This page shows examples of the audit logs that are generated when you use Workforce Identity Federation. With Workforce Identity Federation, you can allow third-party identities to access Google Cloud resources, without using a service account key.
For more information about enabling and viewing audit logs, see IAM audit logging.
IAM can generate audit logs when you create and manage workforce pools. To enable audit logs when managing workforce pools, you must enable audit logs for Data Access activity for the following API:
- Identity and Access Management (IAM) API (enable log type "Admin Read")
To further configure audit logs for the token-exchange process or Google Cloud console (federated) sign in, you must also enable audit logs for Data Access activity for the following API:
- Security Token Service API (enable log type "Admin Read")
Logs for creating a workforce pool
The following example shows a log entry for creating a workforce pool. In this example, the user sam@example.com created a workforce pool with the ID my-pool under the organization with the ID 123456789012.
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "sam@example.com"
    },
    "methodName": "google.iam.admin.v1.WorkforcePools.CreateWorkforcePool",
    "resourceName": "locations/global/workforcePools/my-pool",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateWorkforcePoolRequest",
      "workforcePool": {
        "parent": "organizations/123456789012"
      },
      "workforcePoolId": "my-pool"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
Logs for exchanging an IdP token for a federated token
After you set up your workforce identity pool and workforce identity pool provider, you can obtain a token from your identity provider (IdP) and exchange it for a federated token.
After you enable Cloud Audit Logs for Data Access activity, IAM generates an audit log entry each time a principal exchanges a token. The log entry includes the following fields:
- protoPayload.authenticationInfo.principalSubject: The subject of the IdP token.
  - For OIDC IdPs, this field contains the value of the sub, or subject, claim from the OIDC token.
  - For SAML IdPs, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
- protoPayload.metadata.mapped_principal: The subject of the token, using IAM syntax to identify the principal: principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER
- protoPayload.resourceName: The workforce pool provider that the token is associated with.
The following example shows an audit log entry for a request to exchange a token. In this example, an OIDC token is exchanged for a federated token:
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
    "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeTokenRequest",
      "audience": "//iam.googleapis.com/locations/global/workforcePools/oidc-pool/providers/oidc-provider",
      "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
      "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
      "subjectTokenType": "urn:ietf:params:oauth:token-type:id_token"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
Logs for signed and encrypted SAML assertions
This section describes the Cloud Audit Logs log entries that Security Token Service creates when it attempts to verify signed SAML assertions or decrypt encrypted assertions that are sent from your IdP.
For Workforce Identity Federation, the pertinent log entry looks similar to the following:
"keyInfo": [
  {
    "use": "verify",
    "fingerprint": "3C:B2:47:F8:A5:9A:8A:52:BD:1C:BC:96:B5:45:C1:8D:A7:F1:73:2D"
  },
  {
    "use": "decrypt",
    "resourceName": "//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_NAME/providers/PROVIDER_NAME/keys/KEY_NAME"
  }
]
This output includes the following values:
- fingerprint: the hexadecimal representation of the SHA-256 hash of the X.509 certificate that was used to verify the signature on the SAML credential. The X.509 certificate is extracted from the SAML XML metadata that is attached to the workforce identity pool provider.
- resourceName: the resource name of the workforce identity pool provider key that was used to decrypt the encrypted SAML assertion. This field is present only if identity federation receives an encrypted SAML response from your IdP.
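The following Python script is an added example, not code from the Google Cloud documentation or from any Google library. It shows how a defender can use the keyInfo values above: the verify fingerprint is compared against an allowlist of fingerprints you computed yourself from the certificate in the IdP metadata you attached to the provider, and the decrypt resourceName is compared against the provider keys you expect to be in use. A mismatch is the signal that the IdP is signing with a certificate you did not register, or that a different decryption key was selected. The sample keyInfo list is constructed from the fragment above; the allowlist sets, finding labels and fingerprint_from_der helper (which assumes SHA-256 over the DER certificate, as the text describes) are this example's own conventions. Fingerprints are compared as normalized hex strings, so the comparison works regardless of case or separator.

```python
import hashlib
from typing import Iterable, List, Tuple

# Constructed keyInfo list modelled on the fragment on this page (not a real log entry).
SAMPLE_KEY_INFO = [
    {
        "use": "verify",
        "fingerprint": "3C:B2:47:F8:A5:9A:8A:52:BD:1C:BC:96:B5:45:C1:8D:A7:F1:73:2D",
    },
    {
        "use": "decrypt",
        "resourceName": "//iam.googleapis.com/locations/global/workforcePools/"
        "WORKFORCE_POOL_NAME/providers/PROVIDER_NAME/keys/KEY_NAME",
    },
]


def normalize_fingerprint(fingerprint: str) -> str:
    """Canonical form for comparison: uppercase hex with separators removed."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def fingerprint_from_der(cert_der: bytes) -> str:
    """Colon-separated uppercase SHA-256 digest of a DER-encoded certificate.

    This is the format keyInfo.fingerprint uses on the page; run it over the
    certificate you extracted from the IdP metadata to build the allowlist.
    """
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_key_info(
    key_info: Iterable[dict],
    expected_verify: Iterable[str],
    expected_decrypt_keys: Iterable[str],
) -> List[Tuple[str, str]]:
    """Return (finding, value) pairs for keyInfo items that do not match expectations."""
    allowed = {normalize_fingerprint(fp) for fp in expected_verify}
    allowed_keys = set(expected_decrypt_keys)
    findings = []
    for item in key_info:
        use = item.get("use")
        if use == "verify":
            fp = item.get("fingerprint", "")
            if normalize_fingerprint(fp) not in allowed:
                findings.append(("unexpected_signing_cert", fp))
        elif use == "decrypt":
            name = item.get("resourceName", "")
            if name not in allowed_keys:
                findings.append(("unexpected_decrypt_key", name))
        else:
            findings.append(("unknown_use", str(use)))
    return findings


if __name__ == "__main__":
    # Allowlist built from the page's sample values; in practice it comes from your own metadata.
    expected_fps = {"3c:b2:47:f8:a5:9a:8a:52:bd:1c:bc:96:b5:45:c1:8d:a7:f1:73:2d"}
    expected_keys = {SAMPLE_KEY_INFO[1]["resourceName"]}
    print("matching allowlist:", check_key_info(SAMPLE_KEY_INFO, expected_fps, expected_keys))
    print("empty allowlist:", check_key_info(SAMPLE_KEY_INFO, set(), set()))
```

In a pipeline, feed check_key_info the protoPayload.metadata.keyInfo array of each SAML entry and route any non-empty result to review; keep the allowlist under change control alongside the provider's metadata so that a planned IdP certificate rotation updates both.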
Logs for calling Google Cloud APIs with the federated token
After you exchange the IdP's token for a federated token, you can use the federated token to call Google Cloud APIs. Some of the methods you call might generate audit logs.
The following example shows an audit log entry for a request to list the Cloud Storage buckets in a project using a federated token.
{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/012345678901"
    },
    "methodName": "storage.buckets.list",
    "serviceName": "storage.googleapis.com"
  },
  "resource": {
    "type": "gcs_bucket"
  }
}
Logs for Google Cloud console (federated) sign in
After you set up your workforce identity pools and their IdPs, users can sign in to Google Cloud through the Google Cloud console (federated).
Logs for successful sign-in
This section provides an example Cloud Audit Logs entry that is logged as a result of a successful sign-in. In this example, the user user@example.com signs in using the provider locations/global/workforcePools/my-pool/providers/my-provider. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "continueUrl": "https://console.cloud.google",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}
The Cloud Audit Logs entry for SAML providers can additionally contain signing key information in the metadata field.
{
  "metadata": {
    "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
    "keyInfo": [
      {
        "use": "verify",
        "fingerprint": "AE:CK:LM:EF:LK:OG:EH:IJ:KN:AL:OM:AD:NO"
      }
    ]
  }
}
Logs for failed sign-in
This section provides an example Cloud Audit Logs entry that is logged as a result of a failed sign-in. In this example, the user user@example.com attempts to sign in using the provider locations/global/workforcePools/my-pool/providers/my-provider but is denied access because an attribute condition is not satisfied. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "status": {
      "code": 3,
      "message": "The given credential is rejected by the attribute condition."
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/subject/user@example.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}
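The difference between the successful and the failed sign-in entries above is the protoPayload.status object: a failed WebSignIn carries a non-zero status.code and a message, while a successful one has no status. The following Python script is an added example, not code from the Google Cloud documentation or from any Google library. It builds a handful of constructed WebSignIn entries shaped like the page's examples, classifies them as failed or successful on that basis, groups failures by (code, message) so that a burst of attribute-condition rejections is visible, and lists principals whose failure count reaches a threshold. The make_signin_entry helper, the sample entries, the threshold and the extra constructed status with code 7 are this example's own assumptions; code 3 and its message are taken from the page.

```python
from collections import Counter
from typing import Iterable, List, Optional

# Status from the failed sign-in example on this page. Code 3 is INVALID_ARGUMENT
# in google.rpc.Code; a successful WebSignIn entry has no protoPayload.status at all.
ATTRIBUTE_CONDITION_STATUS = {
    "code": 3,
    "message": "The given credential is rejected by the attribute condition.",
}

WEB_SIGNIN_METHOD = "google.identity.sts.SecurityTokenService.WebSignIn"
PROVIDER = "locations/global/workforcePools/my-pool/providers/my-provider"
POOL_PRINCIPAL_PREFIX = "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/"


def make_signin_entry(principal: str, status: Optional[dict] = None) -> dict:
    """Build a constructed WebSignIn entry shaped like the page's examples (not a real log)."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {"principalSubject": principal},
        "serviceName": "sts.googleapis.com",
        "methodName": WEB_SIGNIN_METHOD,
        "resourceName": PROVIDER,
        "request": {"provider": "//iam.googleapis.com/" + PROVIDER, "host": "http://auth.cloud.google"},
        "metadata": {"mappedPrincipal": POOL_PRINCIPAL_PREFIX + principal},
    }
    if status is not None:  # only failed requests carry protoPayload.status
        payload["status"] = dict(status)
    return {"protoPayload": payload, "resource": {"type": "audited_resource"}}


# Constructed sample: one user rejected twice by the attribute condition, another
# user with one success and one failure whose status (code 7) is made up for illustration.
SIGNIN_ENTRIES = [
    make_signin_entry("user@example.com"),
    make_signin_entry("user@example.com", ATTRIBUTE_CONDITION_STATUS),
    make_signin_entry("user@example.com", ATTRIBUTE_CONDITION_STATUS),
    make_signin_entry("other@example.com"),
    make_signin_entry("other@example.com", {"code": 7, "message": "constructed: permission denied"}),
]


def is_failed_signin(entry: dict) -> bool:
    """True for a WebSignIn entry whose protoPayload.status carries a non-OK code."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != WEB_SIGNIN_METHOD:
        return False
    return payload.get("status", {}).get("code", 0) != 0


def failure_reasons(entries: Iterable[dict]) -> Counter:
    """Count failed sign-ins by (status.code, status.message)."""
    return Counter(
        (e["protoPayload"]["status"]["code"], e["protoPayload"]["status"].get("message", ""))
        for e in entries
        if is_failed_signin(e)
    )


def failures_per_principal(entries: Iterable[dict]) -> Counter:
    """Count failed sign-ins by the IdP subject in authenticationInfo.principalSubject."""
    return Counter(
        e["protoPayload"]["authenticationInfo"]["principalSubject"]
        for e in entries
        if is_failed_signin(e)
    )


def principals_over_threshold(entries: Iterable[dict], threshold: int) -> List[str]:
    """Principals with at least `threshold` failed sign-ins, sorted for stable reporting."""
    counts = failures_per_principal(list(entries))
    return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("reasons:", dict(failure_reasons(SIGNIN_ENTRIES)))
    print("per principal:", dict(failures_per_principal(SIGNIN_ENTRIES)))
    print("over threshold 2:", principals_over_threshold(SIGNIN_ENTRIES, 2))
```

A repeated attribute-condition rejection for the same principal usually means the IdP is sending attributes that the provider's condition does not accept; reviewing the condition against the IdP's claim mapping resolves the legitimate cases, and the remaining ones are worth a closer look.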
Logs for sign-out
This section provides an example Cloud Audit Logs entry that is logged as a result of a sign-out event. In this example, the user user@example.com, who is signed in using the provider locations/global/workforcePools/my-pool/providers/my-provider, initiates a sign-out. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignOut",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignOutRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignOut"
    }
  }
}
Logs for signing in with OAuth flow
After you set up your workforce identity pool and workforce identity pool provider, you can access Google Cloud resources by signing in with the OAuth flow.
After you enable Cloud Audit Logs for Data Access activity, IAM generates an audit log entry each time a principal uses the OAuth flow to sign in. The log entry includes the following fields:
- protoPayload.authenticationInfo.principalSubject: The subject of the IdP token.
  - For OIDC IdPs, this field contains the value of the sub, or subject, claim from the OIDC token.
  - For SAML IdPs, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
- protoPayload.metadata.mapped_principal: The subject of the token, using IAM syntax to identify the principal: principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER
- protoPayload.resourceName: The workforce pool provider that the token is associated with.
The following example shows an audit log entry for a request to exchange a token. In this example, the principal is federated by using an OIDC provider:
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeOauthToken",
    "resourceName": "locations/global/workforcePools/POOL_ID/providers/WORKFORCE_PROVIDER_ID",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeOauthTokenRequest",
      "grantType": "authorization_code"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
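The ExchangeToken entries in "Logs for exchanging an IdP token for a federated token" and the ExchangeOauthToken entry above carry the same three fields (principalSubject, mapped_principal, resourceName), and the principal:// value that mapped_principal introduces is what later shows up as principalSubject on API calls such as the storage.buckets.list entry in "Logs for calling Google Cloud APIs with the federated token". The following Python script is an added example that serves all three passages; it is not code from the Google Cloud documentation or from any Google library. It parses the provider resource name into pool and provider IDs, parses the IAM principal syntax into pool and subject, checks that the pool named in mapped_principal is the pool that owns the provider, flags exchanges through providers that are not on an allowlist, and attributes an API call's principalSubject back to its pool and subject. The sample entries are constructed from the page's examples (the second one uses a made-up provider ID, legacy-provider, to exercise the allowlist); the regular expressions, the allowlist and the field names of the returned summaries are this example's own conventions, and the mapped_principal / mappedPrincipal spelling difference is handled because both appear on this page.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# protoPayload.resourceName of an STS exchange names the workforce pool provider.
PROVIDER_RE = re.compile(
    r"^locations/global/workforcePools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$"
)
# IAM principal syntax used in metadata.mapped_principal and, on later API calls,
# in authenticationInfo.principalSubject.
PRINCIPAL_RE = re.compile(
    r"^principal://iam\.googleapis\.com/locations/global/workforcePools/"
    r"(?P<pool>[^/]+)/subject/(?P<subject>.+)$"
)
EXCHANGE_METHODS = {
    "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
    "google.identity.sts.v1.SecurityTokenService.ExchangeOauthToken",
}

# Constructed sample entries modelled on the examples on this page (not real logs).
SAMPLE_ENTRIES = [
    {  # OIDC token exchange, as in the ExchangeToken example
        "protoPayload": {
            "authenticationInfo": {"principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"},
            "metadata": {"mapped_principal": "principal://iam.googleapis.com/locations/global/"
                         "workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a"},
            "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
            "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
            "request": {"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
                        "subjectTokenType": "urn:ietf:params:oauth:token-type:id_token"},
        }
    },
    {  # OAuth-flow sign-in through a provider ID that is made up for this example
        "protoPayload": {
            "authenticationInfo": {"principalSubject": "c7223bcc-6802-4618-bec6-8f9dd417fc3f"},
            "metadata": {"mapped_principal": "principal://iam.googleapis.com/locations/global/"
                         "workforcePools/oidc-pool/subject/alice@example.com"},
            "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeOauthToken",
            "resourceName": "locations/global/workforcePools/oidc-pool/providers/legacy-provider",
            "request": {"grantType": "authorization_code"},
        }
    },
    {  # Cloud Storage call made with the federated token
        "protoPayload": {
            "authenticationInfo": {"principalSubject": "principal://iam.googleapis.com/locations/"
                                   "global/workforcePools/oidc-pool/subject/012345678901"},
            "methodName": "storage.buckets.list",
            "serviceName": "storage.googleapis.com",
        }
    },
]


def parse_provider(resource_name: str) -> Optional[Dict[str, str]]:
    """Split a provider resource name into pool and provider IDs; None if it is not one."""
    m = PROVIDER_RE.match(resource_name or "")
    return m.groupdict() if m else None


def parse_principal(principal: str) -> Optional[Dict[str, str]]:
    """Split an IAM workforce principal into pool ID and subject; None if it is not one."""
    m = PRINCIPAL_RE.match(principal or "")
    return m.groupdict() if m else None


def summarize_exchange(entry: dict) -> dict:
    """Extract the fields the page lists from an STS exchange entry and cross-check the pool."""
    payload = entry["protoPayload"]
    if payload.get("methodName") not in EXCHANGE_METHODS:
        raise ValueError("not an STS exchange entry: %r" % payload.get("methodName"))
    meta = payload.get("metadata", {})
    mapped = meta.get("mapped_principal") or meta.get("mappedPrincipal") or ""
    provider = parse_provider(payload.get("resourceName", "")) or {}
    principal = parse_principal(mapped) or {}
    request = payload.get("request", {})
    return {
        "method": payload["methodName"],
        "idp_subject": payload.get("authenticationInfo", {}).get("principalSubject"),
        "pool": provider.get("pool"),
        "provider": provider.get("provider"),
        "mapped_subject": principal.get("subject"),
        # The pool in mapped_principal is expected to be the pool that owns the provider.
        "pool_consistent": bool(provider) and provider.get("pool") == principal.get("pool"),
        "grant_type": request.get("grantType"),
        "subject_token_type": request.get("subjectTokenType"),
    }


def attribute_api_call(entry: dict) -> Optional[dict]:
    """Map a non-STS entry's principal:// subject back to pool and subject; None otherwise."""
    subject = entry["protoPayload"].get("authenticationInfo", {}).get("principalSubject", "")
    parsed = parse_principal(subject)
    if parsed is None:
        return None
    return {"method": entry["protoPayload"].get("methodName"), **parsed}


def unexpected_exchanges(entries: Iterable[dict], allowed: Set[Tuple[str, str]]) -> List[dict]:
    """Summaries of exchanges whose (pool, provider) is not allowlisted or whose pool is inconsistent."""
    findings = []
    for e in entries:
        if e["protoPayload"].get("methodName") in EXCHANGE_METHODS:
            s = summarize_exchange(e)
            if (s["pool"], s["provider"]) not in allowed or not s["pool_consistent"]:
                findings.append(s)
    return findings


if __name__ == "__main__":
    print(summarize_exchange(SAMPLE_ENTRIES[0]))
    print(attribute_api_call(SAMPLE_ENTRIES[2]))
    print(unexpected_exchanges(SAMPLE_ENTRIES, {("oidc-pool", "oidc-provider")}))
```

Joining the mapped_subject of an exchange to the subject of later API calls gives you the chain from IdP subject to federated principal to resource access, which is the view you want when answering "what did this federated identity do" during an investigation.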
What's next
- Configure and view the audit logs for IAM.
- Get more information about Cloud Audit Logs.
- Set up Workforce Identity Federation using workforce identity pools.