Example logs for Workforce Identity Federation

This page shows examples of the audit logs that are generated when you use Workforce Identity Federation. With Workforce Identity Federation, you can allow third-party identities to access Google Cloud resources, without using a service account key.

For more information about enabling and viewing audit logs, see IAM audit logging.

IAM can generate audit logs when you create and manage workforce pools. To enable audit logs when managing workforce pools, you must enable audit logs for Data Access activity for the following API:

  • Identity and Access Management (IAM) API (enable log type "Admin Read")

To further configure audit logs for the token-exchange process or Google Cloud console (federated) sign in, you must also enable audit logs for Data Access activity for the following API:

  • Security Token Service API (enable log type "Admin Read")

Logs for creating a workforce pool

The following example shows a log entry for creating a workforce pool. In this example, the user sam@example.com created a workforce pool with the ID my-pool under the organization with the ID 123456789012.

{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "sam@example.com",
    },
    "methodName": "google.iam.admin.v1.WorkforcePools.CreateWorkforcePool",
    "resourceName": "locations/global/workforcePools/my-pool",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateWorkforcePoolRequest",
      "workforcePool": {
        "parent": "organizations/123456789012"
      },
      "workforcePoolId": "my-pool"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}

Logs for exchanging an IdP token for a federated token

After you set up your workforce identity pool and workforce identity pool provider, you can create a token for your identity provider (IdP) and exchange it for a federated token.

After you enable Cloud Audit Logs for Data Access activity, IAM generates an audit log entry each time a principal exchanges a token. The log entry includes the following fields:

  • protoPayload.authenticationInfo.principalSubject: The subject of the IdP token.
    • For OIDC IdPs, this field contains the value of the sub, or subject, claim from the OIDC token.
    • For SAML IdPs, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
  • protoPayload.metadata.mapped_principal: The subject of the token, using IAM syntax to identify the principal:

    principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER
    
  • protoPayload.resourceName: The workforce pool provider that the token is associated with.

The following example shows an audit log entry for a request to exchange a token. In this example, an OIDC token is exchanged for a federated token:

{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
    "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeTokenRequest",
      "audience": "//iam.googleapis.com/locations/global/workforcePools/oidc-pool/providers/oidc-provider",
      "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
      "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
      "subjectTokenType": "urn:ietf:params:oauth:token-type:id_token"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}

Logs for signed and encrypted SAML assertions

This section describes the Cloud Audit Logs log entries that Security Token Service creates when it attempts to verify signed SAML assertions or decrypt encrypted assertions that are sent from your IdP.

For Workforce Identity Federation, the pertinent log entry looks similar to the following:

"keyInfo": [
  {
    "use": "verify"
    "fingerprint": "3C:B2:47:F8:A5:9A:8A:52:BD:1C:BC:96:B5:45:C1:8D:A7:F1:73:2D"
  },
  {
    "use": "decrypt"
    "resourceName": "//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_NAME/providers/PROVIDER_NAME/keys/KEY_NAME"
  }
]

This output includes the following values:

  • fingerprint: the hexadecimal representation of the SHA-256 hash of the X.509 certificate that was used to verify the signature on the SAML credential. The X.509 certificate is extracted from the SAML XML metadata that is attached to the workforce identity pool provider.
  • resourceName: the resource name of the workforce identity pool provider key that was used to decrypt the encrypted SAML assertion. This field is present only if identity federation receives an encrypted SAML response from your IdP.

Logs for calling Google Cloud APIs with the federated token

After you exchange the IdP's token for a federated token, you can use the federated token to call Google Cloud APIs. Some of the methods you call might generate audit logs.

The following example shows an audit log entry for a request to list the Cloud Storage buckets in a project using a federated token.

{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/012345678901"
    },
    "methodName": "storage.buckets.list",
    "serviceName": "storage.googleapis.com",
  },
  "resource": {
    "type": "gcs_bucket"
  }
}

Logs for Google Cloud console (federated) sign in

After you set up your workforce identity pools and their IdPs, users can sign in to Google Cloud using console (federated).

Logs for successful sign-in

This section provides an example Cloud Audit Logs entry that is logged as a result of a successful sign-in. In this example, the user, user@example.com, signs in using a provider locations/global/workforcePools/my-pool/providers/my-provider. In this case, the following Cloud Audit Logs entry is generated:

{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com",
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "continueUrl": "https://console.cloud.google",
      "host": "http://auth.cloud.google",
    },
    "metadata": {
       "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn",
    }
  },
}

The Cloud Audit Logs entry for SAML providers can additionally contain signing key information in the metadata field.

{
  "metadata": {
    "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
    "keyInfo": [
      {
        "use": "verify",
        "fingerprint": "AE:CK:LM:EF:LK:OG:EH:IJ:KN:AL:OM:AD:NO",
      }
    ],
  }
}

Logs for failed sign-in

This section provides an example Cloud Audit Logs entry that is logged as a result of a failed sign-in. In this example, the user, user@example.com attempts to sign-in using a provider locations/global/workforcePools/my-pool/providers/my-provider but is denied access due to an attribute condition not being satisfied. In this case, the following Cloud Audit Logs entry is generated:

{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com",
    },
    "status": {
      "code": 3,
      "message": "The given credential is rejected by the attribute condition.",
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/subject/user@example.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google",
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn",
    }
  },
}

Logs for sign-out

This section provides an example Cloud Audit Logs entry that is logged as a result of a sign-out event. In this example, the user, user@example.com, who is signed in using a provider locations/global/workforcePools/my-pool/providers/my-provider initiates a sign-out. In this case, the following Cloud Audit Logs entry is generated:

{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com",
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignOut",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignOutRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignOut"
    }
  },
}

Logs for signing in with OAuth flow

After you set up your workforce identity pool and workforce identity pool provider, you can use Google Cloud resources using the OAuth flow.

After you enable Cloud Audit Logs for Data Access audit logs activity, IAM generates an audit log entry each time a principal uses the OAuth flow to sign in. The log entry includes the following fields:

  • protoPayload.authenticationInfo.principalSubject: The subject of the IdP token.
    • For OIDC IdPs, this field contains the value of the sub, or subject, claim from the OIDC token.
    • For SAML IdPs, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
  • protoPayload.metadata.mapped_principal: The subject of the token, using IAM syntax to identify the principal:

    principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER
    
  • protoPayload.resourceName: The workforce pool provider that the token is associated with.

The following example shows an audit log entry for a request to exchange a token. In this example, the principal is federated by using an OIDC provider:

{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeOauthToken",
    "resourceName": "locations/global/workforcePools/POOL_ID/providers/WORKFORCE_PROVIDER_ID",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeOauthTokenRequest",
      "grantType": "authorization_code",
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}

What's next