This page shows examples of the audit log entries that are generated when you use Workforce Identity Federation. Workforce Identity Federation lets you grant third-party identities access to Google Cloud resources without using service account keys.
To learn more about enabling and viewing audit logs, see IAM audit logging.
IAM generates audit logs when you create and manage workforce pools. To enable audit logging for managing workforce pools, you must enable Data Access audit logs for the following API:
- Identity and Access Management (IAM) API (enable the Admin Read log type)
To additionally enable audit logging for the token exchange process or for Google Cloud console (federated) sign-in, you must also enable Data Access audit logs for the following API:
- Security Token Service API (enable the Admin Read log type)
Logs for creating a workforce pool
The following example shows a log entry for creating a workforce pool. In this example, the user sam@example.com created a workforce pool with the ID my-pool under the organization with the ID 123456789012.
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "sam@example.com"
    },
    "methodName": "google.iam.admin.v1.WorkforcePools.CreateWorkforcePool",
    "resourceName": "locations/global/workforcePools/my-pool",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateWorkforcePoolRequest",
      "workforcePool": {
        "parent": "organizations/123456789012"
      },
      "workforcePoolId": "my-pool"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
Logs for exchanging an IdP token for a federated token
After you configure a workforce identity pool and a workforce identity pool provider, you can create a token for your identity provider (IdP) and exchange it for a federated token.
When Cloud Audit Logs are enabled for Data Access activity, IAM generates an audit log entry each time a principal exchanges a token. The log entry contains the following fields:
- protoPayload.authenticationInfo.principalSubject: the subject of the IdP token.
  - For an OIDC IdP, this field contains the value of the sub claim or the subject claim in the OIDC token.
  - For a SAML IdP, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
- protoPayload.metadata.mapped_principal: the principal of the token, identified using IAM syntax: principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER
- protoPayload.resourceName: the workforce pool provider associated with the token.
Successful token exchange
The following example shows an audit log entry for a request to exchange a token. In this example, an OIDC token is exchanged for a federated token:
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/a1234bcd-5678-9012-efa3-4b5cd678ef9a"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken",
    "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeTokenRequest",
      "audience": "//iam.googleapis.com/locations/global/workforcePools/oidc-pool/providers/oidc-provider",
      "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
      "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
      "subjectTokenType": "urn:ietf:params:oauth:token-type:id_token"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
Token exchange failure: too many groups
The following example log describes a token exchange that failed because the number of group claims exceeded the limit of 400.
To log the attributes that Workforce Identity Federation receives, you must enable verbose audit logging when you create the workforce identity pool provider.
To learn how to troubleshoot attribute mapping errors using verbose audit logging, see Common attribute mapping errors.
In the following example, mappedAttributes contains the attributes received from the IdP, including the list of groups. In this case, the number of groups exceeds the Workforce Identity Federation limit.
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 3,
      "message": "The current count of 800 mapped attribute google.groups exceeds the 400 count limit. Either modify your attribute mapping or the incoming assertion to produce a mapped attribute that is less than 400."
    },
    "authenticationInfo": {
      "principalSubject": "3Kn-kJQal4N-WXVjxMqcOF1tQcCdBliu97lV-2P-Khc"
    },
    "requestMetadata": {
      "callerIp": "2601:647:4680:9140:9d68:88c9:cab9:a908",
      "callerSuppliedUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
      "requestAttributes": {
        "time": "2025-04-09T18:32:34.979311Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "authorizationInfo": [
      {
        "permission": "sts.identityProviders.checkLogging",
        "granted": false,
        "permissionType": "ADMIN_READ"
      }
    ],
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "auth-staging.corp.cloud.google"
    },
    "metadata": {
      "mappedAttributes": {
        "google.subject": "3Nk-kJQal4N-WXVjxMqcOF1tQcCdBliu97lV-2P-Khc",
        "google.providerId": "my-provider-id",
        "google.groups": "[group-claim-1, group-claim-2, ..., group-claim-800]"
      }
    }
  },
  "insertId": "-llnhbmck3a",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  },
  "timestamp": "2025-04-09T18:32:34.208412Z",
  "severity": "ERROR",
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2025-04-09T18:32:35.059811619Z"
}
Logs for signed and encrypted SAML assertions
This section describes the Cloud Audit Logs entries that are created when the Security Token Service attempts to verify a signed SAML assertion or to decrypt an encrypted assertion sent by the IdP.
For Workforce Identity Federation, the relevant log entry looks like the following:
"keyInfo": [
  {
    "use": "verify",
    "fingerprint": "3C:B2:47:F8:A5:9A:8A:52:BD:1C:BC:96:B5:45:C1:8D:A7:F1:73:2D"
  },
  {
    "use": "decrypt",
    "resourceName": "//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_NAME/providers/PROVIDER_NAME/keys/KEY_NAME"
  }
]
This output contains the following values:
- fingerprint: the hexadecimal representation of the SHA-256 hash of the X.509 certificate used to verify the SAML assertion's signature. The X.509 certificate is extracted from the SAML XML metadata attached to the workforce identity pool provider.
- resourceName: the resource name of the workforce identity pool provider key used to decrypt the encrypted SAML assertion. This field appears only when federation receives an encrypted SAML response from the IdP.
Logs for calling Google Cloud APIs with a federated token
After you exchange the IdP token for a federated token, you can use the federated token to call Google Cloud APIs. Some of the methods you call might generate audit logs.
The following example shows the audit log entry generated by a request that uses a federated token to list the Cloud Storage buckets in a project.
{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/kalani@altostrat.com"
    },
    "methodName": "storage.buckets.list",
    "serviceName": "storage.googleapis.com"
  },
  "resource": {
    "type": "gcs_bucket"
  }
}
Google Cloud console (federated) sign-in logs
After you configure a workforce identity pool and an IdP, users can sign in to Google Cloud through the console (federated).
Log for a successful sign-in
This section provides an example of the Cloud Audit Logs entry that is recorded when a user signs in successfully. In this example, the user user@example.com signs in through the provider locations/global/workforcePools/my-pool/providers/my-provider. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "continueUrl": "https://console.cloud.google",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}
For a SAML provider, the Cloud Audit Logs entry might also include signing key information in the metadata field.
{
  "metadata": {
    "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com",
    "keyInfo": [
      {
        "use": "verify",
        "fingerprint": "AE:CK:LM:EF:LK:OG:EH:IJ:KN:AL:OM:AD:NO"
      }
    ]
  }
}
Log for a failed sign-in
This section provides an example of the Cloud Audit Logs entry that is recorded when a sign-in fails. In this example, the user user@example.com attempts to sign in using the provider locations/global/workforcePools/my-pool/providers/my-provider but is denied access because the attribute condition is not satisfied. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "status": {
      "code": 3,
      "message": "The given credential is rejected by the attribute condition."
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignIn",
    "resourceName": "locations/global/workforcePools/my-pool/subject/user@example.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignInRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignIn"
    }
  }
}
Sign-out log
This section provides an example of the Cloud Audit Logs entry that is recorded for a sign-out event. In this example, the user user@example.com signed in through the provider locations/global/workforcePools/my-pool/providers/my-provider and then initiated a sign-out. In this case, the following Cloud Audit Logs entry is generated:
{
  "logName": "organizations/my-organization-id/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "user@example.com"
    },
    "serviceName": "sts.googleapis.com",
    "methodName": "google.identity.sts.SecurityTokenService.WebSignOut",
    "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.SecurityTokenService.WebSignOutRequest",
      "provider": "//iam.googleapis.com/locations/global/workforcePools/my-pool/providers/my-provider",
      "host": "http://auth.cloud.google"
    },
    "metadata": {
      "mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com"
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "sts.googleapis.com",
      "method": "google.identity.sts.SecurityTokenService.WebSignOut"
    }
  }
}
Logs for signing in using the OAuth flow
After you configure a workforce identity pool and a workforce identity pool provider, you can access Google Cloud resources using the OAuth flow.
When Cloud Audit Logs are enabled for Data Access audit log activity, IAM generates an audit log entry each time a principal signs in using the OAuth flow. The log entry contains the following fields:
- protoPayload.authenticationInfo.principalSubject: the subject of the IdP token.
  - For an OIDC IdP, this field contains the value of the sub claim or the subject claim in the OIDC token.
  - For a SAML IdP, this field contains the value of the NameID sub-attribute of the Subject attribute in the SAML assertion.
- protoPayload.metadata.mapped_principal: the principal of the token, identified using IAM syntax: principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER
- protoPayload.resourceName: the workforce pool provider associated with the token.
The following example shows an audit log entry for a token exchange request. In this example, the principal is federated through an OIDC provider:
{
  "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalSubject": "b6112abb-5791-4507-adb5-7e8cc306eb2e"
    },
    "metadata": {
      "mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/IDENTIFIER"
    },
    "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeOauthToken",
    "resourceName": "locations/global/workforcePools/POOL_ID/providers/WORKFORCE_PROVIDER_ID",
    "serviceName": "sts.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.identity.sts.v1.ExchangeOauthTokenRequest",
      "grantType": "authorization_code"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
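As an added example (not code from this page or from Google), the following Python normaliser covers the field lists for token exchange and OAuth sign-in, the failed exchange and sign-in entries, and the keyInfo fingerprints above. The two sample entries, the pool, provider and subject names, and the fingerprint allowlist are constructed; it reads entries as exported JSON lines, accepts both spellings of the mapped-principal key that appear in this page's samples, and flags entries that STS rejected or that were verified with a signing certificate fingerprint outside your allowlist.

```python
import json
import re

# ExchangeToken entries carry metadata.mapped_principal, WebSignIn entries carry
# metadata.mappedPrincipal (both spellings appear in the page's samples).
PRINCIPAL_RE = re.compile(r"^principal://iam\.googleapis\.com/locations/global/"
                          r"workforcePools/(?P<pool>[^/]+)/subject/(?P<subject>.+)$")
PROVIDER_RE = re.compile(r"^locations/global/workforcePools/(?P<pool>[^/]+)"
                         r"/providers/(?P<provider>[^/]+)$")

# Constructed sample entries (one JSON object per line, as exported from Cloud
# Logging), trimmed to the fields used below; all identities are placeholders.
SAMPLE_LOG = """
{"protoPayload": {"authenticationInfo": {"principalSubject": "b6112abb-5791"}, "metadata": {"mapped_principal": "principal://iam.googleapis.com/locations/global/workforcePools/oidc-pool/subject/a1234bcd"}, "methodName": "google.identity.sts.v1.SecurityTokenService.ExchangeToken", "resourceName": "locations/global/workforcePools/oidc-pool/providers/oidc-provider"}}
{"protoPayload": {"authenticationInfo": {"principalSubject": "user@example.com"}, "status": {"code": 3, "message": "The given credential is rejected by the attribute condition."}, "metadata": {"mappedPrincipal": "principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/user@example.com", "keyInfo": [{"use": "verify", "fingerprint": "AA:BB:CC:DD"}]}, "methodName": "google.identity.sts.SecurityTokenService.WebSignIn", "resourceName": "locations/global/workforcePools/my-pool/providers/my-provider"}}
"""

def summarize(entry: dict) -> dict:
    """Pull the reviewer-relevant fields out of one AuditLog entry."""
    p = entry["protoPayload"]
    meta = p.get("metadata", {})
    who = PRINCIPAL_RE.match(meta.get("mapped_principal") or meta.get("mappedPrincipal") or "")
    prov = PROVIDER_RE.match(p.get("resourceName", ""))
    status = p.get("status", {})
    return {
        "method": p["methodName"].rsplit(".", 1)[-1],  # ExchangeToken, WebSignIn, ...
        "idp_subject": p["authenticationInfo"].get("principalSubject"),
        "pool": who.group("pool") if who else None,
        "subject": who.group("subject") if who else None,
        "provider": prov.group("provider") if prov else None,
        "ok": status.get("code", 0) == 0,  # no status block or code 0 means success
        "error": status.get("message"),
        "verify_fingerprints": [k["fingerprint"] for k in meta.get("keyInfo", [])
                                if k.get("use") == "verify"],
    }

def parse_log(text: str) -> list:
    return [summarize(json.loads(line)) for line in text.splitlines() if line.strip()]

def rejected(summaries: list) -> list:
    """Failed exchanges or sign-ins: attribute-condition rejections, the group-count limit, etc."""
    return [(s["subject"] or s["idp_subject"], s["error"]) for s in summaries if not s["ok"]]

def unexpected_signing_keys(summaries: list, trusted: set) -> list:
    """SAML entries verified with a certificate fingerprint that is not in the allowlist you
    derived from the provider's SAML metadata, i.e. the IdP's signing certificate changed."""
    return [(s["provider"], fp) for s in summaries
            for fp in s["verify_fingerprints"] if fp not in trusted]
```

Feed the output of a Cloud Logging export for sts.googleapis.com to parse_log and alert on anything rejected or unexpected_signing_keys return.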
What's next
- Configure and view audit logs for IAM.
- Learn more about Cloud Audit Logs.
- Configure Workforce Identity Federation using workforce identity pools.