This document describes audit logging for Firebase Realtime Database. Google Cloud services generate audit logs that record administrative and access activities within your Google Cloud resources. For more information about Cloud Audit Logs, see the following:
- Types of audit logs
- Audit log entry structure
- Storing and routing audit logs
- Cloud Logging pricing summary
- Enable Data Access audit logs
Notes
Additional information about the fields in protoPayload.metadata for DATA_READ and DATA_WRITE operations is available in the reference documentation.
Service name
Firebase Realtime Database audit logs use the service name firebasedatabase.googleapis.com.
Filter for this service:
protoPayload.serviceName="firebasedatabase.googleapis.com"
Methods by permission type
Each IAM permission has a type property, whose value is an enum that can be one of four values: ADMIN_READ, ADMIN_WRITE, DATA_READ, or DATA_WRITE. When you call a method, Firebase Realtime Database generates an audit log whose category depends on the type property of the permission required to perform the method.
Methods that require an IAM permission with a type property value of DATA_READ, DATA_WRITE, or ADMIN_READ generate Data Access audit logs. Data Access audit logs are disabled by default, so no DATA_READ, DATA_WRITE, or ADMIN_READ entries for this service exist until you enable them; see Enable Data Access audit logs.
Methods that require an IAM permission with a type property value of ADMIN_WRITE generate Admin Activity audit logs, which are always on.
Permission type | Methods |
---|---|
ADMIN_READ | google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances |
ADMIN_WRITE | google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance |
DATA_READ | google.firebase.database.v1.RealtimeDatabase.Connect, google.firebase.database.v1.RealtimeDatabase.Disconnect, google.firebase.database.v1.RealtimeDatabase.Listen, google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel, google.firebase.database.v1.RealtimeDatabase.Read, google.firebase.database.v1.RealtimeDatabase.Unlisten |
DATA_WRITE | google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut, google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate, google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect, google.firebase.database.v1.RealtimeDatabase.Update, google.firebase.database.v1.RealtimeDatabase.Write |
API interface audit logs
For information about how and which permissions are evaluated for each method, see the Cloud Identity and Access Management documentation for Firebase Realtime Database.
google.firebase.database.v1.RealtimeDatabase
The following audit logs are associated with methods belonging to google.firebase.database.v1.RealtimeDatabase.
Connect
- Method:
google.firebase.database.v1.RealtimeDatabase.Connect
- Audit log type: Data access
- Permissions:
firebasedatabase.data.connect - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Connect"
Disconnect
- Method:
google.firebase.database.v1.RealtimeDatabase.Disconnect
- Audit log type: Data access
- Permissions:
firebasedatabase.data.connect - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Disconnect"
Listen
- Method:
google.firebase.database.v1.RealtimeDatabase.Listen
- Audit log type: Data access
- Permissions:
firebasedatabase.data.get - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Listen"
OnDisconnectCancel
- Method:
google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel
- Audit log type: Data access
- Permissions:
firebasedatabase.data.cancel - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel"
OnDisconnectPut
- Method:
google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut
- Audit log type: Data access
- Permissions:
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut"
OnDisconnectUpdate
- Method:
google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate
- Audit log type: Data access
- Permissions:
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate"
Read
- Method:
google.firebase.database.v1.RealtimeDatabase.Read
- Audit log type: Data access
- Permissions:
firebasedatabase.data.get - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Read"
RunOnDisconnect
- Method:
google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect
- Audit log type: Data access
- Permissions:
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect"
Unlisten
- Method:
google.firebase.database.v1.RealtimeDatabase.Unlisten
- Audit log type: Data access
- Permissions:
firebasedatabase.data.cancel - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Unlisten"
Update
- Method:
google.firebase.database.v1.RealtimeDatabase.Update
- Audit log type: Data access
- Permissions:
firebasedatabase.data.get - DATA_WRITE
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Update"
Write
- Method:
google.firebase.database.v1.RealtimeDatabase.Write
- Audit log type: Data access
- Permissions:
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Write"
google.firebase.database.v1beta.RealtimeDatabaseService
The following audit logs are associated with methods belonging to google.firebase.database.v1beta.RealtimeDatabaseService.
CreateDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.create - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance"
DeleteDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.delete - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance"
DisableDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.disable - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance"
GetDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance
- Audit log type: Data access
- Permissions:
firebasedatabase.instances.get - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance"
ListDatabaseInstances
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances
- Audit log type: Data access
- Permissions:
firebasedatabase.instances.list - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances"
ReenableDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.reenable - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance"
UndeleteDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.undelete - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance"
Audit authentication information
Audit log entries include information about the identity that performed the logged operation. The caller is recorded in the AuthenticationInfo object of the AuditLog, and what that object contains depends on how the request was authenticated:
- Establishing realtime connections. Realtime Database authenticates after a connection is established, so Connect operations carry no authentication data. The AuthenticationInfo object contains the placeholder principalEmail audit-pending-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com.
- Google Authentication. Operations that use standard Google authentication, such as traffic from the Firebase Admin SDK or REST requests authenticated with a standard OAuth token, have an AuthenticationInfo object that contains the actual credential's email.
- Firebase Authentication. Operations that use Firebase Authentication have an AuthenticationInfo object with a principalEmail value of audit-third-party-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. The same applies if you implement your own authentication solution by minting custom JWTs. If a JSON Web Token (JWT) was used for third-party authentication, the thirdPartyPrincipal field includes the token's header and payload; for example, audit logs for requests authenticated with Firebase Authentication include that request's Firebase Authentication token. To identify the end user behind such an entry, use the claims in thirdPartyPrincipal (such as the token's subject claim) rather than principalEmail, which is only the placeholder.
- No authentication. Operations that do not use any authentication have an AuthenticationInfo object with a principalEmail value of audit-no-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. A Realtime Database instance with open security rules may grant such requests; we recommend that all users secure their databases properly.
- Legacy secrets tokens. Operations that use legacy tokens have an AuthenticationInfo object with the placeholder principalEmail audit-secret-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. For secret-signed JWTs, thirdPartyPrincipal contains the JWT header and payload.
Audit Firebase Security Rules evaluations
Cloud Audit Logs can be used to identify requests that would be affected by a Rules change.
In the AuthorizationInfo object (protoPayload.authorizationInfo), the permission field can be one of:
- firebasedatabase.data.get: Read access granted at the path specified in resource.
- firebasedatabase.data.update: Write access granted at the path specified in resource.
- firebasedatabase.data.connect: Placeholder for Connect and Disconnect. No authorization is required to connect to a Realtime Database instance.
- firebasedatabase.data.cancel: Used for Unlisten and OnDisconnectCancel. Revoking or canceling a previously authorized operation requires no additional authorization.
Only the data.get and data.update entries reflect a Security Rules decision, so when you assess the impact of a Rules change, filter on those two permissions and on the resource paths the change covers; connect and cancel entries are unaffected.
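The two sections above describe how an audit log entry encodes the caller's authentication mode (through the placeholder principalEmail values) and the Rules decision (through authorizationInfo permissions and resource paths). The following Python is an added example, not code from the Google Cloud page, that triages a handful of constructed audit log entries on both axes: it classifies each caller, pulls the end-user subject out of thirdPartyPrincipal, flags writes that an unauthenticated caller was granted (the signature of open security rules), and lists the requests whose Rules decision was made under a given path. Two layouts are assumed because the page does not specify them: thirdPartyPrincipal as {"header": {...}, "payload": {...}}, and resource names ending in /refs/<path>. The database name demo-db, the user alice, the Admin SDK account and the region code in the sample entries are hypothetical.

```python
"""Triage Firebase Realtime Database audit log entries by caller auth mode
and by the paths they were authorized at. Added example, not code from the
Google Cloud page. It relies on two things the page documents: the
placeholder principalEmail values (audit-pending-auth, audit-third-party-auth,
audit-no-auth, audit-secret-auth) and the authorizationInfo permissions.
Assumed, not stated on the page: thirdPartyPrincipal is laid out as
{"header": {...}, "payload": {...}} and resource names end in "/refs/<path>".
The entries in SAMPLE are constructed; demo-db, alice and the region code
are hypothetical."""
import re

PLACEHOLDER = re.compile(
    r"^audit-(pending-auth|third-party-auth|no-auth|secret-auth)"
    r"@firebasedatabase-[a-z0-9-]+-prod\.iam\.gserviceaccount\.com$")
REFS = re.compile(r"/refs/(.*)$")  # assumed resource layout (see docstring)
RULES_PERMS = ("firebasedatabase.data.get", "firebasedatabase.data.update")


def auth_mode(entry):
    """Classify the caller from principalEmail as the page's auth section describes."""
    info = entry["protoPayload"].get("authenticationInfo", {})
    m = PLACEHOLDER.match(info.get("principalEmail", ""))
    if not m:
        return "google-credential"  # Admin SDK or OAuth REST: a real account email
    return {"pending-auth": "connect-pending",  # Connect: auth happens after connect
            "third-party-auth": "firebase-or-custom-jwt",
            "no-auth": "unauthenticated",
            "secret-auth": "legacy-secret"}[m.group(1)]


def jwt_subject(entry):
    """The 'sub' claim of a logged third-party JWT (the end user), or None."""
    tp = entry["protoPayload"].get("authenticationInfo", {}).get("thirdPartyPrincipal")
    return tp.get("payload", {}).get("sub") if tp else None


def granted_paths(entry):
    """permission / path / granted for each authorizationInfo element."""
    out = []
    for ai in entry["protoPayload"].get("authorizationInfo", []):
        res = ai.get("resource", "")
        m = REFS.search(res)
        out.append({"permission": ai.get("permission"),
                    "path": "/" + m.group(1) if m else res,
                    "granted": bool(ai.get("granted"))})
    return out


def unauthenticated_writes(entries):
    """Paths where an unauthenticated caller was granted data.update: these are
    the writes that only open security rules could have allowed."""
    return [g["path"] for e in entries if auth_mode(e) == "unauthenticated"
            for g in granted_paths(e)
            if g["granted"] and g["permission"] == "firebasedatabase.data.update"]


def affected_by_rules_change(entries, prefix):
    """methodName of each request whose Rules decision (data.get/data.update)
    was made at or below `prefix`; connect/cancel entries never depend on Rules."""
    prefix = prefix.rstrip("/") + "/"
    hits = []
    for e in entries:
        if any(g["permission"] in RULES_PERMS and (g["path"] + "/").startswith(prefix)
               for g in granted_paths(e)):
            hits.append(e["protoPayload"]["methodName"])
    return hits


def _entry(method, email, perm, path, tp=None):
    """Constructed entry carrying only the fields the functions above read."""
    auth = {"principalEmail": email}
    if tp:
        auth["thirdPartyPrincipal"] = tp
    return {"protoPayload": {
        "serviceName": "firebasedatabase.googleapis.com",
        "methodName": "google.firebase.database.v1.RealtimeDatabase." + method,
        "authenticationInfo": auth,
        "authorizationInfo": [{"permission": perm, "granted": True,
                               "resource": "projects/_/instances/demo-db/refs/" + path}]}}


_PH = "@firebasedatabase-us-central1-prod.iam.gserviceaccount.com"  # region code is hypothetical
SAMPLE = [  # constructed entries
    _entry("Connect", "audit-pending-auth" + _PH, "firebasedatabase.data.connect", ""),
    _entry("Read", "audit-third-party-auth" + _PH, "firebasedatabase.data.get", "users/alice",
           tp={"header": {"alg": "RS256"}, "payload": {"sub": "alice", "aud": "demo-project"}}),
    _entry("Write", "audit-no-auth" + _PH, "firebasedatabase.data.update", "public/notes/1"),
    _entry("Update", "firebase-adminsdk-x1y2z@demo-project.iam.gserviceaccount.com",
           "firebasedatabase.data.update", "users/alice/balance"),
    _entry("Write", "audit-secret-auth" + _PH, "firebasedatabase.data.update", "admin/flags"),
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e["protoPayload"]["methodName"].rsplit(".", 1)[1], auth_mode(e), jwt_subject(e))
    print("unauthenticated writes:", unauthenticated_writes(SAMPLE))
    print("affected by a /users Rules change:", affected_by_rules_change(SAMPLE, "/users"))
```

Against real entries, feed the output of a Logging query restricted to protoPayload.serviceName="firebasedatabase.googleapis.com" into SAMPLE's place; any non-empty result from unauthenticated_writes is worth an alert, since it means a write at that path succeeded with no identity at all, and the legacy-secret mode is worth the same treatment if you expect no legacy tokens in use.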
Correlate Cloud Audit logs with Realtime Database profiler results
You can perform in-depth performance analysis on Realtime Database using the Realtime Database profiler in combination with Realtime Database audit logging. Each tool has its strengths.
Audit log contents correspond to profiler metrics as shown below.
Audit Logging operation name | Special values in RealtimeDatabaseAuditMetadata | Profiler operation name |
---|---|---|
Connect | RequestType is REALTIME | concurrent-connect |
Disconnect | RequestType is REALTIME | concurrent-disconnect |
Read | RequestType is REALTIME | realtime-read |
Read | RequestType is REST | rest-read |
Write | RequestType is REALTIME | realtime-write |
Write | RequestType is REST | rest-write |
Update | RequestType is REALTIME. Check PreconditionType. | realtime-update, realtime-transaction |
Update | RequestType is REST. Check PreconditionType. | rest-update, rest-transaction |
Listen | RequestType is REALTIME | listener-listen |
Unlisten | RequestType is REALTIME | listener-unlisten |
OnDisconnectPut | RequestType is REALTIME | on-disconnect-put |
OnDisconnectUpdate | RequestType is REALTIME | on-disconnect-update |
OnDisconnectCancel | RequestType is REALTIME | on-disconnect-cancel |
RunOnDisconnect | RequestType is REALTIME | run-on-disconnect |