Firebase Realtime Database audit logging

This document describes audit logging for Firebase Realtime Database. Google Cloud services generate audit logs that record administrative and access activities within your Google Cloud resources. For more information about Cloud Audit Logs, see the following:

Notes

Additional information about fields in protoPayload.metadata for DATA_READ and DATA_WRITE operations is available in the reference documentation.

Service name

Firebase Realtime Database audit logs use the service name firebasedatabase.googleapis.com. Filter for this service:

    protoPayload.serviceName="firebasedatabase.googleapis.com"

Methods by permission type

Each IAM permission has a type property, whose value is an enum that can be one of four values: ADMIN_READ, ADMIN_WRITE, DATA_READ, or DATA_WRITE. When you call a method, Firebase Realtime Database generates an audit log whose category is dependent on the type property of the permission required to perform the method. Methods that require an IAM permission with the type property value of DATA_READ, DATA_WRITE, or ADMIN_READ generate Data Access audit logs. Methods that require an IAM permission with the type property value of ADMIN_WRITE generate Admin Activity audit logs.

Permission type   Methods
ADMIN_READ        google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance
                  google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances
ADMIN_WRITE       google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance
                  google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance
                  google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance
                  google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance
                  google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance
DATA_READ         google.firebase.database.v1.RealtimeDatabase.Connect
                  google.firebase.database.v1.RealtimeDatabase.Disconnect
                  google.firebase.database.v1.RealtimeDatabase.Listen
                  google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel
                  google.firebase.database.v1.RealtimeDatabase.Read
                  google.firebase.database.v1.RealtimeDatabase.Unlisten
DATA_WRITE        google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut
                  google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate
                  google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect
                  google.firebase.database.v1.RealtimeDatabase.Update
                  google.firebase.database.v1.RealtimeDatabase.Write

API interface audit logs

For information about how and which permissions are evaluated for each method, see the Cloud Identity and Access Management documentation for Firebase Realtime Database.

google.firebase.database.v1.RealtimeDatabase

The following audit logs are associated with methods belonging to google.firebase.database.v1.RealtimeDatabase.

Connect

  • Method: google.firebase.database.v1.RealtimeDatabase.Connect
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.connect - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Connect"

Disconnect

  • Method: google.firebase.database.v1.RealtimeDatabase.Disconnect
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.connect - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Disconnect"

Listen

  • Method: google.firebase.database.v1.RealtimeDatabase.Listen
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.get - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Listen"

OnDisconnectCancel

  • Method: google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.cancel - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel"

OnDisconnectPut

  • Method: google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut"

OnDisconnectUpdate

  • Method: google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate"

Read

  • Method: google.firebase.database.v1.RealtimeDatabase.Read
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.get - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Read"

RunOnDisconnect

  • Method: google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect"

Unlisten

  • Method: google.firebase.database.v1.RealtimeDatabase.Unlisten
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.cancel - DATA_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Unlisten"

Update

  • Method: google.firebase.database.v1.RealtimeDatabase.Update
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.get - DATA_WRITE
    • firebasedatabase.data.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Update"

Write

  • Method: google.firebase.database.v1.RealtimeDatabase.Write
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.data.update - DATA_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Write"

google.firebase.database.v1beta.RealtimeDatabaseService

The following audit logs are associated with methods belonging to google.firebase.database.v1beta.RealtimeDatabaseService.

CreateDatabaseInstance

  • Method: google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance
  • Audit log type: Admin activity
  • Permissions:
    • firebasedatabase.instances.create - ADMIN_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance"

DeleteDatabaseInstance

  • Method: google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance
  • Audit log type: Admin activity
  • Permissions:
    • firebasedatabase.instances.delete - ADMIN_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance"

DisableDatabaseInstance

  • Method: google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance
  • Audit log type: Admin activity
  • Permissions:
    • firebasedatabase.instances.disable - ADMIN_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance"

GetDatabaseInstance

  • Method: google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.instances.get - ADMIN_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance"

ListDatabaseInstances

  • Method: google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances
  • Audit log type: Data access
  • Permissions:
    • firebasedatabase.instances.list - ADMIN_READ
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances"

ReenableDatabaseInstance

  • Method: google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance
  • Audit log type: Admin activity
  • Permissions:
    • firebasedatabase.instances.reenable - ADMIN_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance"

UndeleteDatabaseInstance

  • Method: google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance
  • Audit log type: Admin activity
  • Permissions:
    • firebasedatabase.instances.undelete - ADMIN_WRITE
  • Method is a long-running or streaming operation: No.
  • Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance"

Audit authentication information

Audit log entries include information about the identity that performed the logged operation. To identify a request caller, see the following fields within the AuditLog object:

  • Establishing realtime connections. Realtime Database Connect operations do not log authentication data since Realtime Database authenticates after a connection is established. Therefore, Connect has no authentication info. The AuthenticationInfo object contains a placeholder principalEmail of audit-pending-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com.

  • Google Authentication. Realtime Database operations that use standard Google Authentication, such as traffic from Firebase Admin SDK or REST requests authenticated with a standard OAuth token, have an AuthenticationInfo object that contains the actual credentials email.

  • Firebase Authentication. Realtime Database operations that use Firebase Authentication have an AuthenticationInfo object that contains a principalEmail value of audit-third-party-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. The same is true if you implement your own authentication solution by minting custom JWTs.

    • If a JSON Web Token (JWT) was used for third-party authentication, the thirdPartyPrincipal field includes the token's header and payload. For example, audit logs for requests authenticated with Firebase Authentication include that request's Firebase Authentication token.
  • No authentication. Realtime Database operations that do not use any authentication have an AuthenticationInfo object that contains a principalEmail value of audit-no-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. A Realtime Database instance with open security rules may grant such requests. We recommend all users secure their databases properly.

  • Legacy secrets tokens. Realtime Database operations using legacy tokens have an AuthenticationInfo object that contains a placeholder principalEmail of audit-secret-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. For secrets-signed JWT, thirdPartyPrincipal contains the JWT headers and payload.

Audit Firebase Security Rules evaluations

Cloud Audit logs can be used to identify requests that will be potentially affected by Rules changes.

In the AuthorizationInfo object, authorization.permission can be one of:

  • firebasedatabase.data.get: Read access granted at the path specified in resource.
  • firebasedatabase.data.update: Write access granted at the path specified in resource.
  • firebasedatabase.data.connect: Placeholder for Connect and Disconnect. No authorization required to connect to a Realtime Database instance.
  • firebasedatabase.data.cancel: Used for Unlisten and OnDisconnectCancel. Revoking or canceling a previously-authorized operation requires no additional authorization.
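The two sections above (caller identity in AuthenticationInfo, and the permission recorded in AuthorizationInfo) are what a detection engineer reads when triaging Realtime Database audit logs. The script below is an added example, not code from Google or from this page: it filters entries by the documented serviceName, derives the IAM permission type and log category from the method name using the "Methods by permission type" table, classifies the caller from the placeholder principalEmail values documented above, and flags any DATA_WRITE performed by an unauthenticated caller, which is the case the page warns about for instances with open security rules. The sample entries are constructed; the region code, the resource path format, and the shape of thirdPartyPrincipal (assumed to carry a "payload" dict) are assumptions, not values taken from the page.

```python
"""Triage Firebase Realtime Database audit log entries (added example, not Google code)."""
import re

SERVICE_NAME = "firebasedatabase.googleapis.com"

# Method short name -> IAM permission type, from the "Methods by permission type" table.
METHOD_PERMISSION_TYPE = {
    **dict.fromkeys(["Connect", "Disconnect", "Listen", "OnDisconnectCancel", "Read", "Unlisten"], "DATA_READ"),
    **dict.fromkeys(["OnDisconnectPut", "OnDisconnectUpdate", "RunOnDisconnect", "Update", "Write"], "DATA_WRITE"),
    **dict.fromkeys(["GetDatabaseInstance", "ListDatabaseInstances"], "ADMIN_READ"),
    **dict.fromkeys(["CreateDatabaseInstance", "DeleteDatabaseInstance", "DisableDatabaseInstance",
                     "ReenableDatabaseInstance", "UndeleteDatabaseInstance"], "ADMIN_WRITE"),
}

# Placeholder principalEmail values documented on this page; {REGION_CODE} varies per instance.
PLACEHOLDER_RE = re.compile(
    r"^audit-(pending-auth|third-party-auth|no-auth|secret-auth)"
    r"@firebasedatabase-[a-z0-9-]+-prod\.iam\.gserviceaccount\.com$"
)
CALLER_CLASS = {
    "pending-auth": "connect-auth-pending",   # Connect: auth happens after the connection
    "third-party-auth": "firebase-or-custom-jwt",
    "no-auth": "unauthenticated",
    "secret-auth": "legacy-secret",
}


def classify_caller(principal_email):
    """Map principalEmail to a caller class; a non-placeholder email is a real Google credential."""
    match = PLACEHOLDER_RE.match(principal_email or "")
    if match:
        return CALLER_CLASS[match.group(1)]
    return "google-auth" if principal_email else "unknown"


def log_category(method_name):
    """Return (permission type, audit log category) for a fully qualified method name."""
    short = method_name.rsplit(".", 1)[-1]
    ptype = METHOD_PERMISSION_TYPE.get(short)
    if ptype is None:
        return None, None
    return ptype, ("Admin Activity" if ptype == "ADMIN_WRITE" else "Data Access")


def triage(entries):
    """Summarise each Realtime Database entry and flag unauthenticated writes."""
    results = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != SERVICE_NAME:
            continue  # same filter as protoPayload.serviceName="firebasedatabase.googleapis.com"
        method = payload.get("methodName", "")
        ptype, category = log_category(method)
        auth = payload.get("authenticationInfo", {})
        caller = classify_caller(auth.get("principalEmail"))
        # Assumption: thirdPartyPrincipal carries the JWT payload under "payload".
        jwt_subject = auth.get("thirdPartyPrincipal", {}).get("payload", {}).get("sub")
        granted = [a for a in payload.get("authorizationInfo", []) if a.get("granted")]
        results.append({
            "method": method.rsplit(".", 1)[-1],
            "permission_type": ptype,
            "category": category,
            "caller": caller,
            "jwt_subject": jwt_subject,
            "permissions": [a.get("permission") for a in granted],
            "paths": [a.get("resource") for a in granted if a.get("resource")],
            # Open-rules indicator: a write granted to a caller with no authentication at all.
            "flagged": caller == "unauthenticated" and ptype == "DATA_WRITE",
        })
    return results


# Constructed sample entries; region code and resource paths are made up for the example.
REGION = "firebasedatabase-us-central1-prod.iam.gserviceaccount.com"
SAMPLE_ENTRIES = [
    {"protoPayload": {"serviceName": SERVICE_NAME,
                      "methodName": "google.firebase.database.v1.RealtimeDatabase.Connect",
                      "authenticationInfo": {"principalEmail": f"audit-pending-auth@{REGION}"},
                      "authorizationInfo": [{"permission": "firebasedatabase.data.connect", "granted": True}]}},
    {"protoPayload": {"serviceName": SERVICE_NAME,
                      "methodName": "google.firebase.database.v1.RealtimeDatabase.Write",
                      "authenticationInfo": {"principalEmail": f"audit-no-auth@{REGION}"},
                      "authorizationInfo": [{"permission": "firebasedatabase.data.update",
                                             "resource": "EXAMPLE_DB/public/notes", "granted": True}]}},
    {"protoPayload": {"serviceName": SERVICE_NAME,
                      "methodName": "google.firebase.database.v1.RealtimeDatabase.Read",
                      "authenticationInfo": {"principalEmail": f"audit-third-party-auth@{REGION}",
                                             "thirdPartyPrincipal": {"payload": {"sub": "uid-123"}}},
                      "authorizationInfo": [{"permission": "firebasedatabase.data.get",
                                             "resource": "EXAMPLE_DB/users/uid-123", "granted": True}]}},
    {"protoPayload": {"serviceName": SERVICE_NAME,
                      "methodName": "google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance",
                      "authenticationInfo": {"principalEmail": "admin-sa@example-project.iam.gserviceaccount.com"},
                      "authorizationInfo": [{"permission": "firebasedatabase.instances.create", "granted": True}]}},
    {"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get"}},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ENTRIES):
        print(("FLAG " if row["flagged"] else "     ") + f"{row['category']:<14} {row['method']:<24} {row['caller']}")
```

Run against real entries exported from Cloud Logging (the `protoPayload` object is the AuditLog), the `flagged` rows are the ones to cross-check against your Security Rules; the `caller` column also gives a quick inventory of how much traffic still arrives via legacy secrets or with no authentication.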

Correlate Cloud Audit logs with Realtime Database profiler results

You can perform in-depth performance analysis on Realtime Database using the Realtime Database profiler in combination with Realtime Database audit logging. Each tool has its strengths.

Cloud Audit Logging
  • Audits access to databases
  • Continuously captures all requests
  • Allows retrospective querying
  • Contains detailed auth token info
  • Incurs a usage cost

Realtime Database profiler
  • Used for performance analysis
  • Provides useful tooling for hotspot identification and thus performance optimization
  • Can measure listener-broadcast, which is not available in Audit logs due to potential data volume
  • Lightweight and realtime, making it good for live load testing. Audit log entries may take a few minutes to appear.

Audit log contents correspond to profiler metrics as shown below.

Audit Logging operation name   Special values in RealtimeDatabaseAuditMetadata   Profiler operation name
Connect                        RequestType is REALTIME                           concurrent-connect
Disconnect                     RequestType is REALTIME                           concurrent-disconnect
Read                           RequestType is REALTIME                           realtime-read
Read                           RequestType is REST                               rest-read
Write                          RequestType is REALTIME                           realtime-write
Write                          RequestType is REST                               rest-write
Update                         RequestType is REALTIME; check PreconditionType   realtime-update or realtime-transaction
Update                         RequestType is REST; check PreconditionType       rest-update or rest-transaction
Listen                         RequestType is REALTIME                           listener-listen
Unlisten                       RequestType is REALTIME                           listener-unlisten
OnDisconnectPut                RequestType is REALTIME                           on-disconnect-put
OnDisconnectUpdate             RequestType is REALTIME                           on-disconnect-update
OnDisconnectCancel             RequestType is REALTIME                           on-disconnect-cancel
RunOnDisconnect                RequestType is REALTIME                           run-on-disconnect