Firebase Realtime Database audit logging

This document describes audit logging for Firebase Realtime Database. Google Cloud services generate audit logs that record administrative and access activities within your Google Cloud resources. For more information about Cloud Audit Logs, see the following:

• Types of audit logs
• Audit log entry structure
• Storing and routing audit logs
• Cloud Logging pricing summary
• Enable Data Access audit logs

Notes

Additional information about fields in protoPayload.metadata for DATA_READ and DATA_WRITEoperations is available in the reference documentation.

Service name

Firebase Realtime Database audit logs use the service name firebasedatabase.googleapis.com. Filter for this service:

    protoPayload.serviceName="firebasedatabase.googleapis.com"
  

Methods by permission type

Each IAM permission has a type property, whose value is an enum that can be one of four values: ADMIN_READ, ADMIN_WRITE, DATA_READ, or DATA_WRITE. When you call a method, Firebase Realtime Database generates an audit log whose category is dependent on the type property of the permission required to perform the method. Methods that require an IAM permission with the type property value of DATA_READ, DATA_WRITE, or ADMIN_READ generate Data Access audit logs. Methods that require an IAM permission with the type property value of ADMIN_WRITE generate Admin Activity audit logs.

Permission type	Methods
ADMIN_READ	google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances
ADMIN_WRITE	google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance
DATA_READ	google.firebase.database.v1.RealtimeDatabase.Connect google.firebase.database.v1.RealtimeDatabase.Disconnect google.firebase.database.v1.RealtimeDatabase.Listen google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel google.firebase.database.v1.RealtimeDatabase.Read google.firebase.database.v1.RealtimeDatabase.Unlisten
DATA_WRITE	google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect google.firebase.database.v1.RealtimeDatabase.Update google.firebase.database.v1.RealtimeDatabase.Write

API interface audit logs

For information about how and which permissions are evaluated for each method, see the Cloud Identity and Access Management documentation for Firebase Realtime Database.

google.firebase.database.v1.RealtimeDatabase

The following audit logs are associated with methods belonging to google.firebase.database.v1.RealtimeDatabase.

Connect

• Method: google.firebase.database.v1.RealtimeDatabase.Connect
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.connect - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Connect"
  

Disconnect

• Method: google.firebase.database.v1.RealtimeDatabase.Disconnect
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.connect - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Disconnect"
  

Listen

• Method: google.firebase.database.v1.RealtimeDatabase.Listen
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.get - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Listen"
  

OnDisconnectCancel

• Method: google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.cancel - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel"
  

OnDisconnectPut

• Method: google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut"
  

OnDisconnectUpdate

• Method: google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate"
  

Read

• Method: google.firebase.database.v1.RealtimeDatabase.Read
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.get - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Read"
  

RunOnDisconnect

• Method: google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect"
  

Unlisten

• Method: google.firebase.database.v1.RealtimeDatabase.Unlisten
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.cancel - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Unlisten"
  

Update

• Method: google.firebase.database.v1.RealtimeDatabase.Update
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.get - DATA_WRITE
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Update"
  

Write

• Method: google.firebase.database.v1.RealtimeDatabase.Write
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Write"
  

google.firebase.database.v1beta.RealtimeDatabaseService

The following audit logs are associated with methods belonging to google.firebase.database.v1beta.RealtimeDatabaseService.

CreateDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.create - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance"
  

DeleteDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.delete - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance"
  

DisableDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.disable - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance"
  

GetDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.instances.get - ADMIN_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance"
  

ListDatabaseInstances

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.instances.list - ADMIN_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances"
  

ReenableDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.reenable - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance"
  

UndeleteDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.undelete - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance"
  

Audit authentication information

Audit log entries include information about the identity that performed the logged operation. To identify a request caller, see the following fields within the AuditLog object:

• Establishing realtime connections. Realtime Database Connect operations do not log authentication data since Realtime Database authenticates after a connection is established. Therefore, Connect has no authentication info. The AuthenticationInfo object contains a placeholder principalEmail of audit-pending-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com.

• Google Authentication. Realtime Database operations that use standard Google Authentication, such as traffic from Firebase Admin SDK or REST requests authenticated with a standard OAuth token, have an AuthenticationInfo object that contains the actual credentials email.

• Firebase Authentication. Realtime Database operations that use Firebase Authentication have an AuthenticationInfo object that contains a principalEmail value of audit-third-party-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. The same is true if you implement your own authentication solution by minting custom JWTs.

  • If a JSON Web Token (JWT) was used for third-party authentication, the thirdPartyPrincipal field includes the token's header and payload. For example, audit logs for requests authenticated with Firebase Authentication include that request's Firebase Authentication token.

• No authentication. Realtime Database operations that do not use any authentication have an AuthenticationInfo object that contains a principalEmail value of audit-no-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com A Realtime Database instance with open security rules may grant such requests. We recommend all users secure their databases properly.

• Legacy secrets tokens. Realtime Database operations using legacy tokens have an AuthenticationInfo object that contains a placeholder principalEmail of audit-secret-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. For secrets-signed JWT, thirdPartyPrincipal contains the JWT headers and payload.

Audit Firebase Security Rules evaluations

Cloud Audit logs can be used to identify requests that will be potentially affected by Rules changes.

In the AuthorizationInfo object, authorization.permission can be one of:

• firebasedatabase.data.get: Read access granted at the path specified in resource.
• firebasedatabase.data.update: Write access granted at the path specified in resource.
• firebasedatabase.data.connect: Placeholder for Connect and Disconnect. No authorization required to connect to a Realtime Database instance.
• firebasedatabase.data.cancel: Used for Unlisten and OnDisconnectCancel. Revoking or canceling a previously-authorized operation requires no additional authorization.

Correlate Cloud Audit logs with Realtime Database profiler results

You can perform in-depth performance analysis on Realtime Database using the Realtime Database profiler in combination with Realtime Database audit logging. Each tool has its strengths.

Cloud Audit Logging	Realtime Database profiler
Audits access to databases Continuously captures all requests Allows retrospective querying Contains detailed auth token info Incurs a usage cost	Used for performance analysis Provides useful tooling for hotspot identification and thus performance optimization Can measure listener-broadcast, which is not available in Audit logs due to potential data volume Lightweight and realtime, making it good for live load testing. Audit log entries may take a few minutes to appear.

Audit log contents correspond to profiler metrics as shown below.

Audit Logging operation name	Special values in RealtimeDatabaseAuditMetadata	Profiler operation name
Connect	RequestType is REALTIME	concurrent-connect
Disconnect	RequestType is REALTIME	concurrent-disconnect
Read	RequestType is REALTIME	realtime-read
Read	RequestType is REST	rest-read
Write	RequestType is REALTIME	realtime-write
Write	RequestType is REST	rest-write
Update	RequestType is REALTIME. Check PreconditionType.	realtime-update realtime-transaction
Update	RequestType is REST. Check PreconditionType.	rest-update rest-transaction
ListenerListen	RequestType is REALTIME	listener-listen
ListenerUnlisten	RequestType is REALTIME	listener-unlisten
OnDisconnectPut	RequestType is REALTIME	on-disconnect-put
OnDisconnectUpdate	RequestType is REALTIME	on-disconnect-update
OnDisconnectCancel	RequestType is REALTIME	on-disconnect-cancel
RunOnDisconnect	RequestType is REALTIME	run-on-disconnect