This document describes audit logging for Firebase Realtime Database, including which methods generate audit logs, details about the audit logs each method produces, and which methods do not produce audit logs, if any. Google Cloud generates audit logs that record administrative and access activities within your Google Cloud resources. For more information, see Cloud Audit Logs overview.
Notes

Additional information about the fields in protoPayload.metadata for DATA_READ and DATA_WRITE operations is available in the reference documentation.
Service name

Firebase Realtime Database audit logs use the service name firebasedatabase.googleapis.com.
Methods by permission type

Methods that check DATA_READ, DATA_WRITE, and ADMIN_READ permissions generate logs categorized as Data Access audit logs.

Methods that check ADMIN_WRITE permissions generate logs categorized as Admin Activity audit logs.
Permission type | Methods |
---|---|
ADMIN_READ | google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances |
ADMIN_WRITE | google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance, google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance |
DATA_READ | google.firebase.database.v1.RealtimeDatabase.Connect, google.firebase.database.v1.RealtimeDatabase.Disconnect, google.firebase.database.v1.RealtimeDatabase.Listen, google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel, google.firebase.database.v1.RealtimeDatabase.Read, google.firebase.database.v1.RealtimeDatabase.Unlisten |
DATA_WRITE | google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut, google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate, google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect, google.firebase.database.v1.RealtimeDatabase.Update, google.firebase.database.v1.RealtimeDatabase.Write |
Audit logs for each API interface

For information about how and which permissions are evaluated for each method, see the Cloud Identity and Access Management documentation for Firebase Realtime Database.

google.firebase.database.v1.RealtimeDatabase

The following section contains details about audit logs associated with methods belonging to google.firebase.database.v1.RealtimeDatabase.
Connect
- Method:
google.firebase.database.v1.RealtimeDatabase.Connect
- Audit log type: Data access
- Permissions:
firebasedatabase.data.connect - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Connect"
Disconnect
- Method:
google.firebase.database.v1.RealtimeDatabase.Disconnect
- Audit log type: Data access
- Permissions:
firebasedatabase.data.connect - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Disconnect"
Listen
- Method:
google.firebase.database.v1.RealtimeDatabase.Listen
- Audit log type: Data access
- Permissions:
firebasedatabase.data.get - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Listen"
OnDisconnectCancel
- Method:
google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel
- Audit log type: Data access
- Permissions:
firebasedatabase.data.cancel - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel"
OnDisconnectPut
- Method:
google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut
- Audit log type: Data access
- Permissions:
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut"
OnDisconnectUpdate
- Method:
google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate
- Audit log type: Data access
- Permissions:
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate"
Read
- Method:
google.firebase.database.v1.RealtimeDatabase.Read
- Audit log type: Data access
- Permissions:
firebasedatabase.data.get - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Read"
RunOnDisconnect
- Method:
google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect
- Audit log type: Data access
- Permissions:
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect"
Unlisten
- Method:
google.firebase.database.v1.RealtimeDatabase.Unlisten
- Audit log type: Data access
- Permissions:
firebasedatabase.data.cancel - DATA_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Unlisten"
Update
- Method:
google.firebase.database.v1.RealtimeDatabase.Update
- Audit log type: Data access
- Permissions:
firebasedatabase.data.get - DATA_READ
firebasedatabase.data.get - DATA_WRITE
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Update"
Write
- Method:
google.firebase.database.v1.RealtimeDatabase.Write
- Audit log type: Data access
- Permissions:
firebasedatabase.data.get - DATA_READ
firebasedatabase.data.get - DATA_WRITE
firebasedatabase.data.update - DATA_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Write"
google.firebase.database.v1beta.RealtimeDatabaseService

The following section contains details about audit logs associated with methods belonging to google.firebase.database.v1beta.RealtimeDatabaseService.
CreateDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.create - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance"
DeleteDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.delete - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance"
DisableDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.disable - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance"
GetDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance
- Audit log type: Data access
- Permissions:
firebasedatabase.instances.get - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance"
ListDatabaseInstances
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances
- Audit log type: Data access
- Permissions:
firebasedatabase.instances.list - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances"
ReenableDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.reenable - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance"
UndeleteDatabaseInstance
- Method:
google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance
- Audit log type: Admin activity
- Permissions:
firebasedatabase.instances.undelete - ADMIN_WRITE
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance"
Audit authentication information

Audit log entries include information about the identity that performed the logged operation. To identify the request caller, look at the following fields within the AuditLog object:

- Establishing realtime connections. Realtime Database Connect operations do not log authentication data, because Realtime Database authenticates after a connection is established. Therefore, Connect has no authentication info: the AuthenticationInfo object contains a placeholder principalEmail of audit-pending-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com.
- Google Authentication. Realtime Database operations that use standard Google Authentication, such as traffic from the Firebase Admin SDK or REST requests authenticated with a standard OAuth token, have an AuthenticationInfo object that contains the actual credential's email.
- Firebase Authentication. Realtime Database operations that use Firebase Authentication have an AuthenticationInfo object whose principalEmail is audit-third-party-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. The same is true if you implement your own authentication solution by minting custom JWTs. If a JSON Web Token (JWT) was used for third-party authentication, the thirdPartyPrincipal field includes the token's header and payload. For example, audit logs for requests authenticated with Firebase Authentication include that request's Firebase Authentication token.
- No authentication. Realtime Database operations that do not use any authentication have an AuthenticationInfo object whose principalEmail is audit-no-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. A Realtime Database instance with open security rules may grant such requests. We recommend that all users secure their databases properly.
- Legacy secrets tokens. Realtime Database operations using legacy tokens have an AuthenticationInfo object that contains a placeholder principalEmail of audit-secret-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. For secret-signed JWTs, thirdPartyPrincipal contains the JWT header and payload.
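The following Python script is an added example and is not code from the Firebase documentation or SDKs. It reads a handful of constructed audit log entries in the JSON shape that `gcloud logging read --format=json` emits, maps each principalEmail to the caller category described above, pulls the `sub` claim out of thirdPartyPrincipal where a JWT was recorded, and flags DATA_WRITE methods that arrived with the audit-no-auth placeholder, which is the signal that open security rules accepted an unauthenticated write. Assumptions not stated on this page: thirdPartyPrincipal exposes the decoded token under "header" and "payload" keys, the region code is us-central1, and the Data Access log name is cloudaudit.googleapis.com%2Fdata_access; every sample entry is constructed.

```python
import json
import re
from typing import Optional

# Placeholder principals that Realtime Database writes into
# protoPayload.authenticationInfo.principalEmail (from this page). The region
# code differs per instance, so it is matched with a wildcard.
_PLACEHOLDER = re.compile(
    r"^audit-(pending-auth|third-party-auth|no-auth|secret-auth)@"
    r"firebasedatabase-[a-z0-9-]+-prod\.iam\.gserviceaccount\.com$"
)
_CATEGORY = {
    "pending-auth": "connect-before-auth",
    "third-party-auth": "firebase-or-custom-jwt",
    "no-auth": "unauthenticated",
    "secret-auth": "legacy-secret",
}

# DATA_WRITE methods from the permission table on this page.
WRITE_METHODS = {
    "google.firebase.database.v1.RealtimeDatabase." + m
    for m in ("Write", "Update", "OnDisconnectPut", "OnDisconnectUpdate", "RunOnDisconnect")
}

# The same check expressed as a Cloud Logging filter, for
# `gcloud logging read` against the Data Access log.
UNAUTHENTICATED_WRITE_FILTER = (
    'protoPayload.serviceName="firebasedatabase.googleapis.com" AND '
    'protoPayload.authenticationInfo.principalEmail:"audit-no-auth@" AND '
    "protoPayload.methodName=(" + " OR ".join(f'"{m}"' for m in sorted(WRITE_METHODS)) + ")"
)


def auth_category(principal_email: str) -> str:
    """Map principalEmail to the caller category this page describes."""
    m = _PLACEHOLDER.match(principal_email)
    if m:
        return _CATEGORY[m.group(1)]
    # Anything else is a real Google identity: Admin SDK, OAuth token, etc.
    return "google-credential"


def jwt_subject(auth_info: dict) -> Optional[str]:
    """Return the `sub` claim of a third-party JWT recorded in the entry.

    Assumption: thirdPartyPrincipal exposes the decoded token under "header"
    and "payload" keys; the page says it holds both but not the key names.
    """
    payload = (auth_info.get("thirdPartyPrincipal") or {}).get("payload") or {}
    return payload.get("sub")


def triage(entries: list) -> list:
    """One finding per Realtime Database audit entry: caller category, method,
    JWT subject (if any) and whether it is a write that no credential backed."""
    findings = []
    for entry in entries:
        pp = entry.get("protoPayload", {})
        if pp.get("serviceName") != "firebasedatabase.googleapis.com":
            continue
        auth = pp.get("authenticationInfo", {})
        category = auth_category(auth.get("principalEmail", ""))
        method = pp.get("methodName", "")
        findings.append({
            "category": category,
            "method": method.rsplit(".", 1)[-1],
            "subject": jwt_subject(auth),
            "unauthenticated_write": category == "unauthenticated" and method in WRITE_METHODS,
        })
    return findings


def _entry(method: str, principal: str, third_party: Optional[dict] = None) -> dict:
    """Constructed LogEntry in the shape `gcloud logging read --format=json`
    emits, trimmed to the fields used here."""
    auth = {"principalEmail": principal}
    if third_party:
        auth["thirdPartyPrincipal"] = third_party
    return {
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "firebasedatabase.googleapis.com",
            "methodName": "google.firebase.database.v1.RealtimeDatabase." + method,
            "authenticationInfo": auth,
        },
    }


REGION = "us-central1"  # assumed value for {REGION_CODE}
PLACEHOLDER = "audit-{}@firebasedatabase-" + REGION + "-prod.iam.gserviceaccount.com"
SAMPLE_ENTRIES = [  # constructed sample, one entry per caller category
    _entry("Connect", PLACEHOLDER.format("pending-auth")),
    _entry("Write", "firebase-adminsdk-abc12@demo-project.iam.gserviceaccount.com"),
    _entry("Update", PLACEHOLDER.format("third-party-auth"),
           {"header": {"alg": "RS256"}, "payload": {"sub": "uid-123"}}),
    _entry("Write", PLACEHOLDER.format("no-auth")),
    _entry("Read", PLACEHOLDER.format("secret-auth")),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ENTRIES), indent=2))
```

Run it on real data by piping `gcloud logging read '<filter>' --format=json` into `json.load` and passing the list to `triage`; `UNAUTHENTICATED_WRITE_FILTER` narrows that read to the entries the script would flag, so the server does the filtering instead of your laptop. Matching on the `audit-no-auth@` prefix rather than the full placeholder keeps the check independent of the instance's region code.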
Audit Firebase Security Rules evaluations

Cloud Audit Logs can be used to identify requests that could be affected by a Rules change.

The permission field of each AuthorizationInfo object (protoPayload.authorizationInfo.permission) can be one of:

- firebasedatabase.data.get: Read access granted at the path specified in resource.
- firebasedatabase.data.update: Write access granted at the path specified in resource.
- firebasedatabase.data.connect: Placeholder for Connect and Disconnect. No authorization is required to connect to a Realtime Database instance.
- firebasedatabase.data.cancel: Used for Unlisten and OnDisconnectCancel. Revoking or canceling a previously authorized operation requires no additional authorization.
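The following Python script is an added example and is not code from the Firebase documentation or SDKs. It shows how to use the authorizationInfo entries above to find requests that a planned Rules change would break: it collects every granted read or write together with its path (ignoring the connect and cancel placeholders, which carry no authorization decision), then checks each against a map of path prefixes to the accesses the new rules will no longer grant. Assumptions not stated on this page: the resource value carries the database path after a "/refs/" segment (the page says only that it holds the path), and the instance name and all log entries are constructed.

```python
from typing import Iterator, Tuple

# Only these two permissions record a path authorization decision; connect and
# cancel are placeholders with no authorization, so a Rules change cannot
# affect the entries that carry them.
PATH_PERMISSIONS = {
    "firebasedatabase.data.get": "read",
    "firebasedatabase.data.update": "write",
}


def ref_path(resource: str) -> str:
    """Extract the database path from an authorizationInfo.resource value.

    Assumption: the resource names the path after a "/refs/" segment, e.g.
    "projects/_/instances/demo-db/refs/users/alice". The page says only that
    resource holds the path, not its exact format; a value without "/refs/"
    is used as-is.
    """
    _, sep, path = resource.partition("/refs/")
    return "/" + (path if sep else resource).strip("/")


def under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies below it, by whole path segments."""
    prefix = "/" + prefix.strip("/")
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def granted_accesses(entries: list) -> Iterator[Tuple[str, str, str]]:
    """Yield (principalEmail, access, path) for every granted read or write
    authorization in Realtime Database Data Access entries."""
    for entry in entries:
        pp = entry.get("protoPayload", {})
        if pp.get("serviceName") != "firebasedatabase.googleapis.com":
            continue
        principal = pp.get("authenticationInfo", {}).get("principalEmail", "")
        for info in pp.get("authorizationInfo", []):
            access = PATH_PERMISSIONS.get(info.get("permission"))
            if access and info.get("granted"):
                yield principal, access, ref_path(info.get("resource", ""))


def affected_by_rules_change(entries: list, restricted: dict) -> list:
    """Return the logged accesses that a proposed Rules change would deny.

    `restricted` maps a path prefix to the set of accesses ("read", "write")
    the new rules no longer grant under it, e.g. {"/users": {"write"}}.
    """
    hits = []
    for principal, access, path in granted_accesses(entries):
        for prefix, denied in restricted.items():
            if access in denied and under(path, prefix):
                hits.append({"principal": principal, "access": access,
                             "path": path, "rule_path": prefix})
                break
    return hits


INSTANCE = "projects/_/instances/demo-db"  # assumed resource prefix
REGION = "us-central1"                      # assumed {REGION_CODE}
THIRD_PARTY = f"audit-third-party-auth@firebasedatabase-{REGION}-prod.iam.gserviceaccount.com"
NO_AUTH = f"audit-no-auth@firebasedatabase-{REGION}-prod.iam.gserviceaccount.com"
PENDING = f"audit-pending-auth@firebasedatabase-{REGION}-prod.iam.gserviceaccount.com"
ADMIN = "firebase-adminsdk-abc12@demo-project.iam.gserviceaccount.com"


def _entry(method: str, principal: str, auths: list) -> dict:
    """Constructed LogEntry trimmed to the fields used here. `auths` holds
    (permission, path, granted) tuples rendered as authorizationInfo items."""
    return {"protoPayload": {
        "serviceName": "firebasedatabase.googleapis.com",
        "methodName": "google.firebase.database.v1.RealtimeDatabase." + method,
        "authenticationInfo": {"principalEmail": principal},
        "authorizationInfo": [
            {"permission": p, "resource": INSTANCE + "/refs" + path, "granted": g}
            for p, path, g in auths],
    }}


SAMPLE_ENTRIES = [  # constructed sample traffic
    _entry("Update", THIRD_PARTY, [("firebasedatabase.data.get", "/users/alice", True),
                                   ("firebasedatabase.data.update", "/users/alice", True)]),
    _entry("Write", ADMIN, [("firebasedatabase.data.update", "/config/flags", True)]),
    _entry("Read", NO_AUTH, [("firebasedatabase.data.get", "/public/feed", True)]),
    _entry("Write", THIRD_PARTY, [("firebasedatabase.data.update", "/chat/room1/messages", True)]),
    _entry("Connect", PENDING, [("firebasedatabase.data.connect", "/", True)]),
]
# Planned change: /users becomes read-only and /public is closed entirely.
PROPOSED_RESTRICTIONS = {"/users": {"write"}, "/public": {"read", "write"}}

if __name__ == "__main__":
    for hit in affected_by_rules_change(SAMPLE_ENTRIES, PROPOSED_RESTRICTIONS):
        print(hit)
```

The matching is by whole path segments, so a restriction on `/users` catches `/users/alice` but not `/usersX`; a restriction keyed on `/` applies to everything. Callers with a real Google credential, such as the Admin SDK, are not subject to Security Rules, so filter those principals out of the result before treating the remaining hits as the user-facing impact of the change.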
Correlate Cloud Audit logs with Realtime Database profiler results
You can perform in-depth performance analysis on Realtime Database using the Realtime Database profiler in combination with Realtime Database audit logging. Each tool has its strengths.
Audit log contents correspond to profiler metrics as shown below.

Audit Logging operation name | Special values in RealtimeDatabaseAuditMetadata | Profiler operation name |
---|---|---|
Connect | RequestType is REALTIME | concurrent-connect |
Disconnect | RequestType is REALTIME | concurrent-disconnect |
Read | RequestType is REALTIME | realtime-read |
Read | RequestType is REST | rest-read |
Write | RequestType is REALTIME | realtime-write |
Write | RequestType is REST | rest-write |
Update | RequestType is REALTIME. Check PreconditionType. | realtime-update, realtime-transaction |
Update | RequestType is REST. Check PreconditionType. | rest-update, rest-transaction |
Listen | RequestType is REALTIME | listener-listen |
Unlisten | RequestType is REALTIME | listener-unlisten |
OnDisconnectPut | RequestType is REALTIME | on-disconnect-put |
OnDisconnectUpdate | RequestType is REALTIME | on-disconnect-update |
OnDisconnectCancel | RequestType is REALTIME | on-disconnect-cancel |
RunOnDisconnect | RequestType is REALTIME | run-on-disconnect |