Example logs for Workforce Identity Federation OAuth application integration

This page provides examples of the audit logs that are generated when you use Workforce Identity Federation OAuth application integration. With Workforce Identity Federation OAuth application integration, you can allow third-party applications to integrate with Google Cloud through OAuth and use external identities to access Google Cloud resources.

Each of the following examples shows only the most relevant fields in the log entries.

For more information about enabling and viewing audit logs, see Identity and Access Management audit logging.

Required roles

IAM can generate audit logs when you create and manage OAuth clients. To enable audit logs when managing OAuth clients, you must enable audit logs for Data Access activity for the following API:

  • Identity and Access Management API (enable log type "ADMIN_READ")

Logs for creating an OAuth client

The log entry is similar to the following:

{
  "logName": "projects/PROJECT_NUMBER/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "methodName": "google.iam.admin.v1.OauthClients.CreateOauthClient",
    "resourceName": "projects/PROJECT_NUMBER/locations/global",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateOauthClientRequest",
      "oauthClient": {},
      "oauthClientId": "OAUTH_CLIENT_ID",
      "parent": "projects/PROJECT_NUMBER/locations/global"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}

This log entry includes the following values, which you can use to filter logs:

  • PROJECT_NUMBER: the project number of the project that contains the OAuth application integration.

  • PRINCIPAL_EMAIL: the email address of the principal that owns the OAuth client.

  • OAUTH_CLIENT_ID: the identity of the OAuth client.

Logs for creating an OAuth client credential

The log entry is similar to the following:

{
  "logName": "projects/PROJECT_NUMBER/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "methodName": "google.iam.admin.v1.OauthClients.CreateOauthClientCredential",
    "resourceName": "projects/PROJECT_NUMBER/locations/global/oauthClients/OAUTH_CLIENT_ID",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateOauthClientCredentialRequest",
      "oauthClientCredential": {},
      "oauthClientCredentialId": "OAUTH_CLIENT_CREDENTIAL_ID",
      "parent": "projects/PROJECT_NUMBER/locations/global/oauthClients/OAUTH_CLIENT_ID"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}

This log entry includes the following values, which you can use to filter logs:

  • PROJECT_NUMBER: the project number of the project that contains the OAuth application integration.

  • PRINCIPAL_EMAIL: the email address of the principal that owns or accessed the OAuth client.

  • OAUTH_CLIENT_ID: the identity of the OAuth client.

  • OAUTH_CLIENT_CREDENTIAL_ID: the identity of the OAuth client credential.
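
The following is an added example, not part of the original page or Google's own code. It correlates the two log types above by using the filter fields, and returns credential creations whose principal differs from the principal that created the OAuth client, or whose client creation was not seen. The sample entries, project number, email addresses and the credentials_to_review function are constructed for illustration, and the entries are assumed to be in chronological order.

```python
import json

# Method names as they appear in the log entries on this page.
CREATE_CLIENT = "google.iam.admin.v1.OauthClients.CreateOauthClient"
CREATE_CREDENTIAL = "google.iam.admin.v1.OauthClients.CreateOauthClientCredential"
PARENT = "projects/123456789012/locations/global"  # constructed project number


def _entry(method, principal, request):
    """Build one constructed log line with only the fields the page shows."""
    return json.dumps({"protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "methodName": method,
        "serviceName": "iam.googleapis.com",
        "request": request,
    }})


# Constructed sample data, not real logs; assumed to be in chronological order.
SAMPLE_LINES = [
    _entry(CREATE_CLIENT, "alice@example.com",
           {"oauthClientId": "app-one", "parent": PARENT}),
    _entry(CREATE_CREDENTIAL, "alice@example.com",
           {"oauthClientCredentialId": "cred-1",
            "parent": PARENT + "/oauthClients/app-one"}),
    _entry(CREATE_CREDENTIAL, "bob@example.com",
           {"oauthClientCredentialId": "cred-2",
            "parent": PARENT + "/oauthClients/app-one"}),
    _entry(CREATE_CREDENTIAL, "bob@example.com",
           {"oauthClientCredentialId": "cred-3",
            "parent": PARENT + "/oauthClients/app-two"}),
]


def credentials_to_review(lines):
    """Return credential creations whose principal did not create the client."""
    creators, findings = {}, []
    for line in lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("serviceName") != "iam.googleapis.com":
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        request = payload.get("request", {})
        if payload.get("methodName") == CREATE_CLIENT:
            name = f"{request.get('parent')}/oauthClients/{request.get('oauthClientId')}"
            creators[name] = principal
        elif payload.get("methodName") == CREATE_CREDENTIAL:
            client = request.get("parent")
            if creators.get(client) != principal:  # None if creation not seen
                findings.append((client, request.get("oauthClientCredentialId"),
                                 principal, creators.get(client)))
    return findings
```

Each finding is a tuple of client resource name, credential ID, the principal that created the credential, and the principal that created the client (None when the client creation falls outside the log window).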


Last updated 2026-02-18 UTC.