Example logs for Workforce Identity Federation OAuth application integration
This page provides examples of the audit logs that are generated when you use Workforce Identity Federation OAuth application integration. With Workforce Identity Federation OAuth application integration, you can allow third-party applications to integrate with Google Cloud through OAuth and use external identities to access Google Cloud resources.
Each of the following examples shows only the most relevant fields in the log entries.
For more information about enabling and viewing audit logs, see Identity and Access Management audit logging.
Required roles
IAM can generate audit logs when you create and manage OAuth clients. To enable audit logs when managing OAuth clients, you must enable audit logs for Data Access activity for the following API:
- Identity and Access Management API (enable log type "ADMIN_READ")
Logs for creating an OAuth client
The log entry is similar to the following:
{
  "logName": "projects/PROJECT_NUMBER/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "methodName": "google.iam.admin.v1.OauthClients.CreateOauthClient",
    "resourceName": "projects/PROJECT_NUMBER/locations/global",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateOauthClientRequest",
      "oauthClient": {},
      "oauthClientId": "OAUTH_CLIENT_ID",
      "parent": "projects/PROJECT_NUMBER/locations/global"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
This log entry includes the following values, which you can use to filter logs:
- PROJECT_NUMBER: the project number of the project that contains the OAuth application integration.
- PRINCIPAL_EMAIL: the email address of the principal that owns the OAuth client.
- OAUTH_CLIENT_ID: the identity of the OAuth client.
Logs for creating an OAuth client credential
The log entry is similar to the following:
{
  "logName": "projects/PROJECT_NUMBER/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "PRINCIPAL_EMAIL"
    },
    "methodName": "google.iam.admin.v1.OauthClients.CreateOauthClientCredential",
    "resourceName": "projects/PROJECT_NUMBER/locations/global/oauthClients/OAUTH_CLIENT_ID",
    "serviceName": "iam.googleapis.com",
    "request": {
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateOauthClientCredentialRequest",
      "oauthClientCredential": {},
      "oauthClientCredentialId": "OAUTH_CLIENT_CREDENTIAL_ID",
      "parent": "projects/PROJECT_NUMBER/locations/global/oauthClients/OAUTH_CLIENT_ID"
    }
  },
  "resource": {
    "type": "audited_resource"
  }
}
This log entry includes the following values, which you can use to filter logs:
- PROJECT_NUMBER: the project number of the project that contains the OAuth application integration.
- PRINCIPAL_EMAIL: the email address of the principal that owns or accessed the OAuth client.
- OAUTH_CLIENT_ID: the identity of the OAuth client.
- OAUTH_CLIENT_CREDENTIAL_ID: the identity of the OAuth client credential.
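The following is an added example, not code from this page or from Google: it reads entries shaped like the two examples above, extracts the filterable values, and flags credential creations that merit review. The function names, the two review reasons, and the sample entries (project number 123456789012, alice@example.com, bob@example.com, app-one, cred-1 and so on) are constructed for illustration, and the review logic assumes the entries arrive in time order.

```python
CREATE_CLIENT = "google.iam.admin.v1.OauthClients.CreateOauthClient"
CREATE_CRED = "google.iam.admin.v1.OauthClients.CreateOauthClientCredential"

def summarize(entry):
    """Pull the filterable values out of one entry; None if it is not an OAuth client event."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName")
    if payload.get("serviceName") != "iam.googleapis.com" or method not in (CREATE_CLIENT, CREATE_CRED):
        return None
    request = payload.get("request", {})
    parts = request.get("parent", "").split("/")
    # A credential's parent ends in .../oauthClients/OAUTH_CLIENT_ID.
    from_parent = parts[-1] if "oauthClients" in parts else None
    return {
        "is_credential": method == CREATE_CRED,
        "project": parts[1] if len(parts) > 1 else None,
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "client_id": from_parent if method == CREATE_CRED else request.get("oauthClientId"),
        "credential_id": request.get("oauthClientCredentialId"),
    }

def review(entries):
    """Return (reason, summary) pairs for credential creations worth a second look."""
    creators, findings = {}, []
    for event in filter(None, map(summarize, entries)):
        key = (event["project"], event["client_id"])
        if not event["is_credential"]:
            creators[key] = event["principal"]  # remember who created the client
        elif key not in creators:
            findings.append(("client-creation-not-in-input", event))
        elif creators[key] != event["principal"]:
            findings.append(("credential-created-by-different-principal", event))
    return findings

def _entry(method, principal, suffix, **ids):
    """Build a constructed sample entry with the same shape as the page's examples."""
    parent = "projects/123456789012/locations/global" + suffix
    return {"protoPayload": {"serviceName": "iam.googleapis.com", "methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "request": {"parent": parent, **ids}},
            "resource": {"type": "audited_resource"}}

SAMPLE = [  # constructed data, not real logs
    _entry(CREATE_CLIENT, "alice@example.com", "", oauthClientId="app-one"),
    _entry(CREATE_CRED, "alice@example.com", "/oauthClients/app-one", oauthClientCredentialId="cred-1"),
    _entry(CREATE_CRED, "bob@example.com", "/oauthClients/app-one", oauthClientCredentialId="cred-2"),
    _entry(CREATE_CRED, "bob@example.com", "/oauthClients/app-two", oauthClientCredentialId="cred-3"),
]
```

Calling review(SAMPLE) returns cred-2 and cred-3; neither result proves misuse, each is a prompt to confirm the change with the client's owner.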
What's next
- Configure and view the audit logs for IAM.
- Get more information about Cloud Audit Logs.
- Set up Workforce OAuth application integration using OAuth clients.
Last updated 2026-02-18 UTC.