- Notifications
You must be signed in to change notification settings - Fork1k
feat: add API key metadata to audit logs#19996
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Draft
ThomasK33 wants to merge1 commit intothomask33/09-26-add_detailed_scope_auth_metricsChoose a base branch
base:thomask33/09-26-add_detailed_scope_auth_metrics
Could not load branches
Branch not found:{{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline, and old review comments may become outdated.
Draft
feat: add API key metadata to audit logs#19996
ThomasK33 wants to merge1 commit intothomask33/09-26-add_detailed_scope_auth_metricsfromthomask33/09-28-add_api_key_audit_metadata
+296 −6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
This was referencedSep 28, 2025
MemberAuthor
ThomasK33 commentedSep 28, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stackon Graphite.
This stack of pull requests is managed byGraphite. Learn more aboutstacking. |
b00259f toe9a1439CompareUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
8b7a31c to7725526Comparee9a1439 to37565ceCompare7725526 toe2539b7Compared46b7f1 toc9891d7Comparee2539b7 to3bf5bf9Comparec9891d7 toa1ba3a5Compare3bf5bf9 toaeb80bdCompare998cb1d tob3d04caCompare13f3b28 to40a63d8Compareb3d04ca toafb4b9dCompare768ff90 tobf26332Compareafb4b9d to1060d38Comparebf26332 tod817f31Compare1060d38 to403b866Compare Comment on lines +406 to +409
| ifkey,ok:=httpmw.APIKeyOptional(p.Request);ok { | ||
| fields:=APIKeyFields(logCtx,p.Log,key) | ||
| additionalFieldsRaw=mergeAdditionalFields(logCtx,p.Log,additionalFieldsRaw,fields) | ||
| } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Is this is a lot of extra data to staple to every audit log?
If we are trying to debug rbac failures, the raw input is logged on authz failures. Do we need to have scope metadata on all audit log entries?
d817f31 tob076a30Compare403b866 to5e40a34Compareb076a30 tob020309Compare5e40a34 to4280771Compareb020309 to37cd2d3Compare4280771 to384a406Compare37cd2d3 to807fafeCompare154d4a1 tocafac8dCompare7b72854 to5a425afComparecafac8d to393492aCompare5a425af toe408ecfCompare393492a to2c9a4c1Comparee408ecf toab2a24fCompare2c9a4c1 to7915a16CompareFor any action authenticated via an API key, the audit log now includesmetadata about the key used for the request. This provides visibilityinto the permissions used to perform an action.The metadata is stored in the `request_api_key` field within the`additional_fields` payload and includes the key's ID, name, scopes,allow list, and its effective/expanded scope.Additionally, when an API key is the subject of a create, update, ordelete action, its own metadata is now stored in the `api_key` fieldto provide a more complete record of the change.
7915a16 toe153689Compareab2a24f to802b588CompareSign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Labels
None yet
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Enhanced API Key Audit Logging
This PR improves audit logging for API keys by:
Adding detailed API key information to audit logs, including:
Including API key metadata in all audit logs when an API key is used for authentication
Adding tests to verify the new audit fields are properly populated
Updating documentation to reflect that API key scopes and allow lists are now tracked in audit logs
These changes provide administrators with better visibility into API key usage and permissions, making it easier to track and audit API key activities.