Firebase Realtime Database audit logging

This document describes audit logging for Firebase Realtime Database. Google Cloud services generate audit logs that record administrative and access activities within your Google Cloud resources. For more information about Cloud Audit Logs, see the following:

• Types of audit logs
• Audit log entry structure
• Storing and routing audit logs
• Cloud Logging pricing summary
• Enable Data Access audit logs

Notes

Additional information about fields in protoPayload.metadata for DATA_READ and DATA_WRITEoperations is available in the reference documentation.

Service name

Firebase Realtime Database audit logs use the service name firebasedatabase.googleapis.com. Filter for this service:

    protoPayload.serviceName="firebasedatabase.googleapis.com"
  

Methods by permission type

Each IAM permission has a type property, whose value is an enum that can be one of four values: ADMIN_READ, ADMIN_WRITE, DATA_READ, or DATA_WRITE. When you call a method, Firebase Realtime Database generates an audit log whose category is dependent on the type property of the permission required to perform the method. Methods that require an IAM permission with the type property value of DATA_READ, DATA_WRITE, or ADMIN_READ generate Data Access audit logs. Methods that require an IAM permission with the type property value of ADMIN_WRITE generate Admin Activity audit logs.

API interface audit logs

For information about how and which permissions are evaluated for each method, see the Cloud Identity and Access Management documentation for Firebase Realtime Database.

google.firebase.database.v1.RealtimeDatabase

The following audit logs are associated with methods belonging to google.firebase.database.v1.RealtimeDatabase.

Connect

• Method: google.firebase.database.v1.RealtimeDatabase.Connect
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.connect - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Connect"
  

Disconnect

• Method: google.firebase.database.v1.RealtimeDatabase.Disconnect
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.connect - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Disconnect"
  

Listen

• Method: google.firebase.database.v1.RealtimeDatabase.Listen
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.get - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Listen"
  

OnDisconnectCancel

• Method: google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.cancel - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectCancel"
  

OnDisconnectPut

• Method: google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectPut"
  

OnDisconnectUpdate

• Method: google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.OnDisconnectUpdate"
  

Read

• Method: google.firebase.database.v1.RealtimeDatabase.Read
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.get - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Read"
  

RunOnDisconnect

• Method: google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.RunOnDisconnect"
  

Unlisten

• Method: google.firebase.database.v1.RealtimeDatabase.Unlisten
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.cancel - DATA_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Unlisten"
  

Update

• Method: google.firebase.database.v1.RealtimeDatabase.Update
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.get - DATA_WRITE
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Update"
  

Write

• Method: google.firebase.database.v1.RealtimeDatabase.Write
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.data.update - DATA_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1.RealtimeDatabase.Write"
  

google.firebase.database.v1beta.RealtimeDatabaseService

The following audit logs are associated with methods belonging to google.firebase.database.v1beta.RealtimeDatabaseService.

CreateDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.create - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.CreateDatabaseInstance"
  

DeleteDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.delete - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DeleteDatabaseInstance"
  

DisableDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.disable - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.DisableDatabaseInstance"
  

GetDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.instances.get - ADMIN_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.GetDatabaseInstance"
  

ListDatabaseInstances

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances
  
• Audit log type: Data access
  
• Permissions:
  • firebasedatabase.instances.list - ADMIN_READ
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ListDatabaseInstances"
  

ReenableDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.reenable - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.ReenableDatabaseInstance"
  

UndeleteDatabaseInstance

• Method: google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance
  
• Audit log type: Admin activity
  
• Permissions:
  • firebasedatabase.instances.undelete - ADMIN_WRITE
• Method is a long-running or streaming operation: No.
  
• Filter for this method: protoPayload.methodName="google.firebase.database.v1beta.RealtimeDatabaseService.UndeleteDatabaseInstance"
  

Audit authentication information

Audit log entries include information about the identity that performed the logged operation. To identify a request caller, see the following fields within the AuditLog object:

• Establishing realtime connections. Realtime Database Connect operations do not log authentication data since Realtime Database authenticates after a connection is established. Therefore, Connect has no authentication info. The AuthenticationInfo object contains a placeholder principalEmail of audit-pending-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com.

• Google Authentication. Realtime Database operations that use standard Google Authentication, such as traffic from Firebase Admin SDK or REST requests authenticated with a standard OAuth token, have an AuthenticationInfo object that contains the actual credentials email.

• Firebase Authentication. Realtime Database operations that use Firebase Authentication have an AuthenticationInfo object that contains a principalEmail value of audit-third-party-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. The same is true if you implement your own authentication solution by minting custom JWTs.

  • If a JSON Web Token (JWT) was used for third-party authentication, the thirdPartyPrincipal field includes the token's header and payload. For example, audit logs for requests authenticated with Firebase Authentication include that request's Firebase Authentication token.

• No authentication. Realtime Database operations that do not use any authentication have an AuthenticationInfo object that contains a principalEmail value of audit-no-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com A Realtime Database instance with open security rules may grant such requests. We recommend all users secure their databases properly.

• Legacy secrets tokens. Realtime Database operations using legacy tokens have an AuthenticationInfo object that contains a placeholder principalEmail of audit-secret-auth@firebasedatabase-{REGION_CODE}-prod.iam.gserviceaccount.com. For secrets-signed JWT, thirdPartyPrincipal contains the JWT headers and payload.

Audit Firebase Security Rules evaluations

Cloud Audit logs can be used to identify requests that will be potentially affected by Rules changes.

In the AuthorizationInfo object, authorization.permission can be one of:

• firebasedatabase.data.get: Read access granted at the path specified in resource.
• firebasedatabase.data.update: Write access granted at the path specified in resource.
• firebasedatabase.data.connect: Placeholder for Connect and Disconnect. No authorization required to connect to a Realtime Database instance.
• firebasedatabase.data.cancel: Used for Unlisten and OnDisconnectCancel. Revoking or canceling a previously-authorized operation requires no additional authorization.

Correlate Cloud Audit logs with Realtime Database profiler results

You can perform in-depth performance analysis on Realtime Database using the Realtime Database profiler in combination with Realtime Database audit logging. Each tool has its strengths.

Audit log contents correspond to profiler metrics as shown below.