Tags: google-cloud-functions, google-secret-manager

Google Secret Manager and Cloud Functions - Audit logs and caller id


I am wondering if any of you managed to somehow pass additional data to the Google Secret Manager audit logs? My use case is as follows:

  1. I have a Cloud Function that manages CRUD operations on the Secrets.
  2. Those CRUD functions are invoked by a user from the frontend through a Callable function. Only certain, authorised users are able to invoke those actions.

Now, as far as I can see, when I do any of the CRUD operations using this approach, in the audit logs I can only see the principalSubject and principalEmail of the service account that is used to run the Cloud Functions. However, I need information on the user who triggered this action.

I looked everywhere and was unable to find any information on that. Did anyone have a similar issue?


Solution

  • Posting as a community wiki as per @JohnHanley's comment:

    The user is not making the requests. Your function allows the user to make requests to the function but it is the function's service account's identity (principal) that makes the requests to Google's IAM. You can write your own log entry with additional information but you will not be able to modify the log entries that Google writes.
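The practical consequence of that comment is that the caller's identity has to be recorded by the function itself, in a log entry it writes alongside the operation. The following Node.js helper is an added example (not code from the question, the answer, or any Google SDK): it builds a structured log entry carrying the callable's `context.auth` identity and the Secret Manager resource name, and wraps a CRUD operation so that every call, including failures, produces one such entry. The function names (`buildSecretAuditEntry`, `runWithCallerAudit`, `updateSecretHandler`) and the `fakeAddSecretVersion` stand-in for the real Secret Manager client call are assumptions made so the example runs offline; it also assumes that single-line JSON written to stdout is ingested by Cloud Logging as `jsonPayload` with its `severity` field honoured.

```javascript
// Added example: record the end user behind a Secret Manager operation in the
// function's own structured log entry. Hypothetical helper names; not from the
// original post or from Google's SDKs.

// Builds a Cloud Logging structured entry. `auth` has the shape Firebase callable
// functions expose as context.auth ({ uid, token: { email } }); `action` is the
// CRUD verb and `secretResource` the full Secret Manager resource name.
function buildSecretAuditEntry({ auth, action, secretResource, outcome, requestId }) {
  if (!auth || !auth.uid) {
    // Never emit an "unknown caller" entry: refuse instead, so a missing identity
    // is visible as a failed request rather than a gap in the trail.
    throw new Error('unauthenticated: no caller identity to record');
  }
  return {
    severity: outcome === 'success' ? 'NOTICE' : 'ERROR',
    message: `secret ${action} by ${auth.uid}: ${outcome}`,
    // Custom fields land under jsonPayload and are filterable in Logs Explorer.
    secret_audit: {
      action,
      resource: secretResource,
      caller_uid: auth.uid,
      caller_email: (auth.token && auth.token.email) || null,
      outcome,
      request_id: requestId,
    },
  };
}

// Simple correlation id; a real deployment would use a UUID or the trace id.
function newRequestId() {
  return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
}

// Runs `operation` and always writes one audit entry for it, whether it
// succeeds or throws. The entry is what lets you join the caller to Google's
// own audit log line, which only names the function's service account.
async function runWithCallerAudit({ auth, action, secretResource, operation, log = console.log }) {
  const requestId = newRequestId();
  let outcome = 'success';
  let result;
  try {
    result = await operation();
  } catch (err) {
    outcome = 'failure';
    throw err;
  } finally {
    const entry = buildSecretAuditEntry({ auth, action, secretResource, outcome, requestId });
    log(JSON.stringify(entry)); // one JSON object per line for Cloud Logging
  }
  return { result, requestId };
}

// Constructed stand-in for a Secret Manager client call (e.g. adding a version),
// so the example runs without the SDK or network access.
async function fakeAddSecretVersion(resource) {
  return { name: `${resource}/versions/1` };
}

// Body of a callable handler; Firebase's onCall passes (data, context).
async function updateSecretHandler(data, context, addVersion = fakeAddSecretVersion, log = console.log) {
  if (!context || !context.auth) {
    throw new Error('unauthenticated');
  }
  // Assumed project/secret naming; the page does not give real values.
  const resource = `projects/${data.project}/secrets/${data.secretId}`;
  const { result, requestId } = await runWithCallerAudit({
    auth: context.auth,
    action: 'update',
    secretResource: resource,
    operation: () => addVersion(resource),
    log,
  });
  return { version: result.name, requestId };
}

// Stand-alone demo with constructed input.
updateSecretHandler(
  { project: 'example-project', secretId: 'api-key' },
  { auth: { uid: 'user-123', token: { email: 'alice@example.com' } } },
).then((r) => console.log('done:', r.version));
```

In Logs Explorer the custom entries can then be selected with `jsonPayload.secret_audit.caller_uid="user-123"` and lined up with the corresponding Secret Manager audit log entry by resource name and timestamp; Google's entry will still show the function's service account as the principal, exactly as the answer states.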