KMS access logs contain the following fields.
Field reference
| Field name | Description | Example |
|---|---|---|
| access_key_fingerprint | The SHA256 digest of the application access point (AAP) client key's public key. Empty when identity_type is a RAM identity. | sha256-8cf3a6ad2288597d8ba7dd93970403d22796c7c1a0ab6ee8cbe1380e18e**** |
| access_key_id | The AccessKey ID (RAM identity) or the AAP client key ID (AAP identity). | KAAP.38742edd-1992-4048-82fa-940b8a90**** |
| account_id | The UID of the Alibaba Cloud account used to access the KMS instance (RAM identity), or the UID of the Alibaba Cloud account to which the AAP belongs (AAP identity). Empty if the AAP is not found. | 119285303511**** |
| api_name | The name of the KMS Instance API operation. For a full list, see List of operations by function. | GenerateDataKey |
| api_version | The version of the KMS Instance API. | dkms-gcs-0.2 |
| client_ip | The IP address of the client. | 192.168.XX.XX |
| duration | The request processing latency, in milliseconds. | 1.381 |
| error_message | The error message. | The ApiName "<apiname>" is invalid. |
| identity_type | The identity type. Valid values: cloud-account (Alibaba Cloud account), ram-user (RAM user), ram-role (RAM role), aap (AAP client key). | ram-user |
| instance_id | The ID of the KMS instance. | kst-gzz63ff0d55h5vdas**** |
| level | The log level. Always INFO. | INFO |
| principal_id | The UID of the RAM identity (cloud account, RAM user, or RAM role), or the name of the AAP. Empty if the AAP is not found. | 119285301584**** |
| region_id | The region where the KMS instance is deployed. | cn-hangzhou |
| request_id | The unique identifier of the request. | 2753f2f4-efb8-49c8-9817-c60cfe286c2d |
| resource_id | The key ID or secret name associated with the request. | key-hzz62f1cb66fa42qo**** |
| resource_parameters | Additional resource details, including the key version (key_version_id), the index in the hardware security module (HSM) (index), and the key ID (key_id). If resource_id is a secret, key_id identifies the key used to encrypt that secret. If resource_id is a key, key_id equals resource_id. index has a value only for hardware-protected keys. | {"key_id":"","key_version_id":"key-gzz64675a2ekoi4qj**-njscfe**","index":""} |
| share_gateway_api_name | The name of the API operation when the request is made through a KMS endpoint. For a full list, see List of operations by function. Empty for requests not made through a KMS endpoint. | GenerateDataKey |
| status_code | The HTTP status code of the response. | 200 |
| time | The time when the request starts to be processed. The value is a UNIX timestamp. | 2023-07-04T01:52:55Z |
| user_id | The UID of the Alibaba Cloud account to which the KMS instance belongs. | 119285303511**** |
| useragent | The information about the client. | AlibabaCloud (darwin; amd64) Golang/1.15.3 Core/0.01 TeaDSL/1 |
| version | The version of the log format. | V1.0 |
Identity type and field values
The identity_type field determines what values appear in the identity-related fields. Use the following table to understand the combinations.
| identity_type value | Identity | access_key_id | access_key_fingerprint | account_id | principal_id |
|---|---|---|---|---|---|
| cloud-account | Alibaba Cloud account | AccessKey ID | Empty | Account UID | Account UID |
| ram-user | RAM user | AccessKey ID | Empty | Account UID | RAM user UID |
| ram-role | RAM role | AccessKey ID | Empty | Account UID | RAM role UID |
| aap | AAP client key | AAP client key ID | SHA256 digest of client key public key | Account UID of AAP owner (empty if AAP not found) | AAP name (empty if AAP not found) |
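
The combinations in the identity table can be applied as a consistency check when triaging access logs. The following is an added example, not Alibaba Cloud code: it assumes each record is available as a JSON object keyed by the field names above (this page does not state the delivery format), and the function names and sample records are constructed for illustration.

```python
import json

# identity_type values the page lists as RAM identities (fingerprint is empty).
RAM_TYPES = {"cloud-account", "ram-user", "ram-role"}

def check_identity(rec):
    """Return findings for one access-log record (dict of field name -> str)."""
    findings = []
    itype = rec.get("identity_type", "")
    fingerprint = rec.get("access_key_fingerprint", "")
    account = rec.get("account_id", "")
    principal = rec.get("principal_id", "")
    if itype in RAM_TYPES:
        if fingerprint:
            findings.append("fingerprint set for RAM identity")
        if not account or not principal:
            findings.append("RAM identity missing account_id/principal_id")
    elif itype == "aap":
        if not fingerprint:
            findings.append("AAP request without client key fingerprint")
        if not account or not principal:
            # Per the table, both fields are empty when the AAP is not found.
            findings.append("AAP not found")
    else:
        findings.append("unknown identity_type: %r" % itype)
    return findings

def triage(lines):
    """Parse JSON lines; return {request_id: findings} for flagged records."""
    report = {}
    for line in lines:
        rec = json.loads(line)
        findings = check_identity(rec)
        if findings:
            report[rec.get("request_id", "?")] = findings
    return report

# Constructed sample records (not real KMS log data); JSON lines are an assumption.
SAMPLE = [json.dumps(r) for r in (
    {"request_id": "req-1", "identity_type": "ram-user", "access_key_fingerprint": "",
     "account_id": "1000", "principal_id": "2000"},
    {"request_id": "req-2", "identity_type": "aap", "access_key_fingerprint": "sha256-aaaa",
     "account_id": "1000", "principal_id": "app-one"},
    {"request_id": "req-3", "identity_type": "aap", "access_key_fingerprint": "sha256-bbbb",
     "account_id": "", "principal_id": ""},
    {"request_id": "req-4", "identity_type": "ram-role", "access_key_fingerprint": "sha256-cccc",
     "account_id": "1000", "principal_id": "3000"},
)]

if __name__ == "__main__":
    for request_id, findings in triage(SAMPLE).items():
        print(request_id, findings)
```

Records flagged as "AAP not found" are worth correlating with client_ip and access_key_id, since they indicate a client key that does not map to a known AAP.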