Key Management Service: Log fields

Last Updated: Dec 15, 2023

This topic describes the fields of Key Management Service (KMS) access logs.

Each field below is listed with its field name, then its description, then an example value.

access_key_fingerprint

  • If the identity type is Resource Access Management (RAM), the field is not applicable and is empty.

  • If the identity type is application access point (AAP), the field indicates the SHA256 digest for the public key of the AAP client key.

sha256-8cf3a6ad2288597d8ba7dd93970403d22796c7c1a0ab6ee8cbe1380e18e****

access_key_id

  • If the identity type is RAM, the field indicates the AccessKey ID.

  • If the identity type is AAP, the field indicates the ID of the AAP client key.

KAAP.38742edd-1992-4048-82fa-940b8a90****

account_id

  • If the identity type is RAM, the field indicates the UID of the Alibaba Cloud account that is used to access the KMS instance.

  • If the identity type is AAP, the field indicates the UID of the Alibaba Cloud account to which the AAP belongs. If the AAP is not found, an error is returned, and this field is left empty.

119285303511****

api_name

The name of the KMS Instance API operation. For more information, see List of operations by function.

GenerateDataKey

api_version

The version number of KMS Instance API.

dkms-gcs-0.2

client_ip

The IP address of the client.

192.168.XX.XX

duration

The request processing latency. Unit: milliseconds.

1.381

error_message

The error message.

The ApiName "<apiname>" is invalid.

identity_type

The identity type. Valid values:

  • RAM:

    • cloud-account: an Alibaba Cloud account

    • ram-user: a RAM user

    • ram-role: a RAM role

  • AAP:

    • aap: the client key of an AAP

ram-user

instance_id

The ID of the KMS instance.

kst-gzz63ff0d55h5vdas****

level

The level of the log. KMS supports only INFO.

INFO

principal_id

  • For the RAM identity type:

    • If the value of identity_type is cloud-account, the field indicates the UID of the Alibaba Cloud account.

    • If the value of identity_type is ram-user, the field indicates the UID of the RAM user.

    • If the value of identity_type is ram-role, the field indicates the UID of the RAM role.

  • For the AAP identity type: The value of identity_type is aap, and the field indicates the name of the AAP. If the AAP is not found, an error is returned, and this field is left empty.

119285301584****

region_id

The region of the KMS instance.

cn-hangzhou

request_id

The request ID.

2753f2f4-efb8-49c8-9817-c60cfe286c2d

resource_id

The identifier of the resource. The value can be a key ID or secret name.

key-hzz62f1cb66fa42qo****

resource_parameters

The additional information about the resource, including the key version (keyVersionId), index ID (Index) in the hardware security module (HSM), and key ID (KeyId).

Note
  • If resource_id specifies a secret, KeyId specifies the key that is used to encrypt the secret. If resource_id specifies a key, KeyId and resource_id have the same value.

  • If resource_id specifies a hardware-protected key, Index has a valid value.

{"key_id":"","key_version_id":"key-gzz64675a2ekoi4qj****-njscfe****","index":""}

share_gateway_api_name

The field has a valid value only when the request is initiated by using a KMS endpoint. The value is the name of the API operation. For more information, see List of operations by function.

GenerateDataKey

status_code

The HTTP status code.

200

time

The time when the request starts to be processed. The value is a UNIX timestamp.

2023-07-04T01:52:55Z

user_id

The UID of the Alibaba Cloud account to which the KMS instance belongs.

119285303511****

useragent

The information about the client.

AlibabaCloud (darwin; amd64) Golang/1.15.3 Core/0.01 TeaDSL/1

version

The version number of the log.

V1.0
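
The following triage sketch shows how these fields combine when reviewing KMS access logs. It is an added example, not code from the KMS documentation. It assumes records arrive as one JSON object per line and that resource_parameters may be a JSON-encoded string; the finding labels and every sample value are constructed for illustration.

```python
import json

def key_id_of(rec):
    """key_id from resource_parameters: for a secret, the key that encrypts it."""
    params = rec.get("resource_parameters") or {}
    if isinstance(params, str):  # assumption: may arrive as a JSON-encoded string
        params = json.loads(params)
    return params.get("key_id") or None

def triage(rec):
    """Findings for one parsed record (labels are hypothetical names)."""
    findings = []
    # Field table: principal_id is left empty when the AAP is not found.
    if rec.get("identity_type") == "aap" and not rec.get("principal_id"):
        findings.append("aap-not-found")
    if str(rec.get("status_code")) != "200":
        findings.append("request-failed")
    return findings

def review(lines):
    """One row per flagged request; 'who' falls back to access_key_id for an unknown AAP."""
    rows = []
    for rec in map(json.loads, lines):
        findings = triage(rec)
        if findings:
            rows.append({"request_id": rec.get("request_id"),
                         "who": rec.get("principal_id") or rec.get("access_key_id"),
                         "resource_id": rec.get("resource_id"),
                         "key_id": key_id_of(rec), "findings": findings})
    return rows

def _sample(**fields):
    """Build one constructed log line; every value is made up for this example."""
    rec = {"identity_type": "ram-user", "principal_id": "1000000000000001",
           "access_key_id": "AK-CONSTRUCTED", "resource_id": "key-constructed-0001",
           "api_name": "GenerateDataKey", "status_code": 200,
           "resource_parameters": json.dumps({"key_id": "key-constructed-0001"})}
    return json.dumps({**rec, **fields})

SAMPLE_LINES = [
    _sample(request_id="req-1"),
    _sample(request_id="req-2", identity_type="aap", principal_id="",
            access_key_id="KAAP.constructed-0002", status_code=403),
    _sample(request_id="req-3", api_name="GetSecretValue", status_code=400,
            resource_id="constructed-secret",
            resource_parameters=json.dumps({"key_id": "key-constructed-0009"}))]

if __name__ == "__main__":
    print(*review(SAMPLE_LINES), sep="\n")
```

For a flagged secret access, the key_id column identifies the key whose policy and usage history should be reviewed alongside the secret itself.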