feat: add API key metadata to audit logs #19996
Closed
ThomasK33 wants to merge 1 commit into
This was referenced Sep 28, 2025
johnstcn
reviewed
Sep 29, 2025
Emyrk
reviewed
Oct 2, 2025
Comment on lines +406 to +409
| if key, ok := httpmw.APIKeyOptional(p.Request); ok { | ||
| fields := APIKeyFields(logCtx, p.Log, key) | ||
| additionalFieldsRaw = mergeAdditionalFields(logCtx, p.Log, additionalFieldsRaw, fields) | ||
| } |
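Review bot: at the reassignment of `additionalFieldsRaw` on +408, `mergeAdditionalFields` returns a single value and is handed the logger, so a failed merge appears to be logged rather than returned. Please confirm, and state in its doc comment, that on failure it returns the incoming `additionalFieldsRaw` unchanged, so an audit entry never loses the fields it already had because the key metadata could not be attached; a test that feeds it a non-object payload would pin that down. It would also help to document on `APIKeyFields` exactly which key attributes it emits, since this block runs for every request where `httpmw.APIKeyOptional` finds a key.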
Is this a lot of extra data to staple to every audit log?
If we are trying to debug rbac failures, the raw input is logged on authz failures. Do we need to have scope metadata on all audit log entries?
For any action authenticated via an API key, the audit log now includes metadata about the key used for the request. This provides visibility into the permissions used to perform an action. The metadata is stored in the `request_api_key` field within the `additional_fields` payload and includes the key's ID, name, scopes, allow list, and its effective/expanded scope. Additionally, when an API key is the subject of a create, update, or delete action, its own metadata is now stored in the `api_key` field to provide a more complete record of the change.

Enhanced API Key Audit Logging
This PR improves audit logging for API keys by:

- Adding detailed API key information to audit logs, including:
- Including API key metadata in all audit logs when an API key is used for authentication
- Adding tests to verify the new audit fields are properly populated
- Updating documentation to reflect that API key scopes and allow lists are now tracked in audit logs

These changes provide administrators with better visibility into API key usage and permissions, making it easier to track and audit API key activities.
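
An added example, not code from this PR or from the project: one way to attach key metadata under `request_api_key` in an `additional_fields` JSON payload so that a failed merge never drops fields the entry already had. `KeyMeta`, its JSON names, `MergeRequestAPIKey` and the sample values are assumptions; only the `request_api_key` and `additional_fields` names come from the description above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// KeyMeta is a hypothetical shape for the metadata the PR description lists.
// Its JSON names are assumptions; it deliberately has no secret or hash field.
type KeyMeta struct {
	ID             string   `json:"id"`
	Name           string   `json:"name"`
	Scopes         []string `json:"scopes"`
	AllowList      []string `json:"allow_list"`
	EffectiveScope []string `json:"effective_scope"`
}

// MergeRequestAPIKey adds meta under "request_api_key" (hypothetical helper).
// On any error it returns the original payload unchanged, plus the error.
func MergeRequestAPIKey(raw json.RawMessage, meta KeyMeta) (json.RawMessage, error) {
	fields := map[string]json.RawMessage{}
	if trimmed := bytes.TrimSpace(raw); len(trimmed) > 0 && !bytes.Equal(trimmed, []byte("null")) {
		if err := json.Unmarshal(trimmed, &fields); err != nil {
			return raw, fmt.Errorf("additional_fields is not a JSON object: %w", err)
		}
	}
	if _, exists := fields["request_api_key"]; exists {
		return raw, fmt.Errorf("request_api_key already set; refusing to overwrite")
	}
	encoded, err := json.Marshal(meta)
	if err != nil {
		return raw, err
	}
	fields["request_api_key"] = encoded
	out, err := json.Marshal(fields)
	if err != nil {
		return raw, err
	}
	return out, nil
}

func main() {
	// Constructed sample payload and key metadata.
	existing := json.RawMessage(`{"workspace_name":"dev"}`)
	meta := KeyMeta{ID: "key-1", Name: "ci", Scopes: []string{"workspace:read"}}
	out, err := MergeRequestAPIKey(existing, meta)
	fmt.Println(string(out), err)
}
```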