
Cannot find request_reason in Cloud Audit Logs #446

Closed
threat-punter opened this issue Sep 30, 2024 · 7 comments
Labels: bug (Something isn't working)

Comments

@threat-punter

### TL;DR

I configured this GitHub Action with a request_reason value, but cannot find it in any events in Cloud Audit Logs.

### Expected behavior

I set a value for request_reason in my GitHub Actions workflow file and validated that authentication works successfully.

I can't find the request_reason field or the value that I set in any of my Cloud Audit Logs. Do you know where this should be logged? Do you have an example query I can use in Logs Explorer to find the events?

auth/README.md, lines 287 to 291 in c8788cc:

- `request_reason`: (Optional) An optional Reason Request [System
Parameter](https://cloud.google.com/apis/docs/system-parameters) for each
API call made by the GitHub Action. This will inject the
"X-Goog-Request-Reason" HTTP header, which will provide user-supplied
information in Google Cloud audit logs.

### Observed behavior

Unable to find request_reason or the value that I set in any of my Cloud Audit Logs after the GitHub Action authenticates successfully.

### Action YAML

```yaml
name: Workflow 1

on:
  schedule:
  - cron: "5 23 * * *"

  # workflow_dispatch allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

permissions:
  contents: write
  # 'id-token: write' is required to allow GitHub's OIDC provider to create a JSON Web Token for every run
  id-token: write

jobs:
  pull-latest-content:
    runs-on: ubuntu-latest

    env:
      LOGGING_LEVEL: ${{ vars.LOGGING_LEVEL }}
      GOOGLE_CLOUD_PROJECT_ID: ${{ vars.GOOGLE_CLOUD_PROJECT_ID }}

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GH_PAT }}

      - uses: google-github-actions/auth@v2
        with:
          project_id: ${{ vars.GOOGLE_CLOUD_PROJECT_ID }}
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          access_token_lifetime: 300
          export_environment_variables: true
          create_credentials_file: true
          cleanup_credentials: true
          request_reason: "GitHub Actions - 123456789"
```

### Log output

_No response_

### Additional information

_No response_
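An added example (not code from the google-github-actions/auth project or from this thread) for the Logs Explorer question above: it builds a Data Access log filter for sts.googleapis.com and scans exported audit log entries for the reason string the workflow set. It assumes, which the thread does not confirm, that a value sent in the X-Goog-Request-Reason header lands at protoPayload.requestMetadata.requestAttributes.reason, and that entries are plain dicts such as those from `gcloud logging read --format=json`.

```python
"""Added example, not code from the google-github-actions/auth project.

Assumptions this thread does not confirm:
- Data Access audit logs are enabled for sts.googleapis.com.
- A reason sent in the X-Goog-Request-Reason header surfaces in the entry at
  protoPayload.requestMetadata.requestAttributes.reason (AttributeContext.Request.reason).
- Entries are plain dicts, e.g. from `gcloud logging read --format=json`.
"""
from typing import Any, Iterable, Optional

REASON_PATH = ("protoPayload", "requestMetadata", "requestAttributes", "reason")


def logs_explorer_filter(reason: str, service: str = "sts.googleapis.com") -> str:
    """Build a Logs Explorer query for Data Access entries that carry the reason."""
    return (
        'logName:"cloudaudit.googleapis.com%2Fdata_access" AND '
        f'protoPayload.serviceName="{service}" AND '
        f'{".".join(REASON_PATH)}="{reason}"'
    )


def extract_reason(entry: dict) -> Optional[str]:
    """Return the request reason of one audit log entry, or None if absent."""
    node: Any = entry
    for key in REASON_PATH:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def find_by_reason(entries: Iterable[dict], prefix: str) -> list:
    """Select entries whose reason starts with `prefix`, e.g. "GitHub Actions - "."""
    return [e for e in entries if (extract_reason(e) or "").startswith(prefix)]


# Constructed sample entries, trimmed to the fields inspected above.
SAMPLE_ENTRIES = [
    {"protoPayload": {"serviceName": "sts.googleapis.com",
                      "requestMetadata": {"requestAttributes": {"reason": "GitHub Actions - 123456789"}}}},
    {"protoPayload": {"serviceName": "sts.googleapis.com",
                      "requestMetadata": {"requestAttributes": {}}}},  # reason never reached the log
    {"protoPayload": {"serviceName": "storage.googleapis.com",
                      "requestMetadata": {"requestAttributes": {"reason": "manual"}}}},
]

if __name__ == "__main__":
    print(logs_explorer_filter("GitHub Actions - 123456789"))
    print(len(find_by_reason(SAMPLE_ENTRIES, "GitHub Actions - ")), "matching entries")
```

If the reason is absent from every ExchangeToken entry even with Data Access logging on, the header is either not being sent on that call or not surfaced by the service, which is the open question in this issue.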
threat-punter added the `bug` label on Sep 30, 2024

Hi there @threat-punter 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

@sethvargo (Member)

Hi @threat-punter - can you attach the debug logs? That will help me see whether the header is actually being set on the appropriate API call. Have you enabled CAL and DAL?

@sethvargo (Member)

Hey @threat-punter - any luck after those various changes?

@threat-punter (Author)

I see X-Goog-Request-Reason is being logged by the GitHub Actions workflow now.

I'm not sure what Data Access audit log setting(s) to enable though so that this is logged in my Google Cloud project. 🤔

@sethvargo (Member)

It should be sts.googleapis.com

@threat-punter (Author)

I'll try and find the appropriate setting(s) and report back here. Cheers

@threat-punter (Author)

I have data access audit logging enabled for the Security Token Service API. I can't find the request reason in my logs. Is it logged for you?

image

sethvargo closed this as not planned on Nov 2, 2024