Audit Logs
List Audit Log Events Handler V1
/api/orgs/{orgName}/auditlogs
Lists audit log events for an organization. Either continuationToken or startTime is required. Supports filtering by event type and user.
Request Parameters
- orgName (string, path, required): The organization name
- continuationToken (string, query, optional): Token for paginated result retrieval
- endTime (integer, query, optional): Upper bound of the query range (unix timestamp)
- eventFilter (string, query, optional): Filter audit logs by event type
- format (string, query, optional): Response format: ‘json’ (default)
- startTime (integer, query, optional): Returns entries older than this timestamp (unix timestamp)
- userFilter (string, query, optional): Filter audit logs by username
Responses
- continuationToken (string, optional): A continuation token for paginating through audit log results.
- The list of audit log events.
  - timestamp (integer, required): Unix epoch timestamp (seconds) when the event occurred.
  - sourceIP (string, required): IP address of the client that triggered the event.
  - event (string, required): The audit event type identifier (e.g. ‘stack.update’, ‘member.added’).
  - description (string, required): Human-readable description of the event.
  - The user who performed the action.
  - tokenID (string, optional): ID of the access token used to authenticate, if applicable.
  - tokenName (string, optional): Name of the access token used to authenticate, if applicable.
  - reqOrgAdmin (boolean, optional): Whether the action that triggered this event required the organization ADMIN role.
  - reqStackAdmin (boolean, optional): Whether the action required stack admin privileges.
  - authFailure (boolean, optional): Whether this event represents a failed authentication attempt.
  - actorName (string, optional): Display name of the non-human actor (e.g. deploy token name) that triggered the event.
  - actorUrn (string, optional): Pulumi URN of the non-human actor that triggered the event.
Export Audit Log Events Handler V1
/api/orgs/{orgName}/auditlogs/export
Exports audit log events for an organization in a downloadable format. Audit logs provide an immutable record of all user activity within the organization, including stack operations, member changes, and policy modifications. Results can be filtered by time range, event type, and user. Supported export formats are CSV and CEF (Common Event Format for SIEM integration). Pagination is supported via the continuationToken parameter.
Important: This endpoint differs from other API endpoints:
- The response is always gzip compressed. Use --compressed with curl or handle gzip decompression in your client.
- The Content-Type: application/json response header is omitted.
Note: In V1, startTime specifies the upper bound of the query range. Use the V2 endpoint for more intuitive time range semantics.
Request Parameters
- orgName (string, path, required): The organization name
- continuationToken (string, query, optional): Token for paginated result retrieval
- endTime (integer, query, optional): Upper bound of the query range (unix timestamp)
- eventFilter (string, query, optional): Filter audit logs by event type
- format (string, query, optional): Response format: ‘cef’ or ‘csv’ (defaults to csv)
- startTime (integer, query, optional): Returns entries older than this timestamp (unix timestamp)
- userFilter (string, query, optional): Filter audit logs by username
Responses
Get Audit Log Export Configuration
/api/orgs/{orgName}/auditlogs/export/config
GetAuditLogExportConfiguration returns the organization’s current audit log export configuration. If the organization has not configured its audit logs for export, returns a 404.
Request Parameters
- orgName (string, path, required): The organization name
Responses
- enabled (boolean, required): Whether audit log export is currently active. May be paused automatically if the configured destination repeatedly fails to authenticate.
- The S3 configuration for exporting audit logs.
  - s3BucketName (string, required): Name of the S3 bucket to export audit logs to.
  - s3PathPrefix (string, optional): Optional path prefix within the S3 bucket for exported log files.
  - iamRoleArn (string, required): ARN of the IAM role that Pulumi will assume to write to the S3 bucket.
- The result of the last audit log export attempt.
  - timestamp (integer, required): The timestamp
  - message (string, required): If the last result was successful, message will be “”. Any other value is a user-facing error message.
Update Audit Log Export Configuration
/api/orgs/{orgName}/auditlogs/export/config
Creates or updates the organization’s automated audit log export configuration. Audit log export enables automatic delivery of audit events to an S3 bucket for long-term retention and SIEM integration. The configuration includes the S3 bucket details and IAM role for authentication. This feature is available on Business Critical edition.
Request Parameters
- orgName (string, path, required): The organization name
Request Body
- newEnabled (boolean, required): Whether the audit log export is enabled.
- The new S3 configuration for audit log export.
  - s3BucketName (string, required): Name of the S3 bucket to export audit logs to.
  - s3PathPrefix (string, optional): Optional path prefix within the S3 bucket for exported log files.
  - iamRoleArn (string, required): ARN of the IAM role that Pulumi will assume to write to the S3 bucket.
Responses
Delete Audit Log Export Configuration
/api/orgs/{orgName}/auditlogs/export/config
DeleteAuditLogExportConfiguration removes an organization’s audit log export settings. Feature validation is skipped so that removal can still happen if the organization no longer has access to the feature.
Request Parameters
- orgName (string, path, required): The organization name
Responses
Force Audit Log Export
/api/orgs/{orgName}/auditlogs/export/config/force
ForceAuditLogExport exports the audit logs for the organization for a user-supplied timestamp. This can be used to backfill data that may have been missed due to an outage or permissions issue.
Request Parameters
- orgName (string, path, required): The organization name
- timestamp (integer, query, optional): Unix timestamp to export audit logs for (used for backfilling missed data)
Responses
- timestamp (integer, required): The timestamp
- message (string, required): If the last result was successful, message will be “”. Any other value is a user-facing error message.
Test Audit Log Export Configuration
/api/orgs/{orgName}/auditlogs/export/config/test
TestAuditLogExportConfiguration uses the provided audit log configuration and checks if we are able to successfully write some data.
Request Parameters
- orgName (string, path, required): The organization name
Request Body
- s3BucketName (string, required): Name of the S3 bucket to export audit logs to.
- s3PathPrefix (string, optional): Optional path prefix within the S3 bucket for exported log files.
- iamRoleArn (string, required): ARN of the IAM role that Pulumi will assume to write to the S3 bucket.
Responses
- timestamp (integer, required): The timestamp
- message (string, required): If the last result was successful, message will be “”. Any other value is a user-facing error message.
Get Audit Logs Reader Kind
/api/orgs/{orgName}/auditlogs/reader-kind
GetAuditLogsReaderKind returns whether the audit log is being read from MySQL or DynamoDB to control the event filtering UI on the front end.
Request Parameters
- orgName (string, path, required): The organization name
Responses
List Audit Log Events Handler V2
/api/orgs/{orgName}/auditlogs/v2
Lists audit log events for an organization. Uses startTime as the lower bound and endTime as the upper bound of the query range. Supports filtering by event type and user.
Request Parameters
- orgName (string, path, required): The organization name
- continuationToken (string, query, optional): Token for paginated result retrieval
- endTime (integer, query, optional): Upper bound of the query range (unix timestamp)
- eventFilter (string, query, optional): Filter audit logs by event type
- format (string, query, optional): Response format: ‘json’ (default)
- startTime (integer, query, optional): Lower bound of the query range (unix timestamp)
- userFilter (string, query, optional): Filter audit logs by username
Responses
- continuationToken (string, optional): A continuation token for paginating through audit log results.
- The list of audit log events.
  - timestamp (integer, required): Unix epoch timestamp (seconds) when the event occurred.
  - sourceIP (string, required): IP address of the client that triggered the event.
  - event (string, required): The audit event type identifier (e.g. ‘stack.update’, ‘member.added’).
  - description (string, required): Human-readable description of the event.
  - The user who performed the action.
  - tokenID (string, optional): ID of the access token used to authenticate, if applicable.
  - tokenName (string, optional): Name of the access token used to authenticate, if applicable.
  - reqOrgAdmin (boolean, optional): Whether the action that triggered this event required the organization ADMIN role.
  - reqStackAdmin (boolean, optional): Whether the action required stack admin privileges.
  - authFailure (boolean, optional): Whether this event represents a failed authentication attempt.
  - actorName (string, optional): Display name of the non-human actor (e.g. deploy token name) that triggered the event.
  - actorUrn (string, optional): Pulumi URN of the non-human actor that triggered the event.
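
Added example, not part of the Pulumi documentation: a client-side sketch that follows continuationToken across V2 list pages and counts authFailure events per sourceIP. The events array key auditLogEvents, the organization name acme, and the injectable fetch transport are assumptions (the page does not name the array field or describe authentication); the sample pages are constructed.

```python
from collections import Counter
from urllib.parse import urlencode

def v2_query(org, start_time, end_time, continuation_token=None):
    """Build the V2 list URL path; startTime is the lower bound, endTime the upper."""
    params = {"startTime": start_time, "endTime": end_time}
    if continuation_token:
        params["continuationToken"] = continuation_token
    return f"/api/orgs/{org}/auditlogs/v2?{urlencode(params)}"

def collect_events(fetch, org, start_time, end_time, max_pages=1000):
    """Follow continuationToken until the server stops returning one."""
    events, token, seen = [], None, set()
    for _ in range(max_pages):
        page = fetch(v2_query(org, start_time, end_time, token))
        # Assumption: the events array key is "auditLogEvents" (not named on the page).
        events.extend(page.get("auditLogEvents") or [])
        token = page.get("continuationToken")
        if not token or token in seen:  # finished, or the server repeated a token
            break
        seen.add(token)
    return events

def auth_failures_by_ip(events, threshold=2):
    """Return {sourceIP: count} for IPs with at least `threshold` authFailure events."""
    counts = Counter(e["sourceIP"] for e in events if e.get("authFailure"))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample pages (documentation-range IPs, made-up continuation token).
SAMPLE_PAGES = {
    None: {"continuationToken": "page2", "auditLogEvents": [
        {"timestamp": 1700000100, "sourceIP": "203.0.113.7", "event": "stack.update",
         "description": "constructed: stack updated", "authFailure": False},
        {"timestamp": 1700000200, "sourceIP": "198.51.100.9", "event": "stack.update",
         "description": "constructed: failed authentication", "authFailure": True},
    ]},
    "page2": {"auditLogEvents": [
        {"timestamp": 1700000300, "sourceIP": "198.51.100.9", "event": "stack.update",
         "description": "constructed: failed authentication", "authFailure": True},
    ]},
}

def fake_fetch(url):
    """Stand-in transport: returns the sample page named by continuationToken."""
    token = url.split("continuationToken=")[1] if "continuationToken=" in url else None
    return SAMPLE_PAGES[token]
```

In real use, fetch would be replaced by an authenticated GET that returns the decoded JSON body; the seen-token check and max_pages bound keep a misbehaving server from looping the client forever.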
Export Audit Log Events Handler V2
/api/orgs/{orgName}/auditlogs/v2/export
Exports audit log events in a downloadable format (CSV or CEF). Supports filtering by time range using startTime (lower bound) and endTime (upper bound), as well as filtering by event type and user.
Request Parameters
- orgName (string, path, required): The organization name
- continuationToken (string, query, optional): Token for paginated result retrieval
- endTime (integer, query, optional): Upper bound of the query range (unix timestamp)
- eventFilter (string, query, optional): Filter audit logs by event type
- format (string, query, optional): Response format: ‘cef’ or ‘csv’ (defaults to csv)
- startTime (integer, query, optional): Lower bound of the query range (unix timestamp)
- userFilter (string, query, optional): Filter audit logs by username
Responses