R2 Object Access Log

I checked R2 documentation about Audit Logs. But It only record Delete/Create/Put logs.
Right now I have several buckets with several specify bucket read only API Tokens.
Is it possible to record which token downloaded what object and when? Thanks.

You’d have to collect them some other way. You could use a Cloudflare Worker with its own Auth (something like hmac potentially Sign requests · Cloudflare Workers docs) and then push the access logs anywhere you’d like, or if you were Enterprise you could use HTTP Logpush, the HMAC Firewall function (Require a valid HMAC token · Cloudflare Web Application Firewall (WAF) docs) and an R2 Custom Domain to avoid paying for Worker Invocations.

Otherwise, nothing native.

If you avoid paying for worker invocations and use a custom domain for R2 access, you’ll start paying for CDN bandwidth instead, which is likely much more expensive.

I’m also looking for raw R2 access logs since we just did the reverse of the above and went from hmac verification and a custom domain to raw pre-signed R2 urls.