Attribute Vocabulary

Attributes are a central concept used throughout Istio. You can find a description of what attributes are and what they are used for here.

A given Istio deployment has a fixed vocabulary of attributes that it understands. The specific vocabulary is determined by the set of attribute producers being used in the deployment. The primary attribute producer in Istio is Envoy, although Mixer and services can also introduce attributes.

Standard Istio attribute vocabulary

The table below shows the set of canonical attributes and their respective types. Most Istio deployments will have agents (Envoy or Mixer adapters) that produce these attributes.

NameTypeDescriptionKubernetes Example
source.ipip_addressClient IP address.10.0.0.117
source.servicestringThe fully qualified name of the service that the client belongs to.redis-master.my-namespace.svc.cluster.local
source.namestringThe short name part of the source service.redis-master
source.namespacestringThe namespace part of the source service.my-namespace
source.domainstringThe domain suffix part of the source service, excluding the name and the namespace.svc.cluster.local
source.uidstringPlatform-specific unique identifier for the client instance of the source service.kubernetes://redis-master-2353460263-1ecey.my-namespace
source.labelsmap[string, string]A map of key-value pairs attached to the client instance.version => v1
source.userstringThe identity of the immediate sender of the request, authenticated by mTLS.service-account-foo
destination.ipip_addressServer IP address.10.0.0.104
destination.portint64The recipient port on the server IP address.8080
destination.servicestringThe fully qualified name of the service that the server belongs to.my-svc.my-namespace.svc.cluster.local
destination.namestringThe short name part of the destination service.my-svc
destination.namespacestringThe namespace part of the destination service.my-namespace
destination.domainstringThe domain suffix part of the destination service, excluding the name and the namespace.svc.cluster.local
destination.uidstringPlatform-specific unique identifier for the server instance of the destination service.kubernetes://my-svc-234443-5sffe.my-namespace
destination.labelsmap[string, string]A map of key-value pairs attached to the server instance.version => v2
destination.userstringThe user running the destination application.service-account
request.headersmap[string, string]HTTP request headers. 
request.idstringAn ID for the request with statistically low probability of collision. 
request.pathstringThe HTTP URL path including query string 
request.hoststringHTTP/1.x host header or HTTP/2 authority header.redis-master:3337
request.methodstringThe HTTP method. 
request.reasonstringThe request reason used by auditing systems. 
request.refererstringThe HTTP referer header. 
request.schemestringURI Scheme of the request 
request.sizeint64Size of the request in bytes. For HTTP requests this is equivalent to the Content-Length header. 
request.timetimestampThe timestamp when the destination receives the request. This should be equivalent to Firebase “now”. 
request.useragentstringThe HTTP User-Agent header. 
response.headersmap[string, string]HTTP response headers. 
response.sizeint64Size of the response body in bytes 
response.timetimestampThe timestamp when the destination produced the response. 
response.durationdurationThe amount of time the response took to generate. 
response.codeint64The response’s HTTP status code. 
connection.idstringAn ID for a TCP connection with statistically low probability of collision. 
connection.received.bytesint64Number of bytes received by a destination service on a connection since the last Report() for a connection. 
connection.received.bytes_totalint64Total number of bytes received by a destination service during the lifetime of a connection. 
connection.sent.bytesint64Number of bytes sent by a destination service on a connection since the last Report() for a connection. 
connection.sent.bytes_totalint64Total number of bytes sent by a destination service during the lifetime of a connection. 
connection.durationdurationThe total amount of time a connection has been open. 
context.protocolstringProtocol of the request or connection being proxied.tcp
context.timetimestampThe timestamp of Mixer operation. 
api.servicestringThe public service name. This is different than the in-mesh service identity and reflects the name of the service exposed to the client.my-svc.com
api.versionstringThe API version.v1alpha1
api.operationstringUnique string used to identify the operation. The id is unique among all operations described in a specific <service, version>.getPetsById
api.protocolstringThe protocol type of the API call. Mainly for monitoring/analytics. Note that this is the frontend protocol exposed to the client, not the protocol implemented by the backend service.“http”, “https”, or “grpc”
request.auth.principalstringThe authenticated principal of the request. This is a string of the issuer (iss) and subject (sub) claims within a JWT concatenated with “/” with a percent-encoded subject value.accounts.my-svc.com/104958560606
request.auth.audiencesstringThe intended audience(s) for this authentication information. This should reflect the audience (aud) claim within a JWT.[‘my-svc.com’, ‘scopes/read’]
request.auth.presenterstringThe authorized presenter of the credential. This value should reflect the optional Authorized Presenter (azp) claim within a JWT or the OAuth2 client id.123456789012.my-svc.com