Last updated: 2023.11.13 16:31:38
First published: 2023.05.30 17:38:56
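Before an IAM user can use Log Service, the Volcengine account must first grant that IAM user the relevant access permissions. Log Service supports custom permission policies; this document gives example custom access policies for common Log Service scenarios.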
Feature module | Access policy examples |
---|---|
Data collection | |
Log search | |
Consumption and shipping | |
With the following permission policy, an IAM user can upload log data to the specified log project through the OpenAPI PutLogs.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:PutLogs"
      ],
      "Resource": [
        "trn:tls:*:*:project/eec15404-df0d-407f-a1eb-845c5f1fxxxx/topic/*"
      ]
    }
  ]
}
```
With the following permission policy, an IAM user can create and manage Trace instances, write collected Trace data to the corresponding log topic, and search and analyze Trace data through the API.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateIndex",
        "tls:CreateTopic",
        "tls:PutLogs",
        "tls:ModifyIndex",
        "tls:ModifyTopic",
        "tls:DescribeTopic",
        "tls:CreateTraceInstance",
        "tls:ModifyTraceInstance",
        "tls:DeleteTraceInstance",
        "tls:DescribeTraceInstance",
        "tls:DescribeTraceInstances",
        "tls:SearchLogs"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
With the following permission policy, an IAM user can search log data through the OpenAPI SearchLogs.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:SearchLogs"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
With the following permission policy, an IAM user can consume log data through the log consumption OpenAPI operations, and can view consumption progress and reset consumption positions in the console.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:DescribeProject",
        "tls:DescribeProjects",
        "tls:DescribeTopic",
        "tls:DescribeTopics",
        "tls:DescribeIndex",
        "tls:DescribeShards",
        "tls:DescribeCursor",
        "tls:ConsumeLogs",
        "tls:CreateConsumerGroup",
        "tls:DeleteConsumerGroup",
        "tls:ModifyConsumerGroup",
        "tls:DescribeConsumerGroups",
        "tls:ConsumerHeartbeat",
        "tls:DescribeCheckPoint",
        "tls:ModifyCheckPoint"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
With the following permission policy, an IAM user can create Kafka shipping tasks in the Log Service console to ship data from the specified log topic to a Message Queue for Kafka instance in the same Volcengine account and the same region.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:DescribeProjects",
        "tls:DescribeTopics",
        "tls:DescribeShippers",
        "tls:DescribeProject",
        "tls:DescribeIndex",
        "tls:DescribeTopic",
        "tls:CreateShipper",
        "tls:ModifyShipper",
        "tls:DeleteShipper",
        "tls:DescribeShipper",
        "tls:DescribeShipperTasks",
        "tls:RetryShipperTask",
        "kafka:DescribeInstances",
        "kafka:DescribeTopics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
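The check below is an added example, not code from the original page or from Volcengine: it flags Allow statements that grant actions on `"Resource": ["*"]`, the pattern most policies on this page use, and separates read-only grants from ones that include state-changing actions. The `WRITE_VERBS` prefix list and the severity labels are assumptions of this example; the three policy documents are copied from this page.

```python
import json

# Verbs treated as state-changing: an assumption of this example, inferred
# from the action names on this page, not an official classification.
WRITE_VERBS = ("Create", "Modify", "Delete", "Put", "Retry")

def as_list(value):
    # Defensive: accept a bare string as well as a list.
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy_json):
    """Return one finding per Allow statement that grants actions on Resource "*"."""
    findings = []
    for index, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource")):
            continue
        actions = as_list(stmt.get("Action"))
        # A wildcard action is counted as a write because it covers write verbs.
        writes = sorted(a for a in actions
                        if a.partition(":")[2].startswith(WRITE_VERBS) or "*" in a)
        findings.append({
            "statement": index,
            "services": sorted({a.partition(":")[0] for a in actions}),
            "write_actions": writes,
            # Write access to every resource is the case to review first.
            "severity": "high" if writes else "medium",
        })
    return findings

# Policies copied from this page.
PUT_LOGS_SCOPED = """{"Statement": [{"Effect": "Allow", "Action": ["tls:PutLogs"],
  "Resource": ["trn:tls:*:*:project/eec15404-df0d-407f-a1eb-845c5f1fxxxx/topic/*"]}]}"""
SEARCH_LOGS = """{"Statement": [{"Effect": "Allow", "Action": ["tls:SearchLogs"],
  "Resource": ["*"]}]}"""
KAFKA_SHIPPER = """{"Statement": [{"Effect": "Allow", "Action": [
  "tls:DescribeProjects", "tls:DescribeTopics", "tls:DescribeShippers",
  "tls:DescribeProject", "tls:DescribeIndex", "tls:DescribeTopic",
  "tls:CreateShipper", "tls:ModifyShipper", "tls:DeleteShipper",
  "tls:DescribeShipper", "tls:DescribeShipperTasks", "tls:RetryShipperTask",
  "kafka:DescribeInstances", "kafka:DescribeTopics"], "Resource": ["*"]}]}"""

if __name__ == "__main__":
    for name, doc in [("PutLogs", PUT_LOGS_SCOPED), ("SearchLogs", SEARCH_LOGS),
                      ("Kafka shipper", KAFKA_SHIPPER)]:
        print(name, audit_policy(doc))
```

The project-scoped PutLogs policy produces no finding, while the SearchLogs and Kafka shipping policies are reported because their statements apply to every resource in the account.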