Before an IAM user can use Log Service (TLS), the Volcengine account must first grant that user the relevant access permissions. Log Service supports custom permission policies; this document gives example custom access policies for common Log Service scenarios.
The examples below are grouped by functional module:

- Basic resources
- Data collection
- Search and analysis
- Dashboards
- Alerts
- Data processing
- Consumption and delivery
- Data import
With the following policy, an IAM user can view information about all log projects under the current account.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "tls:DescribeProjects" ],
      "Resource": [ "trn:tls:*:*:project/*" ]
    }
  ]
}
```
With the following policy, an IAM user can manage all log projects and log topics under the current account, including creating, querying, deleting and updating log topics and log projects.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateProject", "tls:CreateTopic", "tls:PutLogs", "tls:WebTracks",
        "tls:DeleteTopic", "tls:ModifyTopic", "tls:DescribeDownloadTasks",
        "tls:DescribeShards", "tls:DescribeTopic", "tls:DescribeTopics",
        "tls:DeleteProject", "tls:ModifyProject", "tls:DescribeProject",
        "tls:DescribeConsumerGroups", "tls:DescribeProjects", "tls:DescribeRules"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```
The access key used by a LogCollector collection configuration needs at least the following permissions.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "tls:PutLogs", "tls:GetLogCollectorConfig", "tls:LogCollectorHeartbeat" ],
      "Resource": [ "*" ]
    }
  ]
}
```
With the following policy, an IAM user can manage Trace instances, write collected trace data into the corresponding log topic, and search and analyze trace data through the API.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateIndex", "tls:CreateTopic", "tls:PutLogs", "tls:ModifyIndex",
        "tls:ModifyTopic", "tls:DescribeTopic", "tls:CreateTraceInstance",
        "tls:ModifyTraceInstance", "tls:DeleteTraceInstance",
        "tls:DescribeTraceInstance", "tls:DescribeTraceInstances", "tls:SearchLogs"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```
With the following policy, an IAM user can manage collection configurations and machine groups: list log projects and log topics; create, delete, modify and query collection configurations or machine groups; and bind or unbind collection configurations to machine groups.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "tls:DescribeProjects", "tls:DescribeProject", "tls:DescribeTopics", "tls:DescribeTopic" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateRule", "tls:DeleteRule", "tls:ModifyRule", "tls:DescribeRule",
        "tls:DescribeRules", "tls:ApplyRuleToHostGroups", "tls:DeleteRuleFromHostGroups",
        "tls:CreateHostGroup", "tls:DeleteHostGroup", "tls:ModifyHostGroup",
        "tls:DescribeHostGroup", "tls:DescribeHostGroups", "tls:DescribeHosts",
        "tls:DeleteHost", "tls:DescribeHostGroupRules", "tls:ModifyHostGroupsAutoUpdate",
        "tls:DeleteAbnormalHosts"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```
With the following policy, an IAM user can search log data through the OpenAPI or the console. This example restricts the IAM user to searching and analyzing only the log topic 6b30****4888 in the log project c425****83d7 in the Beijing region (cn-beijing); the wildcard resource in the other two statements covers only listing projects and topics and managing saved searches.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "tls:DescribeProjects", "tls:DescribeProject", "tls:DescribeTopics", "tls:DescribeTopic" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "tls:SearchLogs", "tls:DescribeIndex", "tls:DescribeSavedSearches",
        "tls:DescribeHistogram", "tls:DescribeHistogramV1"
      ],
      "Resource": [ "trn:tls:cn-beijing:21****96:project/c425****83d7/topic/6b30****4888" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "tls:CreateSavedSearch", "tls:DescribeSavedSearches", "tls:DeleteSavedSearch" ],
      "Resource": [ "*" ]
    }
  ]
}
```
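A simplified policy checker, added here as an example and not part of Volcengine's documentation or SDK: it answers "does this policy allow action X on TRN Y?" using glob matching on the Allow statements (Deny and Condition are not modelled, which is an assumption), and lists mutating actions granted on `Resource: "*"` so a topic-scoped policy like the one above can be distinguished from the account-wide ones. The account, project and topic IDs are constructed sample values.

```python
import fnmatch
import json

# Constructed sample policy with the same shape as the topic-scoped search example:
# wildcard resource only for listing, SearchLogs limited to one topic TRN.
SCOPED_SEARCH_POLICY = json.loads("""
{ "Statement": [
  { "Effect": "Allow",
    "Action": [ "tls:DescribeProjects", "tls:DescribeTopics" ],
    "Resource": [ "*" ] },
  { "Effect": "Allow",
    "Action": [ "tls:SearchLogs", "tls:DescribeIndex" ],
    "Resource": [ "trn:tls:cn-beijing:123456789012:project/proj-a/topic/topic-a" ] }
] }
""")

# Constructed account-wide policy, like the project/topic management example.
FULL_PROJECT_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": ["tls:CreateProject", "tls:DeleteProject", "tls:DescribeProjects"],
    "Resource": ["*"]}]}

# Action-name prefixes treated as state-changing for the least-privilege review.
MUTATING_PREFIXES = ("Create", "Delete", "Modify", "Put", "Apply", "Retry",
                     "Cancel", "Enable", "Disable", "ManualTrigger")


def _glob(pattern, value):
    # Case-sensitive glob: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource TRN."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_glob(a, action) for a in stmt.get("Action", [])) and \
           any(_glob(r, resource) for r in stmt.get("Resource", [])):
            return True
    return False


def audit_wildcard_writes(policy):
    """Return mutating actions that an Allow statement grants on Resource '*'."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in stmt.get("Resource", []):
            continue
        for action in stmt.get("Action", []):
            if action.split(":", 1)[-1].startswith(MUTATING_PREFIXES):
                findings.append(action)
    return findings
```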
With the following policy, an IAM user has the search-related permissions: managing indexes, searching logs and downloading logs.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "tls:DescribeProjects", "tls:DescribeProject", "tls:DescribeTopics", "tls:DescribeTopic" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "tls:DescribeIndex", "tls:CreateIndex", "tls:DeleteIndex", "tls:ModifyIndex",
        "tls:SearchLogs", "tls:DescribeHistogram", "tls:DescribeHistogramV1",
        "tls:DescribeLogContext"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateDownloadTask", "tls:DescribeDownloadTasks",
        "tls:DescribeDownloadUrl", "tls:CancelDownloadTask"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "tls:CreateSavedSearch", "tls:DescribeSavedSearches", "tls:DeleteSavedSearch" ],
      "Resource": [ "*" ]
    }
  ]
}
```
With the following policy, an IAM user can use the TLS Copilot feature.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateAppInstance", "tls:DescribeAppInstances", "tls:CreateAppSceneMeta",
        "tls:DescribeAppSceneMetas", "tls:ModifyAppSceneMetaReq", "tls:DeleteAppSceneMeta",
        "tls:DescribeSessionAnswer"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```
With the following policy, an IAM user can manage all dashboards under the current account, including creating, deleting, modifying and querying dashboards.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateDashboard", "tls:DeleteDashboard", "tls:ModifyDashboard",
        "tls:DescribeDashboard", "tls:DescribeDashboards"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```
With the following policy, an IAM user can manage all alert policies and notification groups under the current account, including querying log projects and log topics, and creating, deleting, modifying and querying alert policies and notification groups.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:DescribeProjects", "tls:DescribeProject", "tls:DescribeTopics",
        "tls:DescribeTopic", "tls:SearchLogs"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateAlarmNotifyGroup", "tls:DeleteAlarmNotifyGroup", "tls:DescribeAlarmNotifyGroups",
        "tls:ModifyAlarmNotifyGroup", "tls:DescribeAlarmNotifyGroup", "tls:CreateAlarm",
        "tls:DeleteAlarm", "tls:DescribeAlarms", "tls:DescribeAlarm", "tls:ModifyAlarm",
        "tls:DescribeAlarmLogs", "tls:ManualTriggerAlarm", "tls:DescribeManualTriggerAlarmTask",
        "tls:ModifyAlarmIncident", "tls:DescribeAlarmIncident", "tls:DisableAlarm", "tls:EnableAlarm",
        "tls:CreateAlarmContentTemplate", "tls:DeleteAlarmContentTemplate",
        "tls:DescribeAlarmContentTemplates", "tls:ModifyAlarmContentTemplate",
        "tls:CreateAlarmWebhookIntegration", "tls:DeleteAlarmWebhookIntegration",
        "tls:DescribeAlarmWebhookIntegrations", "tls:ModifyAlarmWebhookIntegration"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```
With the following policy, an IAM user can manage all data processing (ETL) tasks under the current account, including querying log projects and log topics, and creating, deleting, modifying and querying data processing tasks.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:DescribeProjects", "tls:DescribeProject", "tls:DescribeTopics",
        "tls:DescribeTopic", "tls:SearchLogs"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateETLTask", "tls:DeleteETLTask", "tls:DescribeETLFunctions",
        "tls:DescribeETLLogDataInfo", "tls:DescribeETLPreviewDataInfo", "tls:DescribeETLTask",
        "tls:DescribeETLTasks", "tls:ModifyETLTask", "tls:ModifyETLTaskStatus"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```
With the following policy, an IAM user can operate the TOS delivery (shipper) feature: query log projects and log topics, and create, modify, query, delete and retry delivery tasks.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "tls:DescribeProjects", "tls:DescribeTopics", "iam:Createrole", "tos:ListBuckets" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateShipper", "tls:DeleteShipper", "tls:DescribeShipper", "tls:DescribeShipperTasks",
        "tls:DescribeShippers", "tls:ModifyShipper", "tls:RetryShipperTask"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```
With the following policy, an IAM user can manage all data import tasks under the current account, including querying log projects and log topics, and creating, deleting, modifying and querying data import tasks.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tls:DescribeProjects", "tls:DescribeProject", "tls:DescribeTopics",
        "tls:DescribeTopic", "tos:ListBuckets", "tos:ListBucket"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "tls:CreateImportTask", "tls:DeleteImportTask", "tls:DescribeImportTask",
        "tls:DescribeImportTasks", "tls:ModifyImportTask", "tls:PreviewImportTask"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```