Custom permission policy examples
Last updated: 2024.09.24 18:39:30  First published: 2023.05.30 17:38:56

Before using Log Service through an IAM user, you must first grant that IAM user the relevant access permissions from your Volcano Engine account. Log Service supports custom permission policies; this document gives example custom access policies for common Log Service scenarios.

Feature module           | Access policy examples
Basic resources          | View log project information; Manage log projects and log topics
Data collection          | Access key for collection configuration; Collect trace data; Manage collection configurations and host groups
Search and analysis      | Search and analyze logs; All permissions for the search module; TLS Copilot
Dashboards               | Manage dashboards
Alarms                   | Manage alarm policies and notification groups
Data processing          | Manage data processing tasks
Consumption and shipping | TOS shipping management permissions on all log topics
Data import              | Data import

Basic resources

View log project information

Once granted the following permission policy, an IAM user can view information about all log projects under the current account.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:DescribeProjects"
            ],
            "Resource": [
                "trn:tls:*:*:project/*"
            ]
        }
    ]
}

Manage log projects and log topics

Once granted the following permission policy, an IAM user can manage all log projects and log topics under the current account, including creating, querying, deleting and updating log topics and log projects.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateProject",
                "tls:CreateTopic",
                "tls:PutLogs",
                "tls:WebTracks",
                "tls:DeleteTopic",
                "tls:ModifyTopic",
                "tls:DescribeDownloadTasks",
                "tls:DescribeShards",
                "tls:DescribeTopic",
                "tls:DescribeTopics",
                "tls:DeleteProject",
                "tls:ModifyProject",
                "tls:DescribeProject",
                "tls:DescribeConsumerGroups",
                "tls:DescribeProjects",
                "tls:DescribeRules"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Data collection

Access key for collection configuration

The access key used for LogCollector collection configuration must have at least the following permissions.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:PutLogs",
                "tls:GetLogCollectorConfig",
                "tls:LogCollectorHeartbeat"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Collect trace data

Once granted the following permission policy, an IAM user can manage Trace instances, write collected trace data into the corresponding log topic, and search and analyze trace data through the API.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateIndex",
                "tls:CreateTopic",
                "tls:PutLogs",
                "tls:ModifyIndex",
                "tls:ModifyTopic",
                "tls:DescribeTopic",
                "tls:CreateTraceInstance",
                "tls:ModifyTraceInstance",
                "tls:DeleteTraceInstance",
                "tls:DescribeTraceInstance",
                "tls:DescribeTraceInstances",
                "tls:SearchLogs"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Manage collection configurations and host groups

Once granted the following permission policy, an IAM user can manage collection configurations and host groups, including listing log projects and log topics; creating, deleting, modifying and querying collection configurations or host groups; and binding collection configurations to, or unbinding them from, host groups.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:DescribeProjects",
                "tls:DescribeProject",
                "tls:DescribeTopics",
                "tls:DescribeTopic"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateRule",
                "tls:DeleteRule",
                "tls:ModifyRule",
                "tls:DescribeRule",
                "tls:DescribeRules",
                "tls:ApplyRuleToHostGroups",
                "tls:DeleteRuleFromHostGroups",
                "tls:CreateHostGroup",
                "tls:DeleteHostGroup",
                "tls:ModifyHostGroup",
                "tls:DescribeHostGroup",
                "tls:DescribeHostGroups",
                "tls:DescribeHosts",
                "tls:DeleteHost",
                "tls:DescribeHostGroupRules",
                "tls:ModifyHostGroupsAutoUpdate",
                "tls:DeleteAbnormalHosts"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Search and analysis

Search and analyze logs

Once granted the following permission policy, an IAM user can search log data through the OpenAPI or the console. This example restricts the IAM user to searching and analyzing only the log topic 6b30****4888 in the log project c425****83d7 in the Beijing region.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:DescribeProjects",
                "tls:DescribeProject",
                "tls:DescribeTopics",
                "tls:DescribeTopic"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:SearchLogs",
                "tls:DescribeIndex",
                "tls:DescribeSavedSearches",
                "tls:DescribeHistogram",
                "tls:DescribeHistogramV1"
            ],
            "Resource": [
                "trn:tls:cn-beijing:21****96:project/c425****83d7/topic/6b30****4888"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateSavedSearch",
                "tls:DescribeSavedSearches",
                "tls:DeleteSavedSearch"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
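The second statement above is the one policy on this page whose Resource is narrowed to a single log topic TRN rather than "*". The following is an added example, not code from the Volcano Engine documentation or Log Service itself: a minimal Python evaluator for this policy shape that shows the scoped statement permitting tls:SearchLogs on that one topic and nothing else, plus a least-privilege check that lists non-Describe actions granted on Resource "*". It assumes glob-style "*" matching, case-sensitive names and default deny, and uses constructed TRNs because the page's own IDs are masked.

```python
import fnmatch

# Added example, not part of the Volcano Engine docs. Assumptions: "*" is a glob
# wildcard in Action and Resource, matching is case-sensitive, there is no
# explicit Deny, and anything no statement allows is denied (default deny).

# Constructed TRNs in the page's format:
#   trn:tls:<region>:<account id>:project/<project id>/topic/<topic id>
# The page's real IDs are masked (c425****83d7), so placeholders are used here.
TOPIC_A = "trn:tls:cn-beijing:2100000096:project/c425a/topic/6b30a"
TOPIC_B = "trn:tls:cn-beijing:2100000096:project/c425a/topic/ffff0"

# Same shape as the scoped search policy on this page, with TOPIC_A as the target.
SCOPED_SEARCH_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["tls:DescribeProjects", "tls:DescribeProject",
                    "tls:DescribeTopics", "tls:DescribeTopic"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["tls:SearchLogs", "tls:DescribeIndex",
                    "tls:DescribeHistogram", "tls:DescribeHistogramV1"],
         "Resource": [TOPIC_A]},
    ]
}


def _matches(patterns, value):
    # True if any pattern (possibly containing "*") matches the value exactly.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Default deny: True only if some Allow statement matches action and resource."""
    return any(
        stmt.get("Effect") == "Allow"
        and _matches(stmt.get("Action", []), action)
        and _matches(stmt.get("Resource", []), resource)
        for stmt in policy["Statement"]
    )


def unscoped_actions(policy):
    """Least-privilege check: non-Describe actions granted on Resource "*"."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in stmt.get("Resource", []):
            found.update(a for a in stmt["Action"] if not a.startswith("tls:Describe"))
    return sorted(found)


if __name__ == "__main__":
    print(is_allowed(SCOPED_SEARCH_POLICY, "tls:SearchLogs", TOPIC_A))  # True
    print(is_allowed(SCOPED_SEARCH_POLICY, "tls:SearchLogs", TOPIC_B))  # False
```

Running unscoped_actions over the page's "manage log projects and log topics" policy lists its create, delete and modify actions, which is the expected trade-off for an administrative policy but worth confirming before attaching it to a user.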

All permissions for the search module

Once granted the following permission policy, an IAM user has all search-related permissions, including managing indexes, searching logs and downloading logs.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:DescribeProjects",
                "tls:DescribeProject",
                "tls:DescribeTopics",
                "tls:DescribeTopic"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:DescribeIndex",
                "tls:CreateIndex",
                "tls:DeleteIndex",
                "tls:ModifyIndex",
                "tls:SearchLogs",
                "tls:DescribeHistogram",
                "tls:DescribeHistogramV1",
                "tls:DescribeLogContext"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateDownloadTask",
                "tls:DescribeDownloadTasks",
                "tls:DescribeDownloadUrl",
                "tls:CancelDownloadTask"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateSavedSearch",
                "tls:DescribeSavedSearches",
                "tls:DeleteSavedSearch"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

TLS Copilot

Once granted the following permission policy, an IAM user can use the TLS Copilot feature.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateAppInstance",
                "tls:DescribeAppInstances",
                "tls:CreateAppSceneMeta",
                "tls:DescribeAppSceneMetas",
                "tls:ModifyAppSceneMetaReq",
                "tls:DeleteAppSceneMeta",
                "tls:DescribeSessionAnswer"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Dashboards

Manage dashboards

Once granted the following permission policy, an IAM user can manage all dashboards under the current account, including creating, deleting, modifying and querying dashboards.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateDashboard",
                "tls:DeleteDashboard",
                "tls:ModifyDashboard",
                "tls:DescribeDashboard",
                "tls:DescribeDashboards"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Alarms

Manage alarm policies and notification groups

Once granted the following permission policy, an IAM user can manage all alarm policies and notification groups under the current account, including querying log projects and log topics, and creating, deleting, modifying and querying alarm policies and notification groups.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:DescribeProjects",
                "tls:DescribeProject",
                "tls:DescribeTopics",
                "tls:DescribeTopic",
                "tls:SearchLogs"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateAlarmNotifyGroup",
                "tls:DeleteAlarmNotifyGroup",
                "tls:DescribeAlarmNotifyGroups",
                "tls:ModifyAlarmNotifyGroup",
                "tls:DescribeAlarmNotifyGroup",
                "tls:CreateAlarm",
                "tls:DeleteAlarm",
                "tls:DescribeAlarms",
                "tls:DescribeAlarm",
                "tls:ModifyAlarm",
                "tls:DescribeAlarmLogs",
                "tls:ManualTriggerAlarm",
                "tls:DescribeManualTriggerAlarmTask",
                "tls:ModifyAlarmIncident",
                "tls:DescribeAlarmIncident",
                "tls:DisableAlarm",
                "tls:EnableAlarm",
                "tls:CreateAlarmContentTemplate",
                "tls:DeleteAlarmContentTemplate",
                "tls:DescribeAlarmContentTemplates",
                "tls:ModifyAlarmContentTemplate",
                "tls:CreateAlarmWebhookIntegration",
                "tls:DeleteAlarmWebhookIntegration",
                "tls:DescribeAlarmWebhookIntegrations",
                "tls:ModifyAlarmWebhookIntegration"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Data processing

Manage data processing tasks

Once granted the following permission policy, an IAM user can manage all data processing (ETL) tasks under the current account, including querying log projects and log topics, and creating, deleting, modifying and querying data processing tasks.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:DescribeProjects",
                "tls:DescribeProject",
                "tls:DescribeTopics",
                "tls:DescribeTopic",
                "tls:SearchLogs"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateETLTask",
                "tls:DeleteETLTask",
                "tls:DescribeETLFunctions",
                "tls:DescribeETLLogDataInfo",
                "tls:DescribeETLPreviewDataInfo",
                "tls:DescribeETLTask",
                "tls:DescribeETLTasks",
                "tls:ModifyETLTask",
                "tls:ModifyETLTaskStatus"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Consumption and shipping

TOS shipping management permissions on all log topics

Once granted the following permission policy, an IAM user can use the TOS shipping feature, including querying log projects and log topics, and creating, modifying, querying, deleting and retrying shipping tasks.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:DescribeProjects",
                "tls:DescribeTopics",
                "iam:Createrole",
                "tos:ListBuckets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateShipper",
                "tls:DeleteShipper",
                "tls:DescribeShipper",
                "tls:DescribeShipperTasks",
                "tls:DescribeShippers",
                "tls:ModifyShipper",
                "tls:RetryShipperTask"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Data import

Once granted the following permission policy, an IAM user can manage all data import tasks under the current account, including querying log projects and log topics, and creating, deleting, modifying and querying data import tasks.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "tls:DescribeProjects",
                "tls:DescribeProject",
                "tls:DescribeTopics",
                "tls:DescribeTopic",
                "tos:ListBuckets",
                "tos:ListBucket"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "tls:CreateImportTask",
                "tls:DeleteImportTask",
                "tls:DescribeImportTask",
                "tls:DescribeImportTasks",
                "tls:ModifyImportTask",
                "tls:PreviewImportTask"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}