The sub-account Developer of the master account CompanyExample needs to have permission to view the log topic TopicA (including log search, analysis, dashboard and alarm) under CompanyExample via the console and API.
You need to perform 3 steps: first use master account CompanyExample to create a custom policy and grant sub-account Developer permission to view the log topic TopicA, and then, use sub-account Developer to access CLS services.
Use the master account to create a custom policy
{
"version": "2.0",
"statement": [
{
"action": [
"cls:get*",
"cls:list*",
"cls:GetHistogram",
"cls:GetFastAnalysis",
"cls:GetChart",
"cls:GetDashboard",
"cls:searchLog",
"cls:downloadLog",
"cls:pullLogs",
"cls:GetAccount",
"cls:GetResource",
"cls:GetAlarm"
],
"resource": "qcs::cls:ap-shanghai:uin/100004375281:topic/3ea3ea1c-64ad-47af-b92a-75a98d123456",
"effect": "allow"
},
{
"effect": "allow",
"action": [
"monitor:Get*",
"monitor:Describe*",
"cam:ListAttachedRolePolicies",
"cls:list*"
],
"resource": "*"
}
]
}
Note:
Replace the
resource
field with your actual region, master account UIN, and log topic ID.
Authorize by the master account
Access by the sub-account
The sub-account Developer can access CLS services via both the console and API. To make API calls, you need to provide UIN of master account CompanyExample, together with SecretId and SecretKey of sub-account Developer. See Access Key for sub-account API key.
Was this page helpful?