This document introduces the authorization policies for CLS features and corresponding management and read-only permissions. You can configure the corresponding authorization policy statements based on the CLS features to be authorized.
You need to perform 3 steps: use the root account (CompanyExample
) to create a custom policy, grant the sub-account (Developer
) all permissions for the log topic (TopicA
), and then access CLS using the sub-account (Developer
). The procedure for creating a custom policy using the root account is as follows:
CompanyExample
).CLS-TopicA-Access
. Configure the policy content by referring to the following:{
"version": "2.0",
"statement": [
{
"action": [
"cls:pushlog",
"cls:listLogset",
"cls:getConfig",
"cls:agentHeartBeat"
],
"resource": "*",
"effect": "allow"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"action": [
"cls:DescribeLogsets",
"cls:DescribeConfigs",
"cls:ModifyConfig",
"cls:DescribeIndex",
"cls:DescribeIndex",
"cls:ModifyIndex"
],
"resource": [
"*"
],
"effect": "allow"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"action": [
"cls:DescribeLogsets",
"cls:DescribeConfigs",
"cls:ModifyConfig",
"cls:DescribeIndex",
"cls:DescribeIndex",
"cls:ModifyIndex"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
},
"effect": "allow"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"action": [
"cls:DescribeLogsets",
"cls:DescribeConfigs",
"cls:DescribeIndex",
"cls:DescribeIndex"
]
"resource": [
"*"
],
"effect": "allow"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeConfigs",
"cls:DescribeIndex",
"cls:DescribeIndex"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}
{
"version": "2.0",
"statement": [
{
"action": [
"cls:CreateTopic",
"cls:CreateLogset",
"cls:UploadLog",
],
"resource": "*",
"effect": "allow"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeAsyncContextResult",
"cls:DescribeAsyncSearchResult",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeLatestJsonLog",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLogHistogram",
"cls:DescribePartitions",
"cls:DescribeTopics",
"cls:GetFastAnalysis",
"cls:GetHistogram",
"cls:GetLog",
"cls:SearchLog",
"cls:ShowContext",
"cls:getIndex",
"cls:getLogset",
"cls:getTopic",
"cls:searchLog",
"cls:DescribeAsyncContextTasks",
"cls:DescribeAsyncSearchTasks",
"cls:DescribeLogsets",
"cls:listLogset",
"cls:listTopic",
"cls:listPartitions",
"cls:CreateAsyncContextTask",
"cls:CreateAsyncSearchTask",
"cls:CreateExport",
"cls:CreateIndex",
"cls:DeleteAsyncContextTask",
"cls:DeleteAsyncSearchTask",
"cls:DeleteExport",
"cls:DeleteIndex",
"cls:DeleteLogset",
"cls:DeleteTopic",
"cls:MergePartition",
"cls:ModifyIndex",
"cls:ModifyLogset",
"cls:ModifyTopic",
"cls:SplitPartition",
"cls:deleteLogset",
"cls:deleteTopic",
"cls:downloadLog",
"cls:modifyIndex",
"cls:modifyLogset",
"cls:modifyTopic",
"cls:updatePartition",
"cls:GetDeliverFunction",
"cls:CreateLogset",
"cls:CreateTopic",
"cls:createLogset",
"cls:createTopic"
],
"resource": [
"*"
]
}
]
}
Authorization for log topics with a specified tag
Note:During configuration, you also need to bind tags to log topics and logsets.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeAsyncContextResult",
"cls:DescribeAsyncSearchResult",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeLatestJsonLog",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLogHistogram",
"cls:DescribePartitions",
"cls:DescribeTopics",
"cls:GetFastAnalysis",
"cls:GetHistogram",
"cls:GetLog",
"cls:SearchLog",
"cls:ShowContext",
"cls:getIndex",
"cls:getLogset",
"cls:getTopic",
"cls:searchLog",
"cls:DescribeAsyncContextTasks",
"cls:DescribeAsyncSearchTasks",
"cls:DescribeLogsets",
"cls:listLogset",
"cls:listTopic",
"cls:listPartitions",
"cls:CreateAsyncContextTask",
"cls:CreateAsyncSearchTask",
"cls:CreateExport",
"cls:CreateIndex",
"cls:DeleteAsyncContextTask",
"cls:DeleteAsyncSearchTask",
"cls:DeleteExport",
"cls:DeleteIndex",
"cls:DeleteLogset",
"cls:DeleteTopic",
"cls:MergePartition",
"cls:ModifyIndex",
"cls:ModifyLogset",
"cls:ModifyTopic",
"cls:SplitPartition",
"cls:deleteLogset",
"cls:deleteTopic",
"cls:downloadLog",
"cls:modifyIndex",
"cls:modifyLogset",
"cls:modifyTopic",
"cls:updatePartition",
"cls:GetDeliverFunction"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"testCAM&test1"
]
}
}
}
]
}
Authorization for log topics with a specified tag
Note:During configuration, you also need to bind tags to log topics and logsets.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeAsyncContextResult",
"cls:DescribeAsyncSearchResult",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeLatestJsonLog",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLogHistogram",
"cls:DescribePartitions",
"cls:DescribeTopics",
"cls:GetFastAnalysis",
"cls:GetHistogram",
"cls:GetLog",
"cls:SearchLog",
"cls:ShowContext",
"cls:getIndex",
"cls:getLogset",
"cls:getTopic",
"cls:searchLog",
"cls:DescribeAsyncContextTasks",
"cls:DescribeAsyncSearchTasks",
"cls:DescribeLogsets",
"cls:listLogset",
"cls:listTopic",
"cls:listPartitions"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeAsyncContextResult",
"cls:DescribeAsyncSearchResult",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeLatestJsonLog",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLogHistogram",
"cls:DescribePartitions",
"cls:DescribeTopics",
"cls:GetFastAnalysis",
"cls:GetHistogram",
"cls:GetLog",
"cls:SearchLog",
"cls:ShowContext",
"cls:getIndex",
"cls:getLogset",
"cls:getTopic",
"cls:searchLog",
"cls:DescribeAsyncContextTasks",
"cls:DescribeAsyncSearchTasks",
"cls:DescribeLogsets",
"cls:listLogset",
"cls:listTopic",
"cls:listPartitions"
],
"resource": [
"*"
]
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart",
"cls:CreateChart",
"cls:CreateDashboard",
"cls:DeleteChart",
"cls:DeleteDashboard",
"cls:ModifyChart",
"cls:ModifyDashboard",
"cls:ListDashboard"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart",
"cls:CreateChart",
"cls:DeleteChart",
"cls:DeleteDashboard",
"cls:ModifyChart",
"cls:ModifyDashboard"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"cls:ListDashboard"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"cls:ListDashboard"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics"
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"cls:ListDashboard"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:CreateAlarm",
"cls:ModifyAlarm",
"cls:DeleteAlarm",
"cls:DescribeAlarmNotices",
"cls:CreateAlarmNotice",
"cls:ModifyAlarmNotice",
"cls:DeleteAlarmNotice",
"cam:ListGroups",
"cam:DescribeSubAccountContacts",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory",
"cls:CheckAlarmRule",
"cls:CheckAlarmChannel"
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag (monitoring alarms currently do not fully support permission management by tag)
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"testCAM&test1"
]
}
}
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:CreateAlarm",
"cls:ModifyAlarm",
"cls:DeleteAlarm",
"cls:DescribeAlarmNotices",
"cls:CreateAlarmNotice",
"cls:ModifyAlarmNotice",
"cls:DeleteAlarmNotice",
"cam:ListGroups",
"cam:DescribeSubAccountContacts",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory",
"cls:CheckAlarmRule",
"cls:CheckAlarmChannel"
],
"resource": "*"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:DescribeAlarmNotices",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory",
"cam:ListGroups",
"cam:DescribeSubAccountContacts"
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag (monitoring alarms currently do not fully support permission management by tag)
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"testCAM&test1"
]
}
}
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:DescribeAlarmNotices",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory",
"cam:ListGroups",
"cam:DescribeSubAccountContacts"
],
"resource": "*"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*",
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"ckafka:DescribeInstances",
"ckafka:DescribeTopic",
"ckafka:DescribeInstanceAttributes",
"cls:modifyConsumer",
"cls:getConsumer"
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"age&13",
"name&vinson"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"ckafka:DescribeInstances",
"ckafka:DescribeTopic",
"ckafka:DescribeInstanceAttributes",
"cls:modifyConsumer",
"cls:getConsumer"
],
"resource": "*"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"ckafka:DescribeInstances",
"ckafka:DescribeTopic",
"ckafka:DescribeInstanceAttributes",
"cls:getConsumer"
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"ckafka:DescribeInstances",
"ckafka:DescribeTopic",
"ckafka:DescribeInstanceAttributes",
"cls:getConsumer"
],
"resource": "*"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:DescribeIndex"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:CreateShipper",
"cls:ModifyShipper",
"cls:DescribeShippers",
"cls:DeleteShipper",
"cls:DescribeShipperTasks",
"cls:RetryShipperTask",
"cam:ListAttachedRolePolicies",
"cos:GetService",
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:DescribeIndex"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:CreateShipper",
"cls:ModifyShipper",
"cls:DescribeShippers",
"cls:DeleteShipper",
"cls:DescribeShipperTasks",
"cls:RetryShipperTask",
"cam:ListAttachedRolePolicies",
"cos:GetService",
],
"resource": "*"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets" ],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:DescribeShippers",
"cls:DescribeShipperTasks",
"cls:RetryShipperTask",
"cam:ListAttachedRolePolicies"
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets" ],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:DescribeShippers",
"cls:DescribeShipperTasks",
"cls:RetryShipperTask",
"cam:ListAttachedRolePolicies"
],
"resource": "*"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cls:CreateDeliverFunction",
"cls:DeleteDeliverFunction",
"cls:ModifyDeliverFunction",
"cls:GetDeliverFunction",
"scf:ListFunctions",
"scf:ListAliases",
"scf:ListVersionByFunction"
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cls:CreateDeliverFunction",
"cls:DeleteDeliverFunction",
"cls:ModifyDeliverFunction",
"cls:GetDeliverFunction",
"scf:ListFunctions",
"scf:ListAliases",
"scf:ListVersionByFunction"
],
"resource": "*"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cls:GetDeliverFunction",
"scf:ListFunctions",
"scf:ListAliases",
"scf:ListVersionByFunction"
],
"resource": "*"
}
]
}
Authorization for log topics with a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cls:GetDeliverFunction",
"scf:ListFunctions",
"scf:ListAliases",
"scf:ListVersionByFunction"
],
"resource": "*"
}
]
}
Authorization for all log topics
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:searchLog"
],
"resource": [
"*"
]
}
]
}
Authorization for log topics of a specified tag
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:searchLog"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"testCAM&test1"
]
}
}
}
]
}
Was this page helpful?