- Release Notes and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Resource Management
- Permission Management
- Log Collection
- Collection Overview
- Collection by LogListener
- Uploading Logs via Kafka
- Uploading Logs via Logback Appender
- Uploading Logs via Loghub log4j Appender
- Collection via SDK
- Importing Data
- Tencent Cloud Service Log Access
- Log Storage
- Log Search and Analytic
- Overview and Syntax Rules
- Configuring Indexes
- Analysis Syntax
- Analytic Functions
- String Function
- Date and Time Function
- IP Geographic Function
- URL Function
- Mathematical Calculation Function
- Mathematical Statistical Function
- General Aggregate Function
- Geospatial Function
- Binary String Function
- Estimation Function
- Type Conversion Function
- Logical Function
- Operator
- Bitwise Operation
- Regular Expression Function
- Lambda Function
- Conditional Expressions
- Array Function
- Interval-Valued Comparison and Periodicity-Valued Comparison Functions
- JSON Functions
- Window Functions
- Quick Analysis
- Context Search and Analysis
- Downloading Log
- Dashboard
- Log Shipping
- Monitoring Alarm
- Function Processing
- Historical Documentation
- Best Practices
- Developer Guide
- API Documentation
- History
- API Category
- Making API Requests
- Log Topic APIs
- Logset APIs
- Topic Partition APIs
- Collection APIs
- Index APIs
- Log APIs
- Alarm Policy APIs
- Collection Configuration APIs
- COS Shipping Task APIs
- CKafka Shipping Task APIs
- Native Kafka Production and Consumption APIs
- Data Types
- Error Codes
- CLS API 2017
- Request Signature
- API Overview
- Collection Configuration
- Consumption Management
- Common Request Headers
- Common Response Headers
- Log Management
- Logset Management
- Log Topic Management
- Shipping Task Management (COS)
- Shipping Task Management (SCF)
- Shipping Task Management (CKafka)
- Machine Group Management
- Consumption Management
- Index Management
- Error Codes
- FAQs
- Service Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Resource Management
- Permission Management
- Log Collection
- Collection Overview
- Collection by LogListener
- Uploading Logs via Kafka
- Uploading Logs via Logback Appender
- Uploading Logs via Loghub log4j Appender
- Collection via SDK
- Importing Data
- Tencent Cloud Service Log Access
- Log Storage
- Log Search and Analytic
- Overview and Syntax Rules
- Configuring Indexes
- Analysis Syntax
- Analytic Functions
- String Function
- Date and Time Function
- IP Geographic Function
- URL Function
- Mathematical Calculation Function
- Mathematical Statistical Function
- General Aggregate Function
- Geospatial Function
- Binary String Function
- Estimation Function
- Type Conversion Function
- Logical Function
- Operator
- Bitwise Operation
- Regular Expression Function
- Lambda Function
- Conditional Expressions
- Array Function
- Interval-Valued Comparison and Periodicity-Valued Comparison Functions
- JSON Functions
- Window Functions
- Quick Analysis
- Context Search and Analysis
- Downloading Log
- Dashboard
- Log Shipping
- Monitoring Alarm
- Function Processing
- Historical Documentation
- Best Practices
- Developer Guide
- API Documentation
- History
- API Category
- Making API Requests
- Log Topic APIs
- Logset APIs
- Topic Partition APIs
- Collection APIs
- Index APIs
- Log APIs
- Alarm Policy APIs
- Collection Configuration APIs
- COS Shipping Task APIs
- CKafka Shipping Task APIs
- Native Kafka Production and Consumption APIs
- Data Types
- Error Codes
- CLS API 2017
- Request Signature
- API Overview
- Collection Configuration
- Consumption Management
- Common Request Headers
- Common Response Headers
- Log Management
- Logset Management
- Log Topic Management
- Shipping Task Management (COS)
- Shipping Task Management (SCF)
- Shipping Task Management (CKafka)
- Machine Group Management
- Consumption Management
- Index Management
- Error Codes
- FAQs
- Service Agreement
- Contact Us
- Glossary
CLS Permission Overview
Last updated: 2022-02-21 12:26:48
This document introduces the authorization policies for CLS features and corresponding management and read-only permissions. You can configure the corresponding authorization policy statements based on the CLS features to be authorized.
Authorization Directions
You need to perform 3 steps: use the root account (CompanyExample) to create a custom policy, grant the sub-account (Developer) all permissions for the log topic (TopicA), and then access CLS using the sub-account (Developer). The procedure for creating a custom policy using the root account is as follows:
- Log in to the CAM console as the root account (
CompanyExample). - On the left sidebar, click Policies to go to the policy management page.
- Click Create Custom Policy.
- In the pop-up window, select Create by Policy Syntax.
- On the Create by Policy Syntax page, select Blank Template and click Next.
- On the policy editing page, set the policy name and content, and click Done.
For example, you can set the policy name toCLS-TopicA-Access. Configure the policy content by referring to the following:
Authorization Policy Statements for Data Collection
Authorize the minimum permission for log upload via LogListener
{
"version": "2.0",
"statement": [
{
"action": [
"cls:pushlog",
"cls:listLogset",
"cls:getConfig",
"cls:agentHeartBeat"
],
"resource": "*",
"effect": "allow"
}
]
}
Configure LogListener collection rules
Management permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "action": [ "cls:DescribeLogsets", "cls:DescribeConfigs", "cls:ModifyConfig", "cls:DescribeIndex", "cls:DescribeIndex", "cls:ModifyIndex" ], "resource": [ "*" ], "effect": "allow" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "action": [ "cls:DescribeLogsets", "cls:DescribeConfigs", "cls:ModifyConfig", "cls:DescribeIndex", "cls:DescribeIndex", "cls:ModifyIndex" ], "resource": [ "*" ], "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } }, "effect": "allow" } ] }
Read-only permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "action": [ "cls:DescribeLogsets", "cls:DescribeConfigs", "cls:DescribeIndex", "cls:DescribeIndex" ] "resource": [ "*" ], "effect": "allow" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeConfigs", "cls:DescribeIndex", "cls:DescribeIndex" ], "resource": [ "*" ], "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } } ] }
Authorize the minimum permission for log upload via API
{
"version": "2.0",
"statement": [
{
"action": [
"cls:CreateTopic",
"cls:CreateLogset",
"cls:UploadLog",
],
"resource": "*",
"effect": "allow"
}
]
}
Authorization Policy Statements for Search and Analysis
Log search via console
Management permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeAsyncContextResult", "cls:DescribeAsyncSearchResult", "cls:DescribeExports", "cls:DescribeIndex", "cls:DescribeLatestJsonLog", "cls:DescribeLogContext", "cls:DescribeLogFastAnalysis", "cls:DescribeLogHistogram", "cls:DescribePartitions", "cls:DescribeTopics", "cls:GetFastAnalysis", "cls:GetHistogram", "cls:GetLog", "cls:SearchLog", "cls:ShowContext", "cls:getIndex", "cls:getLogset", "cls:getTopic", "cls:searchLog", "cls:DescribeAsyncContextTasks", "cls:DescribeAsyncSearchTasks", "cls:DescribeLogsets", "cls:listLogset", "cls:listTopic", "cls:listPartitions", "cls:CreateAsyncContextTask", "cls:CreateAsyncSearchTask", "cls:CreateExport", "cls:CreateIndex", "cls:DeleteAsyncContextTask", "cls:DeleteAsyncSearchTask", "cls:DeleteExport", "cls:DeleteIndex", "cls:DeleteLogset", "cls:DeleteTopic", "cls:MergePartition", "cls:ModifyIndex", "cls:ModifyLogset", "cls:ModifyTopic", "cls:SplitPartition", "cls:deleteLogset", "cls:deleteTopic", "cls:downloadLog", "cls:modifyIndex", "cls:modifyLogset", "cls:modifyTopic", "cls:updatePartition", "cls:GetDeliverFunction", "cls:CreateLogset", "cls:CreateTopic", "cls:createLogset", "cls:createTopic" ], "resource": [ "*" ] } ] }Authorization for log topics with a specified tag
Note:During configuration, you also need to bind tags to log topics and logsets.
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeAsyncContextResult", "cls:DescribeAsyncSearchResult", "cls:DescribeExports", "cls:DescribeIndex", "cls:DescribeLatestJsonLog", "cls:DescribeLogContext", "cls:DescribeLogFastAnalysis", "cls:DescribeLogHistogram", "cls:DescribePartitions", "cls:DescribeTopics", "cls:GetFastAnalysis", "cls:GetHistogram", "cls:GetLog", "cls:SearchLog", "cls:ShowContext", "cls:getIndex", "cls:getLogset", "cls:getTopic", "cls:searchLog", "cls:DescribeAsyncContextTasks", "cls:DescribeAsyncSearchTasks", "cls:DescribeLogsets", "cls:listLogset", "cls:listTopic", "cls:listPartitions", "cls:CreateAsyncContextTask", "cls:CreateAsyncSearchTask", "cls:CreateExport", "cls:CreateIndex", "cls:DeleteAsyncContextTask", "cls:DeleteAsyncSearchTask", "cls:DeleteExport", "cls:DeleteIndex", "cls:DeleteLogset", "cls:DeleteTopic", "cls:MergePartition", "cls:ModifyIndex", "cls:ModifyLogset", "cls:ModifyTopic", "cls:SplitPartition", "cls:deleteLogset", "cls:deleteTopic", "cls:downloadLog", "cls:modifyIndex", "cls:modifyLogset", "cls:modifyTopic", "cls:updatePartition", "cls:GetDeliverFunction" ], "resource": [ "*" ], "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "testCAM&test1" ] } } } ] }
Read-only permission
Authorization for log topics with a specified tag
Note:During configuration, you also need to bind tags to log topics and logsets.
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeAsyncContextResult", "cls:DescribeAsyncSearchResult", "cls:DescribeExports", "cls:DescribeIndex", "cls:DescribeLatestJsonLog", "cls:DescribeLogContext", "cls:DescribeLogFastAnalysis", "cls:DescribeLogHistogram", "cls:DescribePartitions", "cls:DescribeTopics", "cls:GetFastAnalysis", "cls:GetHistogram", "cls:GetLog", "cls:SearchLog", "cls:ShowContext", "cls:getIndex", "cls:getLogset", "cls:getTopic", "cls:searchLog", "cls:DescribeAsyncContextTasks", "cls:DescribeAsyncSearchTasks", "cls:DescribeLogsets", "cls:listLogset", "cls:listTopic", "cls:listPartitions" ], "resource": [ "*" ], "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } } ] }Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeAsyncContextResult", "cls:DescribeAsyncSearchResult", "cls:DescribeExports", "cls:DescribeIndex", "cls:DescribeLatestJsonLog", "cls:DescribeLogContext", "cls:DescribeLogFastAnalysis", "cls:DescribeLogHistogram", "cls:DescribePartitions", "cls:DescribeTopics", "cls:GetFastAnalysis", "cls:GetHistogram", "cls:GetLog", "cls:SearchLog", "cls:ShowContext", "cls:getIndex", "cls:getLogset", "cls:getTopic", "cls:searchLog", "cls:DescribeAsyncContextTasks", "cls:DescribeAsyncSearchTasks", "cls:DescribeLogsets", "cls:listLogset", "cls:listTopic", "cls:listPartitions" ], "resource": [ "*" ] } ] }
Visual dashboard
Management permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:GetChart", "cls:GetDashboard", "cls:ListChart", "cls:CreateChart", "cls:CreateDashboard", "cls:DeleteChart", "cls:DeleteDashboard", "cls:ModifyChart", "cls:ModifyDashboard", "cls:ListDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:SearchLog", "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:GetChart", "cls:GetDashboard", "cls:ListChart", "cls:CreateChart", "cls:DeleteChart", "cls:DeleteDashboard", "cls:ModifyChart", "cls:ModifyDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:ListDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:SearchLog", "cls:DescribeTopics" ], "resource": [ "*" ], "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } } ] }
Read-only permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:GetChart", "cls:GetDashboard", "cls:ListChart" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:ListDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:SearchLog", "cls:DescribeTopics" ], "resource": "*" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:GetChart", "cls:GetDashboard", "cls:ListChart" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:ListDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:SearchLog", "cls:DescribeTopics" ], "resource": [ "*" ], "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } } ] }
Authorization Policy Statements for Monitoring Alarms
Management permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeTopics" ], "resource": [ "*" ] }, { "effect": "allow", "action": [ "cls:DescribeAlarms", "cls:CreateAlarm", "cls:ModifyAlarm", "cls:DeleteAlarm", "cls:DescribeAlarmNotices", "cls:CreateAlarmNotice", "cls:ModifyAlarmNotice", "cls:DeleteAlarmNotice", "cam:ListGroups", "cam:DescribeSubAccountContacts", "cls:GetAlarmLog", "cls:DescribeAlertRecordHistory", "cls:CheckAlarmRule", "cls:CheckAlarmChannel" ], "resource": "*" } ] }Authorization for log topics with a specified tag (monitoring alarms currently do not fully support permission management by tag)
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeTopics" ], "resource": [ "*" ], "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "testCAM&test1" ] } } }, { "effect": "allow", "action": [ "cls:DescribeAlarms", "cls:CreateAlarm", "cls:ModifyAlarm", "cls:DeleteAlarm", "cls:DescribeAlarmNotices", "cls:CreateAlarmNotice", "cls:ModifyAlarmNotice", "cls:DeleteAlarmNotice", "cam:ListGroups", "cam:DescribeSubAccountContacts", "cls:GetAlarmLog", "cls:DescribeAlertRecordHistory", "cls:CheckAlarmRule", "cls:CheckAlarmChannel" ], "resource": "*" } ] }
Read-only permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeTopics" ], "resource": [ "*" ] }, { "effect": "allow", "action": [ "cls:DescribeAlarms", "cls:DescribeAlarmNotices", "cls:GetAlarmLog", "cls:DescribeAlertRecordHistory", "cam:ListGroups", "cam:DescribeSubAccountContacts" ], "resource": "*" } ] }Authorization for log topics with a specified tag (monitoring alarms currently do not fully support permission management by tag)
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeTopics" ], "resource": [ "*" ], "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "testCAM&test1" ] } } }, { "effect": "allow", "action": [ "cls:DescribeAlarms", "cls:DescribeAlarmNotices", "cls:GetAlarmLog", "cls:DescribeAlertRecordHistory", "cam:ListGroups", "cam:DescribeSubAccountContacts" ], "resource": "*" } ] }
Authorization Policy Statements for Data Shipping
Shipping to CKafka
Management permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "ckafka:DescribeInstances", "ckafka:DescribeTopic", "ckafka:DescribeInstanceAttributes", "cls:modifyConsumer", "cls:getConsumer" ], "resource": "*" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "age&13", "name&vinson" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "ckafka:DescribeInstances", "ckafka:DescribeTopic", "ckafka:DescribeInstanceAttributes", "cls:modifyConsumer", "cls:getConsumer" ], "resource": "*" } ] }
Read-only permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "ckafka:DescribeInstances", "ckafka:DescribeTopic", "ckafka:DescribeInstanceAttributes", "cls:getConsumer" ], "resource": "*" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "ckafka:DescribeInstances", "ckafka:DescribeTopic", "ckafka:DescribeInstanceAttributes", "cls:getConsumer" ], "resource": "*" } ] }
Shipping to COS
Management permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets", "cls:DescribeIndex" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cls:CreateShipper", "cls:ModifyShipper", "cls:DescribeShippers", "cls:DeleteShipper", "cls:DescribeShipperTasks", "cls:RetryShipperTask", "cam:ListAttachedRolePolicies", "cos:GetService", ], "resource": "*" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets", "cls:DescribeIndex" ], "resource": "*", "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cls:CreateShipper", "cls:ModifyShipper", "cls:DescribeShippers", "cls:DeleteShipper", "cls:DescribeShipperTasks", "cls:RetryShipperTask", "cam:ListAttachedRolePolicies", "cos:GetService", ], "resource": "*" } ] }
Read-only permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cls:DescribeShippers", "cls:DescribeShipperTasks", "cls:RetryShipperTask", "cam:ListAttachedRolePolicies" ], "resource": "*" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cls:DescribeShippers", "cls:DescribeShipperTasks", "cls:RetryShipperTask", "cam:ListAttachedRolePolicies" ], "resource": "*" } ] }
Shipping to SCF
Management permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "cls:CreateDeliverFunction", "cls:DeleteDeliverFunction", "cls:ModifyDeliverFunction", "cls:GetDeliverFunction", "scf:ListFunctions", "scf:ListAliases", "scf:ListVersionByFunction" ], "resource": "*" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "cls:CreateDeliverFunction", "cls:DeleteDeliverFunction", "cls:ModifyDeliverFunction", "cls:GetDeliverFunction", "scf:ListFunctions", "scf:ListAliases", "scf:ListVersionByFunction" ], "resource": "*" } ] }
Read-only permission
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "cls:GetDeliverFunction", "scf:ListFunctions", "scf:ListAliases", "scf:ListVersionByFunction" ], "resource": "*" } ] }Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "cls:GetDeliverFunction", "scf:ListFunctions", "scf:ListAliases", "scf:ListVersionByFunction" ], "resource": "*" } ] }
Authorization Policy Statements for Developers
Permission to display on Grafana
Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:searchLog" ], "resource": [ "*" ] } ] }Authorization for log topics of a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:searchLog" ], "resource": [ "*" ], "condition": { "for_any_value:string_equal": { "qcs:resource_tag": [ "testCAM&test1" ] } } } ] }
Yes
No
Was this page helpful?