- User Tutorial
- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Resource Management
- Log Collection
- Log Storage
- Log Search
- Log Analysis
- Log Shipping
- Log Consumption
- Permission Management
- CAM Access Authorization
- Resource List
- Action List
- Granting a Sub-account Permissions for CLS
- CLS Permission Overview
- Granting a Sub-account Full Permissions for CLS Resources
- Granting a Sub-account Read-only Permission for CLS Resources
- Granting a Sub-account Permissions for Embedded CLS Console
- Granting a Sub-account Full Permissions for a CLS Log Topic
- Granting a Sub-account Read-only Permission for a CLS Log Topic
- Granting a Sub-account Permissions to Collect Logs for a CLS Log Topic
- Monitoring Alarm
- Function Processing
- Developer Guide
- API Documentation
- History
- API Category
- Making API Requests
- Log Topic APIs
- Logset APIs
- Topic Partition APIs
- Collection APIs
- Index APIs
- Log APIs
- Alarm Policy APIs
- Collection Configuration APIs
- Shipping APIs
- Data Types
- Error Codes
- CLS API 2017
- FAQs
- Service Level Agreement
- Notices
- Appendix
- Contact Us
- Glossary
- User Tutorial
- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Resource Management
- Log Collection
- Log Storage
- Log Search
- Log Analysis
- Log Shipping
- Log Consumption
- Permission Management
- CAM Access Authorization
- Resource List
- Action List
- Granting a Sub-account Permissions for CLS
- CLS Permission Overview
- Granting a Sub-account Full Permissions for CLS Resources
- Granting a Sub-account Read-only Permission for CLS Resources
- Granting a Sub-account Permissions for Embedded CLS Console
- Granting a Sub-account Full Permissions for a CLS Log Topic
- Granting a Sub-account Read-only Permission for a CLS Log Topic
- Granting a Sub-account Permissions to Collect Logs for a CLS Log Topic
- Monitoring Alarm
- Function Processing
- Developer Guide
- API Documentation
- History
- API Category
- Making API Requests
- Log Topic APIs
- Logset APIs
- Topic Partition APIs
- Collection APIs
- Index APIs
- Log APIs
- Alarm Policy APIs
- Collection Configuration APIs
- Shipping APIs
- Data Types
- Error Codes
- CLS API 2017
- FAQs
- Service Level Agreement
- Notices
- Appendix
- Contact Us
- Glossary
This document introduces the authorization policies for CLS features and corresponding management and read-only permissions. You can configure the corresponding authorization policy statements based on the CLS features to be authorized.
Authorization Directions
You need to perform 3 steps: use the root account (CompanyExample) to create a custom policy, grant the sub-account (Developer) all permissions for the log topic (TopicA), and then access CLS using the sub-account (Developer). The procedure for creating a custom policy using the root account is as follows:
- Log in to the CAM console as the root account (
CompanyExample). - On the left sidebar, click Policies to go to the policy management page.
- Click Create Custom Policy.
- In the pop-up window, select Create by Policy Syntax.
- On the Create by Policy Syntax page, select Blank Template and click Next.
- On the policy editing page, set the policy name and content, and click Done.
For example, you can set the policy name toCLS-TopicA-Access. Configure the policy content by referring to the following:
Authorization Policy Statements for Data Collection
Authorize the minimum permission for log upload via LogListener
{
"version": "2.0",
"statement": [
{
"action": [
"cls:pushlog",
"cls:listLogset",
"cls:getConfig",
"cls:agentHeartBeat"
],
"resource": "*",
"effect": "allow"
}
]
}
Configure LogListener collection rules
Management permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "action": [ "cls:DescribeLogsets", "cls:DescribeConfigs", "cls:ModifyConfig", "cls:DescribeIndex", "cls:DescribeIndex", "cls:ModifyIndex" ], "resource": [ "*" ], "effect": "allow" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "action": [ "cls:DescribeLogsets", "cls:DescribeConfigs", "cls:ModifyConfig", "cls:DescribeIndex", "cls:DescribeIndex", "cls:ModifyIndex" ], "resource": [ "*" ], "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } }, "effect": "allow" } ] }
Read-only permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "action": [ "cls:DescribeLogsets", "cls:DescribeConfigs", "cls:DescribeIndex", "cls:DescribeIndex" ] "resource": [ "*" ], "effect": "allow" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeConfigs", "cls:DescribeIndex", "cls:DescribeIndex" ], "resource": [ "*" ], "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } } ] }
Authorize the minimum permission for log upload via API
{
"version": "2.0",
"statement": [
{
"action": [
"cls:CreateTopic",
"cls:CreateLogset",
"cls:UploadLog",
],
"resource": "*",
"effect": "allow"
}
]
}
Authorization Policy Statements for Search and Analysis
Log search via console
Management permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeAsyncContextResult", "cls:DescribeAsyncSearchResult", "cls:DescribeExports", "cls:DescribeIndex", "cls:DescribeLatestJsonLog", "cls:DescribeLogContext", "cls:DescribeLogFastAnalysis", "cls:DescribeLogHistogram", "cls:DescribePartitions", "cls:DescribeTopics", "cls:GetFastAnalysis", "cls:GetHistogram", "cls:GetLog", "cls:SearchLog", "cls:ShowContext", "cls:getIndex", "cls:getLogset", "cls:getTopic", "cls:searchLog", "cls:DescribeAsyncContextTasks", "cls:DescribeAsyncSearchTasks", "cls:DescribeLogsets", "cls:listLogset", "cls:listTopic", "cls:listPartitions", "cls:CreateAsyncContextTask", "cls:CreateAsyncSearchTask", "cls:CreateExport", "cls:CreateIndex", "cls:DeleteAsyncContextTask", "cls:DeleteAsyncSearchTask", "cls:DeleteExport", "cls:DeleteIndex", "cls:DeleteLogset", "cls:DeleteTopic", "cls:MergePartition", "cls:ModifyIndex", "cls:ModifyLogset", "cls:ModifyTopic", "cls:SplitPartition", "cls:deleteLogset", "cls:deleteTopic", "cls:downloadLog", "cls:modifyIndex", "cls:modifyLogset", "cls:modifyTopic", "cls:updatePartition", "cls:GetDeliverFunction", "cls:CreateLogset", "cls:CreateTopic", "cls:createLogset", "cls:createTopic" ], "resource": [ "*" ] } ] } - Authorization for log topics with a specified tag
Note:
During configuration, you also need to bind tags to log topics and logsets.
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeAsyncContextResult", "cls:DescribeAsyncSearchResult", "cls:DescribeExports", "cls:DescribeIndex", "cls:DescribeLatestJsonLog", "cls:DescribeLogContext", "cls:DescribeLogFastAnalysis", "cls:DescribeLogHistogram", "cls:DescribePartitions", "cls:DescribeTopics", "cls:GetFastAnalysis", "cls:GetHistogram", "cls:GetLog", "cls:SearchLog", "cls:ShowContext", "cls:getIndex", "cls:getLogset", "cls:getTopic", "cls:searchLog", "cls:DescribeAsyncContextTasks", "cls:DescribeAsyncSearchTasks", "cls:DescribeLogsets", "cls:listLogset", "cls:listTopic", "cls:listPartitions", "cls:CreateAsyncContextTask", "cls:CreateAsyncSearchTask", "cls:CreateExport", "cls:CreateIndex", "cls:DeleteAsyncContextTask", "cls:DeleteAsyncSearchTask", "cls:DeleteExport", "cls:DeleteIndex", "cls:DeleteLogset", "cls:DeleteTopic", "cls:MergePartition", "cls:ModifyIndex", "cls:ModifyLogset", "cls:ModifyTopic", "cls:SplitPartition", "cls:deleteLogset", "cls:deleteTopic", "cls:downloadLog", "cls:modifyIndex", "cls:modifyLogset", "cls:modifyTopic", "cls:updatePartition", "cls:GetDeliverFunction" ], "resource": [ "*" ], "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "testCAM&test1" ] } } } ] }
Read-only permission
- Authorization for log topics with a specified tag
Note:
During configuration, you also need to bind tags to log topics and logsets.
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeAsyncContextResult", "cls:DescribeAsyncSearchResult", "cls:DescribeExports", "cls:DescribeIndex", "cls:DescribeLatestJsonLog", "cls:DescribeLogContext", "cls:DescribeLogFastAnalysis", "cls:DescribeLogHistogram", "cls:DescribePartitions", "cls:DescribeTopics", "cls:GetFastAnalysis", "cls:GetHistogram", "cls:GetLog", "cls:SearchLog", "cls:ShowContext", "cls:getIndex", "cls:getLogset", "cls:getTopic", "cls:searchLog", "cls:DescribeAsyncContextTasks", "cls:DescribeAsyncSearchTasks", "cls:DescribeLogsets", "cls:listLogset", "cls:listTopic", "cls:listPartitions" ], "resource": [ "*" ], "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } } ] } - Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeAsyncContextResult", "cls:DescribeAsyncSearchResult", "cls:DescribeExports", "cls:DescribeIndex", "cls:DescribeLatestJsonLog", "cls:DescribeLogContext", "cls:DescribeLogFastAnalysis", "cls:DescribeLogHistogram", "cls:DescribePartitions", "cls:DescribeTopics", "cls:GetFastAnalysis", "cls:GetHistogram", "cls:GetLog", "cls:SearchLog", "cls:ShowContext", "cls:getIndex", "cls:getLogset", "cls:getTopic", "cls:searchLog", "cls:DescribeAsyncContextTasks", "cls:DescribeAsyncSearchTasks", "cls:DescribeLogsets", "cls:listLogset", "cls:listTopic", "cls:listPartitions" ], "resource": [ "*" ] } ] }
Visual dashboard
Management permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:GetChart", "cls:GetDashboard", "cls:ListChart", "cls:CreateChart", "cls:CreateDashboard", "cls:DeleteChart", "cls:DeleteDashboard", "cls:ModifyChart", "cls:ModifyDashboard", "cls:ListDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:SearchLog", "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:GetChart", "cls:GetDashboard", "cls:ListChart", "cls:CreateChart", "cls:DeleteChart", "cls:DeleteDashboard", "cls:ModifyChart", "cls:ModifyDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:ListDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:SearchLog", "cls:DescribeTopics" ], "resource": [ "*" ], "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } } ] }
Read-only permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:GetChart", "cls:GetDashboard", "cls:ListChart" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:ListDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:SearchLog", "cls:DescribeTopics" ], "resource": "*" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:GetChart", "cls:GetDashboard", "cls:ListChart" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:ListDashboard" ], "resource": "*" }, { "effect": "allow", "action": [ "cls:SearchLog", "cls:DescribeTopics" ], "resource": [ "*" ], "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } } ] }
Authorization Policy Statements for Monitoring Alarms
Management permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeTopics" ], "resource": [ "*" ] }, { "effect": "allow", "action": [ "cls:DescribeAlarms", "cls:CreateAlarm", "cls:ModifyAlarm", "cls:DeleteAlarm", "cls:DescribeAlarmNotices", "cls:CreateAlarmNotice", "cls:ModifyAlarmNotice", "cls:DeleteAlarmNotice", "cam:ListGroups", "cam:DescribeSubAccountContacts" ], "resource": "*" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeTopics" ], "resource": [ "*" ], "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "cls:DescribeAlarms", "cls:CreateAlarm", "cls:ModifyAlarm", "cls:DeleteAlarm", "cls:DescribeAlarmNotices", "cls:CreateAlarmNotice", "cls:ModifyAlarmNotice", "cls:DeleteAlarmNotice", "cam:ListGroups", "cam:DescribeSubAccountContacts" ], "resource": "*" } ] }
Read-only permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeTopics" ], "resource": [ "*" ] }, { "effect": "allow", "action": [ "cls:DescribeAlarms", "cls:DescribeAlarmNotices", "cls:GetAlarmLog" ], "resource": [ "*" ] } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeLogsets", "cls:DescribeTopics" ], "resource": [ "*" ], "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "cls:DescribeAlarms", "cls:DescribeAlarmNotices", "cls:GetAlarmLog" ], "resource": [ "*" ] } ] }
Authorization Policy Statements for Data Shipping
Shipping to CKafka
Management permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "ckafka:DescribeInstances", "ckafka:DescribeTopic", "ckafka:DescribeInstanceAttributes", "cls:modifyConsumer", "cls:getConsumer" ], "resource": "*" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "age&13", "name&vinson" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "ckafka:DescribeInstances", "ckafka:DescribeTopic", "ckafka:DescribeInstanceAttributes", "cls:modifyConsumer", "cls:getConsumer" ], "resource": "*" } ] }
Read-only permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "ckafka:DescribeInstances", "ckafka:DescribeTopic", "ckafka:DescribeInstanceAttributes", "cls:getConsumer" ], "resource": "*" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "ckafka:DescribeInstances", "ckafka:DescribeTopic", "ckafka:DescribeInstanceAttributes", "cls:getConsumer" ], "resource": "*" } ] }
Shipping to COS
Management permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets", "cls:DescribeIndex" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cls:CreateShipper", "cls:ModifyShipper", "cls:DescribeShippers", "cls:DeleteShipper", "cls:DescribeShipperTasks", "cls:RetryShipperTask", "cam:ListAttachedRolePolicies", "cos:GetService", ], "resource": "*" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets", "cls:DescribeIndex" ], "resource": "*", "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cls:CreateShipper", "cls:ModifyShipper", "cls:DescribeShippers", "cls:DeleteShipper", "cls:DescribeShipperTasks", "cls:RetryShipperTask", "cam:ListAttachedRolePolicies", "cos:GetService", ], "resource": "*" } ] }
Read-only permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cls:DescribeShippers", "cls:DescribeShipperTasks", "cls:RetryShipperTask", "cam:ListAttachedRolePolicies" ], "resource": "*" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cls:DescribeShippers", "cls:DescribeShipperTasks", "cls:RetryShipperTask", "cam:ListAttachedRolePolicies" ], "resource": "*" } ] }
Shipping to SCF
Management permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "cls:CreateDeliverFunction", "cls:DeleteDeliverFunction", "cls:ModifyDeliverFunction", "cls:GetDeliverFunction", "scf:ListFunctions", "scf:ListAliases", "scf:ListVersionByFunction" ], "resource": "*" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "cls:CreateDeliverFunction", "cls:DeleteDeliverFunction", "cls:ModifyDeliverFunction", "cls:GetDeliverFunction", "scf:ListFunctions", "scf:ListAliases", "scf:ListVersionByFunction" ], "resource": "*" } ] }
Read-only permission
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*" }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "cls:GetDeliverFunction", "scf:ListFunctions", "scf:ListAliases", "scf:ListVersionByFunction" ], "resource": "*" } ] } - Authorization for log topics with a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:DescribeTopics", "cls:DescribeLogsets" ], "resource": "*", "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "key&value" ] } } }, { "effect": "allow", "action": [ "tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys", "tag:DescribeTagValues", "cam:ListAttachedRolePolicies", "cls:GetDeliverFunction", "scf:ListFunctions", "scf:ListAliases", "scf:ListVersionByFunction" ], "resource": "*" } ] }
Authorization Policy Statements for Developers
Permission to display on Grafana
- Authorization for all log topics
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:searchLog" ], "resource": [ "*" ] } ] } - Authorization for log topics of a specified tag
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cls:searchLog" ], "resource": [ "*" ], "condition":{ "for_any_value:string_equal": { "qcs:resource_tag": [ "testCAM&test1" ] } } } ] }
Yes
No
Was this page helpful?