tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Cloud Log Service
    Documentation
    Download PDF

    Permission Description

    Last updated: 2022-04-18 15:46:05
    Download PDF

      To enable CLS to ship logs to Cloud Object Storage (COS) or CKafka, you need to grant CLS the COS or CKafka write permission. That is, you need to grant the QcloudCOSAccessForCLSRole or QcloudCKAFKAAccessForCLSRole policy permission to the unique service role CLS_QcsRole of CLS.

      This document describes how to grant collaborators or sub-accounts the permission to configure shipping tasks.

      Granting Permissions in the Console

      To enable collaborators or sub-accounts to configure a shipping task in the CLS console, you need to use the root account to grant them the necessary permissions as shown below:

      Permission Description Use Case
      CLS preset policy: QcloudCLSFullAccess The permission for collaborator or sub-account to operate CLS The collaborator or sub-account must be authorized to operate CLS and configure shipping tasks
      CAM preset policy: QcloudCamSubaccountsAuthorizeRoleFullAccess The permission for collaborator or sub-account to authorize the service role When shipping logs to COS or CKafka, the collaborator or sub-account needs to confirm that the role is authorized with the CLS write permission to COS or CKafka, i.e., grant the service role CLS_QcsRole the policy permission QcloudCOSAccessForCLSRole or QcloudCKAFKAAccessForCLSRole
      COS API permission: GetService (or preset policy: QcloudCOSReadOnlyAccess) The permission for collaborator or sub-account to obtain the COS bucket lists To configure a task for shipping to COS in the CLS console, the collaborator or sub-account needs to obtain the COS bucket list, and then selects the destination bucket
      CKafka API permission: ListInstance, ListTopic (or preset policy: QcloudCkafkaReadOnlyAccess) The permission for collaborator or sub-account to obtain CKafka resource list To configure a task for shipping to CKafka in the CLS console, the collaborator or sub-account needs to obtain the CKafka resource list, and then selects the target CKafka instance topic

      Authorization by root account

      1. Log in to the CAM console with the root account and choose Users > User List on the left sidebar.

      2. On the User List page, click the target username to go to the user details page.

      3. On the user details page, select Associate Policy.

      4. In the User Permissions step on the Add Policy page, click Select policies from the policy list.

      5. Select the preset policies, including QcloudCLSFullAccess, QcloudCamSubaccountsAuthorizeRoleFullAccess, QcloudCOSReadOnlyAccess, or QcloudCkafkaReadOnlyAccess, for the collaborator or sub-account.

        Note

        The root account must complete the authorization process. Otherwise, the collaborator or sub-account cannot configure shipping tasks properly.

      6. Click Next.

      7. Confirm the configuration in the Review step and click OK.

      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      tencent
      Copyright © 2013-2022 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy