CLS Access Policy Templates

Last updated: 2025-11-18 11:23:07
When you use custom permission policies, you can start from the following policy templates according to your use case:
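| Module | Use case |
| --- | --- |
| Overall (best practice) | Use tags to classify topics, machine groups, and dashboards, and configure permissions by tag |
| Data collection | |
| Topic management and search and analysis | Use the console to view/manage topics and run search and analysis; Use the API for search and analysis |
| Dashboards | |
| Monitoring and alarms | |
| Data processing | Data transformation; Scheduled SQL analysis |
| Data shipping/consumption | Shipping to CKafka; Shipping to COS; Shipping to DLC; Shipping to Splunk; Shipping to SCF; Kafka protocol consumption; Metric shipping; Custom consumption |
| DataSight standalone console | Managing DataSight |
| Developers | Using CLS through Grafana |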

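Overall (best practice)

Use tags to classify topics, machine groups, and dashboards, and configure permissions by tag. A tag must be specified for each resource when it is created, and a user has management or read-only permissions only on resources that carry the specified tag. This makes it easy to manage multiple types of CLS resources in batches.

Management permissions on resources with a specified tag

Note:
Remove the comments from this policy before using it.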
{
"statement": [{
"action": [ //Required read-only permissions on related products
"monitor:GetMonitorData",
"monitor:DescribeBaseMetrics",
"cam:ListGroups",
"cam:GetGroup",
"cam:DescribeSubAccountContacts",
"cam:ListAttachedRolePolicies",
"cam:GetRole",
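"vpc:DescribeSubnetEx",//Required when creating a DataSight console with private network access
"vpc:DescribeVpcEx",//Required when creating a DataSight console with private network access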
"tag:TagResources",
"tag:DescribeResourceTagsByResourceIds",
"tag:GetTags",
"tag:GetTagKeys",
"tag:GetTagValues",
"kms:GetServiceStatus"
],
"effect": "allow",
"resource": "*"
},
{
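"action": [ //Requires the user to bind the specified tag (for example, testCAM:test1) when creating dashboards, logsets, topics, alarm policies, notification channel groups, machine groups, and DataSight consoles. Restricting tags when creating other resource types is not yet supported.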
"cls:CreateDashboard",
"cls:CreateLogset",
"cls:CreateTopic",
"cls:CreateAlarm",
"cls:CreateAlarmNotice",
"cls:CreateMachineGroup",
"cls:CreateConsole"
],
"condition": {
"for_any_value:string_equal": {
"qcs:request_tag": [
"testCAM&test1"
]
}
},
"effect": "allow",
"resource": "*"
},
{
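"action": [ //When a resource carries the specified tag, the user has permission for all related APIs (the API must support tag-based permission restriction).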
"cls:*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"testCAM&test1"
]
}
},
"effect": "allow",
"resource": "*"
},
{
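"action": [ //Some APIs do not support tag-based permission restriction, so their resource scope cannot be limited. The following APIs are mainly read operations; a few auxiliary APIs are write operations. None of them affects the security of the product's core data.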
"cls:CheckAlarmChannel",
"cls:CheckAlarmRule",
"cls:CheckDomainRepeat",
"cls:CheckFunction",
"cls:CheckRechargeKafkaServer",
"cls:DescribeClsPrePayDetails",
"cls:DescribeClsPrePayInfos",
"cls:DescribeConfigMachineGroups",
"cls:DescribeConfigs",
"cls:DescribeAgentConfigs",
"cls:DescribeTopicExtendConfig",
"cls:DescribeDataTransformFailLogInfo",
"cls:DescribeDataTransformInfo",
"cls:DescribeDataTransformPreviewDataInfo",
"cls:DescribeDataTransformPreviewInfo",
"cls:DescribeDataTransformProcessInfo",
"cls:DescribeDemonstrations",
"cls:DescribeExceptionResources",
"cls:DescribeExternalDataSourcePreview",
"cls:DescribeFunctions",
"cls:DescribeResources",
"cls:DescribeShipperPreview",
"cls:DescribeScheduledSqlProcessInfo",
"cls:DescribeConfigurationTemplates",
"cls:DescribeFolders",
"cls:GetClsService",
"cls:GetConfigurationTemplateApplyLog",
"cls:PreviewKafkaRecharge",
"cls:agentHeartBeat",
"cls:CreateDemonstrations",
"cls:DeleteDemonstrations",
"cls:DescribeNoticeContents",
"cls:DescribeWebCallbacks"
],
"effect": "allow",
"resource": "*"
},
{
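"action": [ //Some APIs do not support tag-based permission restriction, so their resource scope cannot be limited. The following APIs involve write operations on core features. Grant them only to the few users who need them, and delete any APIs that do not need to be granted.
"cls:RealtimeProducer", //Upload data using Kafka
"cls:CreateConfigurationTemplate", //Configuration template APIs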
"cls:ModifyConfigurationTemplate",
"cls:DeleteConfigurationTemplate",
"cls:CreateFolder",//Folder APIs
"cls:ModifyFolder",
"cls:DeleteFolder",
"cls:ModifyResourceAndFolderRelation",
"cls:CreateDataTransform",//Data transformation APIs
"cls:ModifyDataTransform",
"cls:DeleteDataTransform",
"cls:RetryShipperTask",//COS shipping APIs
"cls:ModifyDashboardSubscribeAck",//Dashboard subscription APIs
"cls:DeleteDashboardSubscribe",
"cls:ModifyConfigExtra",//Collection configuration APIs
"cls:DeleteConfigExtra",
"cls:RemoveMachine",//Machine group APIs
"cls:UpgradeAgentNormal",
"cls:CreateNoticeContent",//Alarm notification content template APIs
"cls:DeleteNoticeContent",
"cls:ModifyNoticeContent",
"cls:CreateWebCallback",//Alarm integration configuration APIs
"cls:ModifyWebCallback",
"cls:DeleteWebCallback"
],
"effect": "allow",
"resource": "*"
}
],
"version": "2.0"
}
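
The template above contains `//` comments that must be removed before use, and it mixes tag-scoped statements with statements that allow actions on every resource. The following Python helper is an added example, not part of the Tencent Cloud documentation: it strips the comments, verifies that the result is valid JSON, and reports which allow statements are unscoped and contain write-type actions. The function names, the `WRITE_PREFIXES` heuristic, and the shortened sample policy are assumptions made for this example.

```python
import json

# Action-name prefixes treated as write operations.
# This list is a heuristic assumed for this example, not a CAM definition.
WRITE_PREFIXES = ("Create", "Modify", "Delete", "Remove", "Retry",
                  "Upgrade", "Apply", "Merge", "Split", "Cancel")

# Constructed sample: a shortened variant of the tag-based template above.
SAMPLE = """{
  "statement": [
    {
      "action": [ // read-only helper permissions
        "tag:GetTags",
        "kms:GetServiceStatus"
      ],
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [ "cls:*" ], // all CLS actions, only on tagged resources
      "condition": {
        "for_any_value:string_equal": { "qcs:resource_tag": [ "testCAM&test1" ] }
      },
      "effect": "allow",
      "resource": "*"
    },
    {
      "action": [
        "cls:RealtimeProducer", // upload via Kafka
        "cls:DeleteDataTransform",
        "cls:ModifyWebCallback"
      ],
      "effect": "allow",
      "resource": "*"
    }
  ],
  "version": "2.0"
}"""


def strip_line_comments(text):
    """Remove // comments that sit outside JSON string literals."""
    out, in_string, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            # Skip to end of line; the newline is kept so error line numbers stay valid.
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def load_policy(text):
    """Strip comments and parse. Raises json.JSONDecodeError (with line and
    column) on syntax errors such as a trailing or missing comma."""
    return json.loads(strip_line_comments(text))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return one finding per allow statement: how it is scoped and which
    write-type or wildcard actions it grants without any scoping."""
    findings = []
    for index, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        actions = _as_list(stmt.get("action", []))
        resources = _as_list(stmt.get("resource", []))
        operators = [v for v in stmt.get("condition", {}).values() if isinstance(v, dict)]
        if any("qcs:resource_tag" in v or "qcs:request_tag" in v for v in operators):
            scope = "tag"
        elif resources and "*" not in resources:
            scope = "resource"
        else:
            scope = "unscoped"
        risky = []
        if scope == "unscoped":
            for action in actions:
                name = action.split(":", 1)[-1]
                if name == "*" or name.startswith(WRITE_PREFIXES):
                    risky.append(action)
        findings.append({"statement": index, "scope": scope, "unscoped_writes": risky})
    return findings


if __name__ == "__main__":
    for finding in audit(load_policy(SAMPLE)):
        print(finding)
```

Upload actions such as `cls:RealtimeProducer` do not match the prefix heuristic, so review unscoped statements by hand as well.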

Read-only permissions on resources with a specified tag

Note:
Remove the comments from this policy before using it.
{
"statement": [{
"action": [ //Required read-only permissions on related products
"monitor:GetMonitorData",
"monitor:DescribeBaseMetrics",
"cam:ListGroups",
"cam:GetGroup",
"cam:DescribeSubAccountContacts",
"cam:ListAttachedRolePolicies",
"tag:DescribeResourceTagsByResourceIds",
"tag:GetTags",
"tag:GetTagKeys",
"tag:GetTagValues"
],
"effect": "allow",
"resource": "*"
},
{
"action": [ //When a resource carries the specified tag, the user has permission for the related read-only APIs
"cls:DescribeConsumer",
"cls:DescribeConsumerPreview",
"cls:DescribeCosRecharges",
"cls:DescribeDashboardSubscribes",
"cls:DescribeDashboards",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeIndexs",
"cls:DescribeKafkaConsume",
"cls:DescribeKafkaConsumer",
"cls:DescribeKafkaRecharges",
"cls:DescribeLatestJsonLog",
"cls:DescribeLatestUserLog",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLogHistogram",
"cls:DescribeMachineGroupConfigs",
"cls:DescribeMachines",
"cls:DescribePartitions",
"cls:DescribeScheduledSqlInfo",
"cls:DescribeScheduledSqlProcessInfo",
"cls:DescribeShipperPreview",
"cls:DescribeTopics",
"cls:EstimateRebuildIndexTask",
"cls:GetAlarm",
"cls:GetAlarmLog",
"cls:GetMetricLabelValues",
"cls:GetMetricSeries",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryExemplars",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:SearchCosRechargeInfo",
"cls:SearchDashboardSubscribe",
"cls:SearchLog",
"cls:DescribeAlarmNotices",
"cls:DescribeAlarms",
"cls:DescribeAlertRecordHistory",
"cls:DescribeExternalDataSources",
"cls:DescribeLogsets",
"cls:DescribeMachineGroups",
"cls:DescribeConsoles",
"cls:DescribeShipperTasks",
"cls:DescribeShippers",
"cls:DescribeRebuildIndexTasks"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"testCAM&test1"
]
}
},
"effect": "allow",
"resource": "*"
},
{
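"action": [ //Some APIs do not support tag-based permission restriction, so their resource scope cannot be limited. The following APIs are mainly read operations; a few auxiliary APIs are write operations. None of them affects the security of the product's core data.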
"cls:CheckAlarmChannel",
"cls:CheckAlarmRule",
"cls:CheckDomainRepeat",
"cls:CheckFunction",
"cls:CheckRechargeKafkaServer",
"cls:DescribeClsPrePayDetails",
"cls:DescribeClsPrePayInfos",
"cls:DescribeConfigMachineGroups",
"cls:DescribeConfigs",
"cls:DescribeAgentConfigs",
"cls:DescribeTopicExtendConfig",
"cls:DescribeDataTransformFailLogInfo",
"cls:DescribeDataTransformInfo",
"cls:DescribeDataTransformPreviewDataInfo",
"cls:DescribeDataTransformPreviewInfo",
"cls:DescribeDataTransformProcessInfo",
"cls:DescribeDemonstrations",
"cls:DescribeExceptionResources",
"cls:DescribeExternalDataSourcePreview",
"cls:DescribeFunctions",
"cls:DescribeResources",
"cls:DescribeShipperPreview",
"cls:DescribeScheduledSqlProcessInfo",
"cls:DescribeConfigurationTemplates",
"cls:DescribeFolders",
"cls:GetClsService",
"cls:GetConfigurationTemplateApplyLog",
"cls:PreviewKafkaRecharge",
"cls:CreateDemonstrations",
"cls:DeleteDemonstrations",
"cls:CreateExport",
"cls:DeleteExport",
"cls:DescribeNoticeContents",
"cls:DescribeWebCallbacks"
],
"effect": "allow",
"resource": "*"
}
],
"version": "2.0"
}

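Data collection

Collecting data with LogListener

Users can collect data with the LogListener agent and are able to upload logs (this example shows the minimum permissions for a machine with LogListener installed to upload logs).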
{
"version": "2.0",
"statement": [{
"action": [
"cls:pushLog",
"cls:getConfig",
"cls:agentHeartBeat"
],
"resource": "*",
"effect": "allow"
}]
}
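Note
If you use a LogListener version earlier than 2.6.5, you also need to add the "cls:listLogset" permission.

Metric reporting

Users can report metric data using the Prometheus Remote Write protocol, or use any collector compatible with that protocol (such as vmagent and telegraf) to collect metrics and report them to a metric topic (this example shows the minimum permissions for metric reporting).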
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:MetricsRemoteWrite"
],
"resource": [
"*"
]
}
]
}

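Uploading data from self-built k8s

Users can use Logagent to collect log data from a self-built k8s environment and are able to upload it (this example shows the minimum permissions for uploading logs from self-built k8s).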
{
"version": "2.0",
"statement": [
{
"action": [
"cls:pushLog",
"cls:agentHeartBeat",
"cls:getConfig",
"cls:CreateConfig",
"cls:DeleteConfig",
"cls:ModifyConfig",
"cls:DescribeConfigs",
"cls:DescribeMachineGroupConfigs",
"cls:DeleteConfigFromMachineGroup",
"cls:ApplyConfigToMachineGroup",
"cls:DescribeConfigMachineGroups",
"cls:ModifyTopic",
"cls:DeleteTopic",
"cls:CreateTopic",
"cls:DescribeTopics",
"cls:CreateLogset",
"cls:DeleteLogset",
"cls:DescribeLogsets",
"cls:CreateIndex",
"cls:ModifyIndex",
"cls:CreateMachineGroup",
"cls:DeleteMachineGroup",
"cls:DescribeMachineGroups",
"cls:ModifyMachineGroup",
"cls:CreateConfigExtra",
"cls:DeleteConfigExtra",
"cls:ModifyConfigExtra"
],
"resource": "*",
"effect": "allow"
}
]
}

Uploading data with the API/SDK

Users can upload data to CLS through the API/SDK (this example shows the minimum permissions for uploading data with the API/SDK).
{
"version": "2.0",
"statement": [{
"action": [
"cls:pushLog",
"cls:UploadLog",
"cls:MetricsRemoteWrite"
],
"resource": "*",
"effect": "allow"
}]
}

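Uploading data with Kafka

Users can upload logs to CLS through the Kafka protocol (this example shows the minimum permissions for uploading logs with the Kafka protocol).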
{
"version": "2.0",
"statement": [{
"action": [
"cls:RealtimeProducer"
],
"resource": "*",
"effect": "allow"
}]
}

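Uploading data with cloud product metric subscription

Users can upload metrics to CLS through cloud product metric subscription (this example shows the minimum permissions required to configure cloud product metric subscription in the console).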
{
"version": "2.0",
"statement": [{
"action": [
"cls:CreateMetricSubscribe",
"cls:DescribeMetricCorrectDimension",
"cls:DescribeMetricSubscribePreview",
"monitor:DescribeBaseMetrics",
"monitor:DescribeProductList"
],
"resource": "*",
"effect": "allow"
}]
}

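Subscribing to MySQL Binlog logs

Users can subscribe MySQL Binlog logs to CLS (this example shows the minimum permissions required to configure a MySQL Binlog subscription task in the console).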
{
"version": "2.0",
"statement": [{
"action": [
"cls:CreateBinlogSubscribe",
"cls:DescribeBinlogSubscribes",
"cls:ModifyBinlogSubscribe",
"cls:DescribeBinlogSubscribeConnectivity",
"cls:DescribeBinlogSubscribePreview"
],
"resource": "*",
"effect": "allow"
}]
}

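Collecting data with Kafka subscription

Users can subscribe data from a Kafka cluster to CLS (this example shows the minimum permissions required to configure a Kafka subscription task in the console).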
{
"version": "2.0",
"statement": [{
"action": [
"cls:PreviewKafkaRecharge",
"cls:CreateKafkaRecharge",
"cls:ModifyKafkaRecharge"
],
"resource": "*",
"effect": "allow"
}]
}

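Uploading logs from FluentBit

Users can upload data from FluentBit to CLS through the Fluent-bit Go plugin (this example shows the minimum permissions for uploading data with the Fluent-bit Go plugin).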
{
"version": "2.0",
"statement": [{
"action": [
"cls:pushLog"
],
"resource": "*",
"effect": "allow"
}]
}

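Uploading logs from Logstash

Users can upload data from Logstash to CLS through the Logstash plugin (this example shows the minimum permissions for uploading data with the Logstash plugin).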
{
"version": "2.0",
"statement": [{
"action": [
"cls:pushLog"
],
"resource": "*",
"effect": "allow"
}]
}

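Managing collection configurations and machine groups

Includes creating/modifying/deleting collection configurations and creating/modifying/deleting machine groups.
Config APIs correspond to collection configuration resources.
MachineGroup APIs correspond to machine group resources.
The three ConfigExtra API permissions are used to manage the cluster configuration for uploading logs from self-built k8s; you can ignore them if you do not use that feature.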
{
"version": "2.0",
"statement": [{
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:CreateConfig",
"cls:DeleteConfig",
"cls:DescribeConfigs",
"cls:ModifyConfig",
"cls:CreateConfigExtra",
"cls:DeleteConfigExtra",
"cls:ModifyConfigExtra",
"cls:CreateMachineGroup",
"cls:DeleteMachineGroup",
"cls:DescribeMachineGroups",
"cls:DeleteConfigFromMachineGroup",
"cls:ApplyConfigToMachineGroup",
"cls:ModifyMachineGroup"
],
"resource": "*",
"effect": "allow"
}
]
}

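Topic management and search and analysis

Using the console to view/manage topics and run search and analysis

Management permissions: management permissions on all topics

Users can search and manage all topics, including creating topics, deleting topics, and modifying index configurations. Collection configuration, log shipping, and log transformation are not included.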
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:CreateLogset",
"cls:CreateTopic",
"cls:CreateExport",
"cls:CreateIndex",
"cls:DeleteLogset",
"cls:DeleteTopic",
"cls:DeleteExport",
"cls:DeleteIndex",
"cls:ModifyLogset",
"cls:ModifyTopic",
"cls:ModifyIndex",
"cls:MergePartition",
"cls:SplitPartition",
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeIndexs",
"cls:DescribePartitions",
"cls:SearchLog",
"cls:DescribeLogHistogram",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLatestJsonLog",
"cls:DescribeRebuildIndexTasks",
"cls:CreateRebuildIndexTask",
"cls:EstimateRebuildIndexTask",
"cls:CancelRebuildIndexTask",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"*"
]
}
]
}

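Management permissions: management permissions on specified topics

Users can search and manage the specified topics, including modifying topics, deleting topics, and modifying index configurations. Creating topics, collection configuration, log shipping, and log transformation are not included.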
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:CreateExport",
"cls:CreateIndex",
"cls:DeleteLogset",
"cls:DeleteTopic",
"cls:DeleteExport",
"cls:DeleteIndex",
"cls:ModifyLogset",
"cls:ModifyTopic",
"cls:ModifyIndex",
"cls:MergePartition",
"cls:SplitPartition",
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeIndexs",
"cls:DescribePartitions",
"cls:SearchLog",
"cls:DescribeLogHistogram",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLatestJsonLog",
"cls:DescribeRebuildIndexTasks",
"cls:CreateRebuildIndexTask",
"cls:EstimateRebuildIndexTask",
"cls:CancelRebuildIndexTask",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"qcs::cls:ap-guangzhou:100007***827:logset/1c012db7-2cfd-4418-****-7342c7a42516",
"qcs::cls:ap-guangzhou:100007***827:topic/380fe1f1-0c7b-4b0d-****-d514959db1bb"
]
}
]
}

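Management permissions: management permissions on topics with a specified tag

Users can search and manage topics that carry the specified tag, including modifying topics, deleting topics, and modifying index configurations. Creating topics, collection configuration, log shipping, and log transformation are not included. When you bind a tag to a topic, you must also bind the tag to the logset it belongs to.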
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:CreateExport",
"cls:CreateIndex",
"cls:DeleteLogset",
"cls:DeleteTopic",
"cls:DeleteExport",
"cls:DeleteIndex",
"cls:ModifyLogset",
"cls:ModifyTopic",
"cls:ModifyIndex",
"cls:MergePartition",
"cls:SplitPartition",
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeIndexs",
"cls:DescribePartitions",
"cls:SearchLog",
"cls:DescribeLogHistogram",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLatestJsonLog",
"cls:DescribeRebuildIndexTasks",
"cls:CreateRebuildIndexTask",
"cls:EstimateRebuildIndexTask",
"cls:CancelRebuildIndexTask",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"testCAM&test1"
]
}
}
}
]
}

Read-only permissions: read-only permissions on all topics

Users can search all topics.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeIndexs",
"cls:DescribePartitions",
"cls:SearchLog",
"cls:DescribeLogHistogram",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLatestJsonLog",
"cls:DescribeRebuildIndexTasks",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"*"
]
}
]
}

Read-only permissions: read-only permissions on specified topics

Users can search the specified topics.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeIndexs",
"cls:DescribePartitions",
"cls:SearchLog",
"cls:DescribeLogHistogram",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLatestJsonLog",
"cls:DescribeRebuildIndexTasks",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"qcs::cls:ap-guangzhou:100007***827:logset/1c012db7-2cfd-4418-****-7342c7a42516",
"qcs::cls:ap-guangzhou:100007***827:topic/380fe1f1-0c7b-4b0d-****-d514959db1bb"
]
}
]
}

Read-only permissions: read-only permissions on topics with a specified tag

Users can search topics that carry the specified tag.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:DescribeExports",
"cls:DescribeIndex",
"cls:DescribeIndexs",
"cls:DescribePartitions",
"cls:SearchLog",
"cls:DescribeLogHistogram",
"cls:DescribeLogContext",
"cls:DescribeLogFastAnalysis",
"cls:DescribeLatestJsonLog",
"cls:DescribeRebuildIndexTasks",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"testCAM&test1"
]
}
}
}
]
}

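Using the API for search and analysis

Read-only permissions: read-only search and analysis permissions on all topics

Users can run search and analysis on all topics through the API.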
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries",
"cls:MetricsRemoteRead"
],
"resource": [
"*"
]
}
]
}

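Read-only permissions: read-only search and analysis permissions on specified topics

Users can run search and analysis on the specified topics through the API.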
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries",
"cls:MetricsRemoteRead"
],
"resource": [
"qcs::cls:ap-guangzhou:100007***827:logset/1c012db7-2cfd-4418-****-7342c7a42516",
"qcs::cls:ap-guangzhou:100007***827:topic/380fe1f1-0c7b-4b0d-****-d514959db1bb"
]
}
]
}

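Read-only permissions: read-only search and analysis permissions on topics with a specified tag

Users can run search and analysis through the API on topics that carry the specified tag.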
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:MetricsLabelValues",
"cls:MetricsLabels",
"cls:MetricsQuery",
"cls:MetricsQueryRange",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries",
"cls:MetricsRemoteRead"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"testCAM&test1"
]
}
}
}
]
}

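Dashboards

Management permissions: management permissions on all dashboards

Users can manage all dashboards, including creating, deleting, editing, viewing, and subscribing to all dashboards. Dashboards can use data from all topics.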
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart",
"cls:CreateChart",
"cls:CreateDashboard",
"cls:DeleteChart",
"cls:DeleteDashboard",
"cls:ModifyChart",
"cls:ModifyDashboard",
"cls:DescribeDashboards",
"cls:CreateFolder",
"cls:DeleteFolder",
"cls:DescribeFolders",
"cls:ModifyFolder",
"cls:ModifyResourceAndFolderRelation",
"cls:SearchDashboardSubscribe",
"cls:CreateDashboardSubscribe",
"cls:ModifyDashboardSubscribe",
"cls:DescribeDashboardSubscribes",
"cls:DeleteDashboardSubscribe",
"cls:ModifyDashboardSubscribeAck"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics",
"cls:DescribeLogFastAnalysis",
"cls:DescribeIndex",
"cls:DescribeLogsets",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": "*"
}
]
}

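Management permissions: management permissions on dashboards with a specified tag

Users can manage dashboards with the specified tag, including creating, deleting, editing, viewing, and subscribing to dashboards that carry the specified tag. Dashboards can use data from topics with the specified tag.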
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart",
"cls:CreateChart",
"cls:CreateDashboard",
"cls:DeleteChart",
"cls:DeleteDashboard",
"cls:ModifyChart",
"cls:ModifyDashboard",
"cls:DescribeDashboards",
"cls:CreateFolder",
"cls:DeleteFolder",
"cls:DescribeFolders",
"cls:ModifyFolder",
"cls:ModifyResourceAndFolderRelation",
"cls:SearchDashboardSubscribe",
"cls:CreateDashboardSubscribe",
"cls:ModifyDashboardSubscribe",
"cls:DescribeDashboardSubscribes",
"cls:DeleteDashboardSubscribe",
"cls:ModifyDashboardSubscribeAck"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics",
"cls:DescribeLogFastAnalysis",
"cls:DescribeIndex",
"cls:DescribeLogsets",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}

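Management permissions: management permissions on specified dashboard resources

Users can manage the specified dashboards, including creating, deleting, editing, viewing, and subscribing to the specified dashboard resources. Dashboards can use data from the specified topics.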
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart",
"cls:CreateChart",
"cls:CreateDashboard",
"cls:DeleteChart",
"cls:DeleteDashboard",
"cls:ModifyChart",
"cls:ModifyDashboard",
"cls:DescribeDashboards",
"cls:CreateFolder",
"cls:DeleteFolder",
"cls:DescribeFolders",
"cls:ModifyFolder",
"cls:ModifyResourceAndFolderRelation",
"cls:SearchDashboardSubscribe",
"cls:CreateDashboardSubscribe",
"cls:ModifyDashboardSubscribe",
"cls:DescribeDashboardSubscribes",
"cls:DeleteDashboardSubscribe",
"cls:ModifyDashboardSubscribeAck"
],
"resource": [
"qcs::cls::uin/100000***001:dashboard/dashboard-0769a3ba-2514-409d-****-f65b20b23736"
]
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics",
"cls:DescribeLogFastAnalysis",
"cls:DescribeIndex",
"cls:DescribeLogsets",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"qcs::cls::uin/100000***001:topic/174ca473-50d0-4fdf-****-2ef681a1e02a"
]
}
]
}

Read-only permissions: read-only permissions on all dashboards

Users can view all dashboards. Dashboards can display data from all topics.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart",
"cls:DescribeDashboards",
"cls:DescribeFolders",
"cls:SearchDashboardSubscribe",
"cls:DescribeDashboardSubscribes"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics",
"cls:DescribeLogFastAnalysis",
"cls:DescribeIndex",
"cls:DescribeLogsets",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": "*"
}
]
}

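Read-only permissions: read-only permissions on dashboards with a specified tag

Users can view dashboard resources that carry the specified tag. Dashboards can display data from topics that carry the specified tag.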
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart",
"cls:DescribeDashboards",
"cls:DescribeFolders",
"cls:SearchDashboardSubscribe",
"cls:DescribeDashboardSubscribes"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics",
"cls:DescribeLogFastAnalysis",
"cls:DescribeIndex",
"cls:DescribeLogsets",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}

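Read-only permissions: read-only permissions on specified dashboard resources

Users can view the specified dashboards. Dashboards can display data from the specified topics.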
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:GetChart",
"cls:GetDashboard",
"cls:ListChart",
"cls:DescribeDashboards",
"cls:DescribeFolders",
"cls:SearchDashboardSubscribe",
"cls:DescribeDashboardSubscribes"
],
"resource": [
"qcs::cls::uin/100000***001:dashboard/dashboard-0769a3ba-2514-409d-****-f65b20b23736"
]
},
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics",
"cls:DescribeLogFastAnalysis",
"cls:DescribeIndex",
"cls:DescribeLogsets",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"qcs::cls::uin/100000***001:topic/174ca473-50d0-4fdf-****-2ef681a1e02a"
]
}
]
}

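Monitoring and alarms

Management permissions: management permissions on all alarm policies

Users can manage all alarm policies, including creating alarm policies, creating notification channel groups, and viewing alarm policies.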
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:SearchLog",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:CreateAlarm",
"cls:ModifyAlarm",
"cls:DeleteAlarm",
"cls:DescribeAlarmNotices",
"cls:CreateAlarmNotice",
"cls:ModifyAlarmNotice",
"cls:DeleteAlarmNotice",
"cam:ListGroups",
"cam:DescribeSubAccountContacts",
"cam:GetGroup",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory",
"cls:CheckAlarmRule",
"cls:CheckAlarmChannel"
],
"resource": "*"
}
]
}

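Management permissions: management permissions on alarm policies with a specified tag

Users can manage alarm policies that carry the specified tag, including modifying alarm policies, modifying notification channel groups, and viewing alarm policies.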
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:SearchLog",
"cam:ListGroups",
"cam:DescribeSubAccountContacts",
"cam:GetGroup",
"cls:CheckAlarmRule",
"cls:CheckAlarmChannel",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:ModifyAlarm",
"cls:DeleteAlarm",
"cls:DescribeAlarmNotices",
"cls:ModifyAlarmNotice",
"cls:DeleteAlarmNotice",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}

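Management permissions: management permissions on specified alarm policy resources

Users can manage the specified alarm policies, including modifying alarm policies, modifying notification channel groups, and viewing alarm policies.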
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:SearchLog",
"cam:ListGroups",
"cam:DescribeSubAccountContacts",
"cam:GetGroup",
"cls:CheckAlarmRule",
"cls:CheckAlarmChannel",
"cls:GetMetricLabelValues",
"cls:QueryMetric",
"cls:QueryRangeMetric",
"cls:GetMetricSeries"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:ModifyAlarm",
"cls:DeleteAlarm",
"cls:DescribeAlarmNotices",
"cls:ModifyAlarmNotice",
"cls:DeleteAlarmNotice",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory"
],
"resource": [
"qcs::cls:ap-guangzhou:100007***827:alarm/alarm-xxx-9bbe-4625-ac29-b5e66bf643cf",
"qcs::cls:ap-guangzhou:100007***827:alarmNotice/notice-xxx-ec2c-410f-924f-4ee8a7cd028e"
]
}
]
}

Read-only permissions: read-only permissions on all alarm policies

Users can view all alarm policies.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:DescribeAlarmNotices",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory",
"cam:ListGroups",
"cam:DescribeSubAccountContacts",
"cam:GetGroup"
],
"resource": "*"
}
]
}

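Read-only permissions: read-only permissions on alarm policies with a specified tag

Users can view alarm policies that carry the specified tag.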
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cam:ListGroups",
"cam:DescribeSubAccountContacts",
"cam:GetGroup"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:DescribeAlarmNotices",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}

Read-only permissions: read-only permissions on specified alarm policy resources

Users can view the specified alarm policies.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cam:ListGroups",
"cam:DescribeSubAccountContacts",
"cam:GetGroup"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeAlarms",
"cls:DescribeAlarmNotices",
"cls:GetAlarmLog",
"cls:DescribeAlertRecordHistory"
],
"resource": [
"qcs::cls:ap-guangzhou:100007***827:alarm/alarm-xxx-9bbe-4625-ac29-b5e66bf643cf",
"qcs::cls:ap-guangzhou:100007***827:alarmNotice/notice-xxx-ec2c-410f-924f-4ee8a7cd028e"
]
}
]
}

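Data processing

Data transformation

Management permissions: management permissions on all data transformation tasks

Management permissions on the "data transformation tasks" of all log topics.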
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeDataTransformPreviewDataInfo",
"cls:DescribeTopics",
"cls:DescribeIndex",
"cls:CreateDataTransform"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeFunctions",
"cls:CheckFunction",
"cls:DescribeDataTransformFailLogInfo",
"cls:DescribeDataTransformInfo",
"cls:DescribeDataTransformPreviewInfo",
"cls:DescribeDataTransformProcessInfo",
"cls:DeleteDataTransform",
"cls:ModifyDataTransform"
],
"resource": [
"*"
]
}
]
}

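Read-only permissions: read-only permissions on all data transformation tasks

Read-only permissions on the "data transformation tasks" of all log topics. Because this is view-only access, DSL functions do not need to be authorized.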
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"cls:DescribeDataTransformFailLogInfo",
"cls:DescribeDataTransformInfo",
"cls:DescribeDataTransformPreviewDataInfo",
"cls:DescribeDataTransformPreviewInfo",
"cls:DescribeDataTransformProcessInfo"
],
"resource": [
"*"
]
}
]
}

Scheduled SQL analysis

Management permissions: scheduled SQL analysis permissions on all log topics

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:CreateScheduledSql",
"cls:SearchLog",
"cls:DescribeScheduledSqlInfo",
"cls:DescribeScheduledSqlProcessInfo",
"cls:DeleteScheduledSql",
"cls:ModifyScheduledSql",
"cls:RetryScheduledSqlTask"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies"
],
"resource": [
"*"
]
}
]
}

Management permissions: scheduled SQL analysis permissions on log topics with a specified tag

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:SearchLog",
"cls:DescribeScheduledSqlProcessInfo",
"cls:CreateScheduledSql",
"cls:DeleteScheduledSql",
"cls:ModifyScheduledSql",
"cls:RetryScheduledSqlTask"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cls:DescribeScheduledSqlInfo"
],
"resource": [
"*"
]
}
]
}

Data shipping/consumption

Shipping to CKafka

Management permissions: CKafka shipping management permissions on all log topics

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:CreateConsumer",
"cls:ModifyConsumer",
"cls:DeleteConsumer",
"cls:DescribeConsumer",
"cls:DescribeConsumerPreview"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cam:AttachRolePolicy",
"cam:CreateRole",
"cam:DescribeRoleList",
"ckafka:DescribeInstances",
"ckafka:DescribeTopic",
"ckafka:DescribeInstanceAttributes",
"ckafka:CreateToken",
"ckafka:AuthorizeToken"
],
"resource": "*"
}
]
}

Management permissions: CKafka shipping management permissions on log topics with a specified tag

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:CreateConsumer",
"cls:ModifyConsumer",
"cls:DeleteConsumer",
"cls:DescribeConsumer",
"cls:DescribeConsumerPreview"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"age&13",
"name&vinson"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cam:AttachRolePolicy",
"cam:CreateRole",
"cam:DescribeRoleList",
"ckafka:DescribeInstances",
"ckafka:DescribeTopic",
"ckafka:DescribeInstanceAttributes",
"ckafka:CreateToken",
"ckafka:AuthorizeToken"
],
"resource": "*"
}
]
}

Read-only permissions: CKafka shipping read-only permissions on all log topics

Grants read-only permissions for shipping to CKafka on all log topics.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:DescribeConsumer",
"cls:DescribeConsumerPreview"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"ckafka:DescribeInstances",
"ckafka:DescribeTopic",
"ckafka:DescribeInstanceAttributes",
"ckafka:CreateToken",
"ckafka:AuthorizeToken"
],
"resource": "*"
}
]
}

Read-only permissions: CKafka shipping read-only permissions on log topics with a specified tag

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:DescribeConsumer",
"cls:DescribeConsumerPreview"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"ckafka:DescribeInstances",
"ckafka:DescribeTopic",
"ckafka:DescribeInstanceAttributes",
"ckafka:CreateToken",
"ckafka:AuthorizeToken"
],
"resource": "*"
}
]
}

Shipping to COS

Management permissions: manage shipping to COS for all log topics

Grants management permissions for shipping to COS on all log topics.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:DescribeIndex",
"cls:CreateShipper"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:ModifyShipper",
"cls:DescribeShippers",
"cls:DeleteShipper",
"cls:DescribeShipperTasks",
"cls:RetryShipperTask",
"cls:DescribeShipperPreview",
"cos:GetService",
"cam:ListAttachedRolePolicies",
"cam:AttachRolePolicy",
"cam:CreateRole",
"cam:DescribeRoleList"
],
"resource": "*"
}
]
}

Management permissions: manage shipping to COS for log topics with the specified tags

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:DescribeIndex",
"cls:CreateShipper"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:ModifyShipper",
"cls:DescribeShippers",
"cls:DeleteShipper",
"cls:DescribeShipperTasks",
"cls:RetryShipperTask",
"cls:DescribeShipperPreview",
"cos:GetService",
"cam:ListAttachedRolePolicies",
"cam:AttachRolePolicy",
"cam:CreateRole",
"cam:DescribeRoleList"
],
"resource": "*"
}
]
}
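
The tag-scoped COS management template above attaches the tag condition only to its first statement. As an added example (not Tencent Cloud's code), the following Python lists the write actions a policy allows on "*" with no qcs:resource_tag condition, so a reviewer can see which actions the tag scope does not cover. The WRITE_VERBS prefixes and the function names are assumptions made here; the embedded policy is copied from that template.

```python
import json

# Policy copied from the tag-scoped "shipping to COS, management" template above.
POLICY = json.loads("""
{"version": "2.0", "statement": [
  {"effect": "allow",
   "action": ["cls:DescribeTopics", "cls:DescribeLogsets",
              "cls:DescribeIndex", "cls:CreateShipper"],
   "resource": "*",
   "condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["key&value"]}}},
  {"effect": "allow",
   "action": ["tag:DescribeResourceTagsByResourceIds", "tag:DescribeTagKeys",
              "tag:DescribeTagValues", "cls:ModifyShipper", "cls:DescribeShippers",
              "cls:DeleteShipper", "cls:DescribeShipperTasks", "cls:RetryShipperTask",
              "cls:DescribeShipperPreview", "cos:GetService",
              "cam:ListAttachedRolePolicies", "cam:AttachRolePolicy",
              "cam:CreateRole", "cam:DescribeRoleList"],
   "resource": "*"}]}
""")

# Assumption: name prefixes treated as state-changing, based on action names on this page.
WRITE_VERBS = ("Create", "Modify", "Delete", "Attach", "Retry", "Open", "Close", "Commit")

def as_list(value):
    """Policies write single values either as a string or as a list."""
    return value if isinstance(value, list) else [value]

def tag_scope(statement):
    """Return the resource tags a statement is limited to (empty set = no tag limit)."""
    tags = set()
    for operator, keys in statement.get("condition", {}).items():
        # Matches both "string_equal" and "for_any_value:string_equal".
        if operator.split(":")[-1] == "string_equal" and "qcs:resource_tag" in keys:
            tags.update(as_list(keys["qcs:resource_tag"]))
    return tags

def unscoped_writes(policy):
    """Write actions allowed on resource "*" without any resource-tag condition."""
    found = []
    for st in policy["statement"]:
        if st.get("effect") != "allow" or "*" not in as_list(st["resource"]):
            continue
        if tag_scope(st):
            continue
        for action in as_list(st["action"]):
            if action.split(":", 1)[-1].startswith(WRITE_VERBS):
                found.append(action)
    return sorted(found)
```
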

Read-only permissions: read-only access to shipping to COS for all log topics

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:DescribeShippers",
"cls:DescribeShipperTasks",
"cls:RetryShipperTask",
"cls:DescribeShipperPreview",
"cam:ListAttachedRolePolicies"
],
"resource": "*"
}
]
}

Read-only permissions: read-only access to shipping to COS for log topics with the specified tags

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:DescribeShippers",
"cls:DescribeShipperTasks",
"cls:RetryShipperTask",
"cls:DescribeShipperPreview",
"cam:ListAttachedRolePolicies"
],
"resource": "*"
}
]
}

Shipping to DLC

Management permissions: manage shipping to DLC for all log topics

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:CreateDlcDeliver",
"cls:ModifyDlcDeliver",
"cls:DescribeDlcDelivers",
"cls:DeleteDlcDeliver"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"dlc:DescribeDatabases",
"dlc:DescribeOptimizedTables",
"dlc:DescribeDatasourceConnection",
"cam:ListAttachedRolePolicies",
"cam:AttachRolePolicy",
"cam:CreateRole",
"cam:DescribeRoleList"
],
"resource": "*"
}
]
}

Management permissions: manage shipping to DLC for log topics with the specified tags

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:CreateDlcDeliver",
"cls:ModifyDlcDeliver",
"cls:DescribeDlcDelivers",
"cls:DeleteDlcDeliver"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"dlc:DescribeDatabases",
"dlc:DescribeOptimizedTables",
"dlc:DescribeDatasourceConnection",
"cam:ListAttachedRolePolicies",
"cam:AttachRolePolicy",
"cam:CreateRole",
"cam:DescribeRoleList"
],
"resource": "*"
}
]
}

Read-only permissions: read-only access to shipping to DLC for all log topics

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:DescribeDlcDelivers",
"dlc:DescribeDatabases",
"dlc:DescribeOptimizedTables",
"dlc:DescribeDatasourceConnection",
"cam:ListAttachedRolePolicies"
],
"resource": "*"
}
]
}

Read-only permissions: read-only access to shipping to DLC for log topics with the specified tags

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cls:DescribeDlcDelivers",
"dlc:DescribeDatabases",
"dlc:DescribeOptimizedTables",
"dlc:DescribeDatasourceConnection",
"cam:ListAttachedRolePolicies"
],
"resource": "*"
}
]
}

Shipping to Splunk

Management permissions: manage shipping to Splunk for all log topics

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:CheckSplunkConnect",
"cls:DescribeSplunkPreview",
"cls:CreateSplunkDeliver",
"cls:ModifySplunkDeliver",
"cls:DescribeSplunkDelivers",
"cls:DeleteSplunkDeliver"
],
"resource": "*"
}
]
}

Management permissions: manage shipping to Splunk for log topics with the specified tags

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:CheckSplunkConnect",
"cls:DescribeSplunkPreview",
"cls:CreateSplunkDeliver",
"cls:ModifySplunkDeliver",
"cls:DescribeSplunkDelivers",
"cls:DeleteSplunkDeliver"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues"
],
"resource": "*"
}
]
}

Read-only permissions: read-only access to shipping to Splunk for all log topics

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:CheckSplunkConnect",
"cls:DescribeSplunkPreview",
"cls:DescribeSplunkDelivers"
],
"resource": "*"
}
]
}

Read-only permissions: read-only access to shipping to Splunk for log topics with the specified tags

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:CheckSplunkConnect",
"cls:DescribeSplunkPreview",
"cls:DescribeSplunkDelivers"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues"
],
"resource": "*"
}
]
}

Shipping to SCF

Management permissions: manage shipping to SCF for all log topics

Grants management permissions for shipping to SCF on all log topics.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cls:CreateDeliverFunction",
"cls:DeleteDeliverFunction",
"cls:ModifyDeliverFunction",
"cls:GetDeliverFunction",
"scf:ListFunctions",
"scf:ListAliases",
"scf:ListVersionByFunction"
],
"resource": "*"
}
]
}

Management permissions: manage shipping to SCF for log topics with the specified tags

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cls:CreateDeliverFunction",
"cls:DeleteDeliverFunction",
"cls:ModifyDeliverFunction",
"cls:GetDeliverFunction",
"scf:ListFunctions",
"scf:ListAliases",
"scf:ListVersionByFunction"
],
"resource": "*"
}
]
}

Read-only permissions: read-only access to shipping to SCF for all log topics

Grants read-only permissions for shipping to SCF on all log topics.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*"
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cls:GetDeliverFunction",
"scf:ListFunctions",
"scf:ListAliases",
"scf:ListVersionByFunction"
],
"resource": "*"
}
]
}

Read-only permissions: read-only access to shipping to SCF for log topics with the specified tags

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeTopics",
"cls:DescribeLogsets"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies",
"cls:GetDeliverFunction",
"scf:ListFunctions",
"scf:ListAliases",
"scf:ListVersionByFunction"
],
"resource": "*"
}
]
}

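Kafka protocol consumption

Management permissions: Kafka protocol consumption for all log topics

Grants Kafka protocol consumption permissions on all log topics.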
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:DescribeKafkaConsumer",
"cls:CloseKafkaConsumer",
"cls:ModifyKafkaConsumer",
"cls:OpenKafkaConsumer"
],
"resource": [
"*"
]
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies"
],
"resource": [
"*"
]
}
]
}

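Management permissions: Kafka protocol consumption for log topics with the specified tags

Grants management permissions for Kafka protocol consumption on log topics with the specified tags.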
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:DescribeKafkaConsumer",
"cls:CloseKafkaConsumer",
"cls:ModifyKafkaConsumer",
"cls:OpenKafkaConsumer"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
},
{
"effect": "allow",
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies"
],
"resource": [
"*"
]
}
]
}

Management permissions: Kafka protocol consumption for specified resources

{
"statement": [
{
"action": [
"cls:DescribeLogsets",
"cls:DescribeTopics",
"cls:DescribeKafkaConsumer",
"cls:CloseKafkaConsumer",
"cls:ModifyKafkaConsumer",
"cls:OpenKafkaConsumer"
],
"effect": "allow",
"resource": [
"qcs::cls:ap-chengdu:100001127XXX:logset/axxxxxx-772e-4971-ad9a-ddcfcfff691b",
"qcs::cls:ap-chengdu:100001127XXX:topic/590xxxxxxx-36c4-447b-a84f-172ee7340b22"
]
},
{
"action": [
"tag:DescribeResourceTagsByResourceIds",
"tag:DescribeTagKeys",
"tag:DescribeTagValues",
"cam:ListAttachedRolePolicies"
],
"effect": "allow",
"resource": [
"*"
]
}
],
"version": "2.0"
}

Minimum permissions for Kafka protocol consumption (API calls, not the console)

{
"version": "2.0",
"statement": [
{
"action": [
"cls:OpenKafkaConsumer"
],
"effect": "allow",
"resource": [
"*"
]
}
]
}

Metric shipping

Management permissions: manage shipping for all metric topics

{
"statement": [
{
"action": [
"cls:DescribeRemoteWriteTask",
"cls:DescribeTopics",
"cls:CreateRemoteWriteTask",
"cls:ModifyRemoteWriteTask",
"cls:DescribeLogsets",
"cls:DeleteRemoteWriteTask",
"cls:CheckRemoteWriteTaskConnect"
],
"effect": "allow",
"resource": [
"*"
]
}
],
"version": "2.0"
}

Management permissions: manage shipping for metric topics with the specified tags

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:DescribeRemoteWriteTask",
"cls:DescribeTopics",
"cls:CreateRemoteWriteTask",
"cls:ModifyRemoteWriteTask",
"cls:DescribeLogsets",
"cls:DeleteRemoteWriteTask",
"cls:CheckRemoteWriteTaskConnect"
],
"resource": [
"*"
],
"condition": {
"string_equal": {
"qcs:resource_tag": "key:value"
}
}
}
]
}

Custom consumption

Management permissions: manage custom consumption for all log topics

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:CreateConsumerGroup",
"cls:ModifyConsumerGroup",
"cls:DescribeConsumerGroups",
"cls:DeleteConsumerGroup",
"cls:DescribeConsumerOffsets",
"cls:CommitConsumerOffsets",
"cls:SendConsumerHeartbeat",
"cls:pullLog"
],
"resource": [
"*"
]
}
]
}

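DataSight management permissions

Management permissions: manage all DataSight standalone consoles

Users can create, modify, view, and delete DataSight consoles in the Tencent Cloud console.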
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:CreateConsole",
"cls:DeleteConsole",
"cls:DescribeConsoles",
"vpc:DescribeSubnetEx",
"vpc:DescribeVpcEx",
"cls:ModifyConsole"
],
"resource": [
"*"
]
}
]
}

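Management permissions: manage a specified DataSight standalone console

Users can create, modify, view, and delete the specified DataSight console in the Tencent Cloud console.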
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:CreateConsole",
"cls:DeleteConsole",
"cls:DescribeConsoles",
"vpc:DescribeSubnetEx",
"vpc:DescribeVpcEx",
"cls:ModifyConsole"
],
"resource": [
"qcs::cls::uin/100******123:datasight/clsconsole-1234abcd"
]
}
]
}

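Management permissions: manage DataSight standalone consoles with the specified tags

Users can create, modify, view, and delete DataSight consoles with the specified tags in the Tencent Cloud console.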
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:CreateConsole",
"cls:DeleteConsole",
"cls:DescribeConsoles",
"vpc:DescribeSubnetEx",
"vpc:DescribeVpcEx",
"cls:ModifyConsole"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}

Read-only permissions: read-only access to all DataSight standalone consoles

Users can view information about DataSight consoles in the Tencent Cloud console.
{
"statement": [
{
"action": [
"cls:DescribeConsoles"
],
"effect": "allow",
"resource": [
"*"
]
}
],
"version": "2.0"
}

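Read-only permissions: read-only access to a specified DataSight standalone console

Users can view information about the specified DataSight console in the Tencent Cloud console.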
{
"statement": [
{
"action": [
"cls:DescribeConsoles"
],
"effect": "allow",
"resource": [
"qcs::cls::uin/100******123:datasight/clsconsole-1234abcd"
]
}
],
"version": "2.0"
}

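Read-only permissions: read-only access to DataSight standalone consoles with the specified tags

Users can view information about DataSight consoles with the specified tags in the Tencent Cloud console.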
{
"statement": [
{
"action": [
"cls:DescribeConsoles"
],
"effect": "allow",
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
],
"version": "2.0"
}

Developer-related

Using CLS through Grafana

Display data from all topics through Grafana

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:MetricsLabelValues",
"cls:MetricsQueryRange",
"cls:MetricsLabels",
"cls:MetricsQuery"
],
"resource": [
"*"
]
}
]
}

Display data from topics with the specified tags through Grafana

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cls:SearchLog",
"cls:DescribeTopics",
"cls:MetricsSeries",
"cls:MetricsQueryExemplars",
"cls:MetricsLabelValues",
"cls:MetricsQueryRange",
"cls:MetricsLabels",
"cls:MetricsQuery"
],
"resource": [
"*"
],
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"key&value"
]
}
}
}
]
}

