您可以授權日志服務應用(例如日志審計服務、EBS Lens等)使用日志服務(SLS)的服務關聯角色(AliyunServiceRoleForSLSAudit)來獲取其他云服務中的資源。本文介紹AliyunServiceRoleForSLSAudit角色的應用場景和權限策略。
應用場景
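當您在日志服務應用(例如日志審計服務、EBS Lens等)中進行日志采集時,日志服務會調用相關云產品的OpenAPI接口獲取采集賬號下的云產品信息。此過程中,日志服務需要通過AliyunServiceRoleForSLSAudit角色獲得兩類權限:云產品的部分讀取權限,以及與日志采集相關的部分修改權限(例如權限策略中的rds:EnableSqlLogDistribution、rds:DisableSqlLogDistribution、alb:EnableLoadBalancerAccessLog)。更多信息,請參見服務關聯角色。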
AliyunServiceRoleForSLSAudit角色說明
說明 您在開通日志服務時,系統會自動創建AliyunServiceRoleForSLSAudit角色。
- 角色名稱:AliyunServiceRoleForSLSAudit
- 角色權限策略:AliyunServiceRolePolicyForSLSAudit
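- 權限說明:該權限策略的內容如下。其中第一條語句的Resource為"*";oos和ecs的執行類操作限定於ACS-LOG-BulkyInstallLogtail模板和cmd-ACS-LOG-InstallLogtail-*命令,但資源範圍包含所有ECS實例(instance/*);log類操作的資源範圍為所有Project(project/*);ram:CreateServiceLinkedRole和ram:DeleteServiceLinkedRole通過ram:ServiceName條件限定了服務名。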
{ "Version": "1", "Statement": [ { "Action": [ "resourcemanager:ListAccounts", "resourcemanager:GetAccount", "resourcemanager:GetResourceDirectory", "resourcemanager:GetFolder", "resourcemanager:ListFoldersForParent", "resourcemanager:ListAccountsForParent", "rds:DescribeRegions", "rds:DescribeSqlLogInstances", "rds:DescribeDBInstanceAttribute", "rds:ListTagResources", "rds:DisableSqlLogDistribution", "rds:EnableSqlLogDistribution", "rds:ModifySQLCollectorPolicy", "rds:DescribeSQLCollectorRetention", "polardb:DescribeRegions", "polardb:DescribeDBClusters", "polardb:DescribeSqlLogClusters", "polardb:ModifyDBClusterAuditLogCollector", "polardb:DescribeDBClusterAttribute", "polardb:DescribeSQLExplorerRetention", "kvstore:DescribeRegions", "kvstore:DescribeInstances", "kvstore:DescribeRedisLogConfig", "kvstore:ModifyAuditLogConfig", "kvstore:DescribeInstanceAttribute", "kvstore:DescribeEngineVersion", "kvstore:InitializeKvstorePermission", "drds:DescribeDrdsInstances", "drds:DescribeDrdsDBs", "drds:EnableSqlAuditExtraWrite", "drds:DisableSqlAuditExtraWrite", "drds:DescribeDrdsRegions", "drds:DescribeDrdsSqlAuditStatus", "slb:DescribeRegions", "slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:SetAccessLogsDownloadAttribute", "slb:DeleteAccessLogsDownloadAttribute", "slb:DescribeAccessLogsDownloadAttribute", "slb:ListTagResources", "alb:DescribeRegions", "alb:ListLoadBalancers", "alb:EnableLoadBalancerAccessLog", "alb:DisableLoadBalancerAccessLog", "alb:GetLoadBalancerAttribute", "cs:GetClustersByUid", "cs:GetClusters", "kms:DescribeKeyStores", "oss:GetBucketInfo", "oss:ListBuckets", "oss:GetBucketTagging", "oss:GetBucketWorm", "oss:GetBucketLifecycle", "oss:GetBucketReferer", "ecs:DescribeDisks", "ecs:DescribeSnapshots", "ecs:DescribeRegions", "ecs:DescribeInstances", "mse:GetGateway", "cen:ListTransitRouters", "cen:ListTransitRouterPeerAttachments", "cen:ListTransitRouterVbrAttachments", "vpc:DescribeVpcs", "vpc:GetNatGatewayAttribute", 
"vpc:DescribeNatGateways", "vpc:DescribeRegions", "hbase:DescribeInstance", "lindorm:GetLindormInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "oos:StartExecution", "oos:ListExecutions" ], "Resource": [ "acs:oos:*:*:template/ACS-LOG-BulkyInstallLogtail", "acs:oos:*:*:execution/*" ], "Effect": "Allow" }, { "Action": [ "ecs:InvokeCommand", "ecs:DescribeInvocations", "ecs:DescribeInvocationResults", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/cmd-ACS-LOG-InstallLogtail-*" ], "Effect": "Allow" }, { "Action": [ "log:CreateProject", "log:GetProject", "log:ListProject", "log:ListLogStores", "log:GetLogStore", "log:GetLogStoreLogs", "log:PostLogStoreLogs", "log:BatchPostLogStoreLogs", "log:CreateIndex", "log:UpdateIndex", "log:CreateDashboard", "log:UpdateDashboard", "log:CreateLogStore", "log:CreateSavedSearch", "log:UpdateSavedSearch", "log:CreateJob", "log:UpdateJob", "log:ListShards", "log:GetCursorOrData", "log:GetConsumerGroupCheckPoint", "log:UpdateConsumerGroup", "log:ConsumerGroupHeartBeat", "log:ConsumerGroupUpdateCheckPoint", "log:ListConsumerGroup", "log:CreateConsumerGroup", "log:GetLogging", "log:CreateLogging", "log:UpdateLogging", "log:DeleteLogging", "log:PostProjectQuery", "log:GetProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery", "log:GetMachineGroup", "log:ListMachineGroup" ], "Resource": [ "acs:log:*:*:project/*" ], "Effect": "Allow" }, { "Action": [ "log:GetApp", "log:UpdateApp", "log:CreateApp" ], "Resource": [ "acs:log:*:*:app/audit" ], "Effect": "Allow" }, { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": [ "r-kvstore.aliyuncs.com", "logdelivery.alb.aliyuncs.com" ] } } }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "audit.log.aliyuncs.com" } } } ] }