您可以授予日志服务应用(例如日志审计服务、EBS Lens等)使用SLS日志服务关联角色(AliyunServiceRoleForSLSAudit)来获取其他云服务中的资源。本文介绍AliyunServiceRoleForSLSAudit角色的应用场景和权限策略。
应用场景
当您在日志服务应用(例如日志审计服务、EBS Lens等)中进行日志采集时,日志服务会调用相关云产品的OpenAPI接口获取采集账号下的云产品信息。此过程中,日志服务需要通过AliyunServiceRoleForSLSAudit角色获取云产品的部分读取及日志采集相关的部分修改权限。更多信息,请参见服务关联角色。
AliyunServiceRoleForSLSAudit角色说明
说明 您在开通日志服务时,自动创建AliyunServiceRoleForSLSAudit角色。
- 角色名称:AliyunServiceRoleForSLSAudit
- 角色权限策略:AliyunServiceRolePolicyForSLSAudit
- 权限说明:
{ "Version": "1", "Statement": [ { "Action": [ "resourcemanager:ListAccounts", "resourcemanager:GetAccount", "resourcemanager:GetResourceDirectory", "resourcemanager:GetFolder", "resourcemanager:ListFoldersForParent", "resourcemanager:ListAccountsForParent", "rds:DescribeRegions", "rds:DescribeSqlLogInstances", "rds:DescribeDBInstanceAttribute", "rds:ListTagResources", "rds:DisableSqlLogDistribution", "rds:EnableSqlLogDistribution", "rds:ModifySQLCollectorPolicy", "rds:DescribeSQLCollectorRetention", "polardb:DescribeRegions", "polardb:DescribeDBClusters", "polardb:DescribeSqlLogClusters", "polardb:ModifyDBClusterAuditLogCollector", "polardb:DescribeDBClusterAttribute", "polardb:DescribeSQLExplorerRetention", "kvstore:DescribeRegions", "kvstore:DescribeInstances", "kvstore:DescribeRedisLogConfig", "kvstore:ModifyAuditLogConfig", "kvstore:DescribeInstanceAttribute", "kvstore:DescribeEngineVersion", "kvstore:InitializeKvstorePermission", "drds:DescribeDrdsInstances", "drds:DescribeDrdsDBs", "drds:EnableSqlAuditExtraWrite", "drds:DisableSqlAuditExtraWrite", "drds:DescribeDrdsRegions", "drds:DescribeDrdsSqlAuditStatus", "slb:DescribeRegions", "slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:SetAccessLogsDownloadAttribute", "slb:DeleteAccessLogsDownloadAttribute", "slb:DescribeAccessLogsDownloadAttribute", "slb:ListTagResources", "alb:DescribeRegions", "alb:ListLoadBalancers", "alb:EnableLoadBalancerAccessLog", "alb:DisableLoadBalancerAccessLog", "alb:GetLoadBalancerAttribute", "cs:GetClustersByUid", "cs:GetClusters", "kms:DescribeKeyStores", "oss:GetBucketInfo", "oss:ListBuckets", "oss:GetBucketTagging", "oss:GetBucketWorm", "oss:GetBucketLifecycle", "oss:GetBucketReferer", "ecs:DescribeDisks", "ecs:DescribeSnapshots", "ecs:DescribeRegions", "ecs:DescribeInstances", "mse:GetGateway", "cen:ListTransitRouters", "cen:ListTransitRouterPeerAttachments", "cen:ListTransitRouterVbrAttachments", "vpc:DescribeVpcs", "vpc:GetNatGatewayAttribute", "vpc:DescribeNatGateways", "vpc:DescribeRegions", "hbase:DescribeInstance", "lindorm:GetLindormInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "oos:StartExecution", "oos:ListExecutions" ], "Resource": [ "acs:oos:*:*:template/ACS-LOG-BulkyInstallLogtail", "acs:oos:*:*:execution/*" ], "Effect": "Allow" }, { "Action": [ "ecs:InvokeCommand", "ecs:DescribeInvocations", "ecs:DescribeInvocationResults", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/cmd-ACS-LOG-InstallLogtail-*" ], "Effect": "Allow" }, { "Action": [ "log:CreateProject", "log:GetProject", "log:ListProject", "log:ListLogStores", "log:GetLogStore", "log:GetLogStoreLogs", "log:PostLogStoreLogs", "log:BatchPostLogStoreLogs", "log:CreateIndex", "log:UpdateIndex", "log:CreateDashboard", "log:UpdateDashboard", "log:CreateLogStore", "log:CreateSavedSearch", "log:UpdateSavedSearch", "log:CreateJob", "log:UpdateJob", "log:ListShards", "log:GetCursorOrData", "log:GetConsumerGroupCheckPoint", "log:UpdateConsumerGroup", "log:ConsumerGroupHeartBeat", "log:ConsumerGroupUpdateCheckPoint", "log:ListConsumerGroup", "log:CreateConsumerGroup", "log:GetLogging", "log:CreateLogging", "log:UpdateLogging", "log:DeleteLogging", "log:PostProjectQuery", "log:GetProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery", "log:GetMachineGroup", "log:ListMachineGroup" ], "Resource": [ "acs:log:*:*:project/*" ], "Effect": "Allow" }, { "Action": [ "log:GetApp", "log:UpdateApp", "log:CreateApp" ], "Resource": [ "acs:log:*:*:app/audit" ], "Effect": "Allow" }, { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": [ "r-kvstore.aliyuncs.com", "logdelivery.alb.aliyuncs.com" ] } } }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "audit.log.aliyuncs.com" } } } ] }
内容没看懂? 不太想学习?想快速解决? 有偿解决: 联系专家
阿里云企业补贴进行中: 马上申请
腾讯云限时活动1折起,即将结束: 马上收藏
同尘科技为腾讯云授权服务中心。
购买腾讯云产品享受折上折,更有现金返利:同意关联,立享优惠
转转请注明出处:https://www.yunxiaoer.com/163182.html
