您可以授予Log Service應用(例如日誌審計服務、EBS Lens等)使用Log Service服務關聯角色(AliyunServiceRoleForSLSAudit)來存取其他雲端服務中的資源。本文介紹AliyunServiceRoleForSLSAudit角色的應用情境和權限原則。
應用情境
當您在Log Service應用(例如日誌審計服務、EBS Lens等)中進行日誌採集時,Log Service會調用相關雲產品的OpenAPI介面,擷取採集帳號下的雲產品資訊。此過程中,Log Service需要通過AliyunServiceRoleForSLSAudit角色獲取雲產品的部分讀取許可權,以及與日誌採集相關的部分修改許可權。更多資訊,請參見服務關聯角色。
AliyunServiceRoleForSLSAudit角色說明
說明 您在開通Log Service時,系統會自動建立AliyunServiceRoleForSLSAudit角色。
- 角色名稱:AliyunServiceRoleForSLSAudit
- 角色權限原則:AliyunServiceRolePolicyForSLSAudit
- 許可權說明:
{ "Version": "1", "Statement": [ { "Action": [ "resourcemanager:ListAccounts", "resourcemanager:GetAccount", "resourcemanager:GetResourceDirectory", "resourcemanager:GetFolder", "resourcemanager:ListFoldersForParent", "resourcemanager:ListAccountsForParent", "rds:DescribeRegions", "rds:DescribeSqlLogInstances", "rds:DescribeDBInstanceAttribute", "rds:ListTagResources", "rds:DisableSqlLogDistribution", "rds:EnableSqlLogDistribution", "rds:ModifySQLCollectorPolicy", "rds:DescribeSQLCollectorRetention", "polardb:DescribeRegions", "polardb:DescribeDBClusters", "polardb:DescribeSqlLogClusters", "polardb:ModifyDBClusterAuditLogCollector", "polardb:DescribeDBClusterAttribute", "polardb:DescribeSQLExplorerRetention", "kvstore:DescribeRegions", "kvstore:DescribeInstances", "kvstore:DescribeRedisLogConfig", "kvstore:ModifyAuditLogConfig", "kvstore:DescribeInstanceAttribute", "kvstore:DescribeEngineVersion", "kvstore:InitializeKvstorePermission", "drds:DescribeDrdsInstances", "drds:DescribeDrdsDBs", "drds:EnableSqlAuditExtraWrite", "drds:DisableSqlAuditExtraWrite", "drds:DescribeDrdsRegions", "drds:DescribeDrdsSqlAuditStatus", "slb:DescribeRegions", "slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:SetAccessLogsDownloadAttribute", "slb:DeleteAccessLogsDownloadAttribute", "slb:DescribeAccessLogsDownloadAttribute", "slb:ListTagResources", "alb:DescribeRegions", "alb:ListLoadBalancers", "alb:EnableLoadBalancerAccessLog", "alb:DisableLoadBalancerAccessLog", "alb:GetLoadBalancerAttribute", "cs:GetClustersByUid", "cs:GetClusters", "kms:DescribeKeyStores", "oss:GetBucketInfo", "oss:ListBuckets", "oss:GetBucketTagging", "oss:GetBucketWorm", "oss:GetBucketLifecycle", "oss:GetBucketReferer", "ecs:DescribeDisks", "ecs:DescribeSnapshots", "ecs:DescribeRegions", "ecs:DescribeInstances", "mse:GetGateway", "cen:ListTransitRouters", "cen:ListTransitRouterPeerAttachments", "cen:ListTransitRouterVbrAttachments", "vpc:DescribeVpcs", "vpc:GetNatGatewayAttribute", 
"vpc:DescribeNatGateways", "vpc:DescribeRegions", "hbase:DescribeInstance", "lindorm:GetLindormInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "oos:StartExecution", "oos:ListExecutions" ], "Resource": [ "acs:oos:*:*:template/ACS-LOG-BulkyInstallLogtail", "acs:oos:*:*:execution/*" ], "Effect": "Allow" }, { "Action": [ "ecs:InvokeCommand", "ecs:DescribeInvocations", "ecs:DescribeInvocationResults", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/cmd-ACS-LOG-InstallLogtail-*" ], "Effect": "Allow" }, { "Action": [ "log:CreateProject", "log:GetProject", "log:ListProject", "log:ListLogStores", "log:GetLogStore", "log:GetLogStoreLogs", "log:PostLogStoreLogs", "log:BatchPostLogStoreLogs", "log:CreateIndex", "log:UpdateIndex", "log:CreateDashboard", "log:UpdateDashboard", "log:CreateLogStore", "log:CreateSavedSearch", "log:UpdateSavedSearch", "log:CreateJob", "log:UpdateJob", "log:ListShards", "log:GetCursorOrData", "log:GetConsumerGroupCheckPoint", "log:UpdateConsumerGroup", "log:ConsumerGroupHeartBeat", "log:ConsumerGroupUpdateCheckPoint", "log:ListConsumerGroup", "log:CreateConsumerGroup", "log:GetLogging", "log:CreateLogging", "log:UpdateLogging", "log:DeleteLogging", "log:PostProjectQuery", "log:GetProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery", "log:GetMachineGroup", "log:ListMachineGroup" ], "Resource": [ "acs:log:*:*:project/*" ], "Effect": "Allow" }, { "Action": [ "log:GetApp", "log:UpdateApp", "log:CreateApp" ], "Resource": [ "acs:log:*:*:app/audit" ], "Effect": "Allow" }, { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": [ "r-kvstore.aliyuncs.com", "logdelivery.alb.aliyuncs.com" ] } } }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "audit.log.aliyuncs.com" } } } ] }