Overview
When the CKafka connector is used to access services like CLS and COS, users need to grant the connector permissions to access these services under their accounts. If the CKafka sub-account has the CAM policy permissions (QcloudCamRoleFullAccess), select Role Authorization when a CKafka task is created, and the connector will automatically complete the authorization for you. Otherwise, a user with AdministratorAccess need to grant the necessary permissions before a connector task is created through the sub-account.
List of Services Requiring Authorization
|
Cloud Log Service (CLS) | Datahub_QcsRole | QcloudCLSFullAccess |
Cloud Object Storage (COS) | Datahub_QcsRole | QcloudCOSFullAccess |
Authorization Steps
If the sub-account creating the connector task does not have the CAM policy permissions (QcloudCamRoleFullAccess), you may encounter prompts about missing CreateRole or AttachRolePolicy permissions. If your account does not yet have the Datahub_QcsRole role, see Creating Role for authorization instructions. If the account has the Datahub_QcsRole role, see Authorizing Role for authorization instructions. Creating a Role
1. If you encounter a prompt about missing CreateRole policy permissions, a user with AdministratorAccess is required to go to the CAM console, enter the role page, and click Create Role.
2. On the Select Role Entity page, select Tencent Cloud product service:
3. Proceed to the Enter Role Entity Information step, and select **Message Service (ckafka)**:
4. In the Configure Role Policy step, select the policy corresponding to the service that the connector task needs to access. Here, the policies for CLS and COS are selected:
5. In the Configure Role Tag step, you can configure the appropriate tags for the role, but this step can be skipped.
6. In the Review step, name the role as Datahub_QcsRole:
7. Once the role is successfully created, the sub-account can proceed with creating the corresponding connector tasks.
Authorize the Role
1. If you encounter a prompt about missing AttachRolePolicy policy permissions, a user with AdministratorAccess needs to go to the CAM console, enter the role page, and find the role corresponding to the service. Here, the Datahub_QcsRole role is taken as an example.
2. Click the role name to enter the role management details page. In the permissions section, click Associate Policy:
3. Find the policy related to the service you need to authorize. Here, take the CLS service as an example, click Confirm to complete the authorization:
4. Once the role has the permissions to access the respective service, the sub-account can successfully create the corresponding connector tasks.
Was this page helpful?