CLS Service Role Authorization

Last updated: 2024-01-20 17:44:35

    Overview

    When you create a task that ships logs to COS or CKafka, you need to grant the CLS service role permission to access COS/CKafka. If you perform the operation in the console, the system guides you through the authorization process. If you call the APIs directly, you must authorize the role manually. Before authorizing manually, follow the steps below to check whether the CLS service role has already been authorized.

    Checking CLS Authorization

    1. Log in to the CAM console, and select Role on the left sidebar.
    2. On the Role page, check whether you have the CLS_QcsRole role. You can use the search box in the top-right corner of the role list to search for the role.
    3. Click the role name to go to the role details page.
    3.1 Select the Permission tab to see if the role has the QcloudCOSAccessForCLSRole and QcloudCKAFKAAccessForCLSRole permissions.
    3.2 Select the Role Entity tab to see whether the role entity is cls.cloud.tencent.com.
    If there is no such role or permission, create one as instructed below.
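
    When you work through the API rather than the console, the same three checks can be run against role data you have exported from CAM. The Python below is an added example, not Tencent Cloud's code: it assumes the role's trust policy is a JSON policy document with lower-case `statement`, `effect` and `principal` keys, and it runs on constructed sample input. It also flags any trusted principal other than the CLS entity, which goes one step beyond the check described above.

```python
import json

# Names taken from the page; the policy-document layout is an assumption.
ROLE_ENTITY = "cls.cloud.tencent.com"
REQUIRED_POLICIES = {"QcloudCOSAccessForCLSRole", "QcloudCKAFKAAccessForCLSRole"}

def _as_list(value):
    """Policy fields may hold one item or a list of items."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_cls_role(trust_policy_json, attached_policy_names):
    """Return findings for CLS_QcsRole; an empty list means it matches the page."""
    trusted = set()
    for stmt in _as_list(json.loads(trust_policy_json).get("statement", [])):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue
        principal = stmt.get("principal", {})
        if not isinstance(principal, dict):      # e.g. a bare "*"
            principal = {"any": principal}
        for kind, values in principal.items():
            trusted.update((kind, v) for v in _as_list(values))
    expected = ("service", ROLE_ENTITY)
    findings = []
    if expected not in trusted:
        findings.append(f"role entity {ROLE_ENTITY} is not trusted")
    for kind, value in sorted(trusted - {expected}):
        findings.append(f"unexpected principal {kind}:{value}")
    for name in sorted(REQUIRED_POLICIES - set(attached_policy_names)):
        findings.append(f"missing policy {name}")
    return findings

def _trust(principal):
    """Build a constructed trust policy document for the samples below."""
    return json.dumps({"version": "2.0", "statement": [
        {"effect": "allow", "action": "name/sts:AssumeRole", "principal": principal}]})

# Constructed sample input, not real account data.
GOOD_TRUST = _trust({"service": ["cls.cloud.tencent.com"]})
BAD_TRUST = _trust({"service": "cls.cloud.tencent.com",
                    "qcs": ["qcs::cam::uin/100000000001:root"]})

if __name__ == "__main__":
    print(audit_cls_role(GOOD_TRUST, sorted(REQUIRED_POLICIES)))
    print(audit_cls_role(BAD_TRUST, ["QcloudCOSAccessForCLSRole"]))
```
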

    Directions

    Granting CLS access permissions

    You can use either of the following methods to grant CLS the permissions to ship logs to COS/CKafka:

    Automatic Creation via CLS Console

    If this is the first time you create a task to ship logs to COS/CKafka in the CLS console, follow the instructions in the console to create the required role and policies:
    1. In the pop-up window that reads This feature requires creating a service role, click Go to Cloud Access Management.
    2. On the Role Management page, click Grant.

    Manual Creation via CAM Console

    1. Log in to the CAM console, and select Role on the left sidebar.
    2. On the Role page, click Create Role.
    3. In the Select role entity dialog box, click Tencent Cloud Product Service.
    4. On the Create Custom Role page, perform the following operations:
    4.1 In the Enter role entity info step, select Cloud Log Service (cls) and click Next.
    4.2 In the Configure Role Policy step, search for clsrole, select the QcloudCKAFKAAccessForCLSRole and QcloudCOSAccessForCLSRole policies in the search results, and click Next.
    4.3 In the Review step, enter the role name CLS_QcsRole and click Complete.

    At this point, you have authorized the CLS service role to access COS/CKafka. If you are using a root account, you can directly ship logs. If you are using a sub-account or collaborator account, you need to be authorized by the root account. For more information on granting permissions, see CAM Access Management. For more information on copying authorization policies, see Examples of Custom Access Policies.