- Release Notes and Announcements
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Resource Management
- Permission Management
- Log Collection
- Collection Overview
- Collecting Logs in Self-Built Kubernetes Cluster
- Collecting Syslog
- Collection by LogListener
- Collecting Text Log
- Uploading Log over Kafka
- Uploading Logs via Anonymous Write
- Uploading Logs via Logback Appender
- Uploading Logs via Log4j Appender
- Uploading Log via SDK
- Uploading Log via API
- Importing Data
- Tencent Cloud Service Log Access
- Log Storage
- Search and Analysis
- Syntax and Rules
- Statistical Analysis (SQL)
- Quick Analysis
- SQL Syntax
- SQL Functions
- String Function
- Date and Time Functions
- IP Geographic Function
- URL Function
- Mathematical Calculation Functions
- Mathematical Statistical Function
- General Aggregate Function
- Geospatial Function
- Binary String Function
- Estimation Function
- Type Conversion Function
- Logical Function
- Operators
- Bitwise Operation
- Regular Expression Function
- Lambda Function
- Conditional Expressions
- Array Functions
- Interval-Valued Comparison and Periodicity-Valued Comparison Functions
- JSON Functions
- Window Functions
- Sampling Analysis
- Configuring Indexes
- Reindexing
- Context Search and Analysis
- Downloading Log
- Dashboard
- Data Processing documents
- Data Processing
- Creating Processing Task
- Viewing Data Processing Details
- Data Processing Functions
- Function Overview
- Key-Value Extraction Functions
- Enrichment Functions
- Flow Control
- Row Processing Functions
- Field Processing Functions
- Value Structuring Functions
- Regular Expression Processing Functions
- Time Value Processing Functions
- String Processing Functions
- Type Conversion Functions
- Logical and Mathematical Functions
- Encoding and Decoding Functions
- IP Parsing Functions
- Processing Cases
- Scheduled SQL Analysis
- SCF
- Data Processing
- Shipping and Consumption
- Monitoring Alarm
- Historical Documentation
- Best Practices
- Developer Guide
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Topic Management APIs
- Log Set Management APIs
- Index APIs
- Topic Partition APIs
- Machine Group APIs
- Collection Configuration APIs
- Log APIs
- Metric APIs
- Alarm Policy APIs
- Data Processing APIs
- Kafka Protocol Consumption APIs
- CKafka Shipping Task APIs
- Kafka Data Subscription APIs
- COS Shipping Task APIs
- SCF Delivery Task APIs
- Scheduled SQL Analysis APIs
- COS Data Import Task APIs
- Data Types
- Error Codes
- FAQs
- CLS Service Level Agreement
- CLS Policy
- Contact Us
- Glossary
- Release Notes and Announcements
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Resource Management
- Permission Management
- Log Collection
- Collection Overview
- Collecting Logs in Self-Built Kubernetes Cluster
- Collecting Syslog
- Collection by LogListener
- Collecting Text Log
- Uploading Log over Kafka
- Uploading Logs via Anonymous Write
- Uploading Logs via Logback Appender
- Uploading Logs via Log4j Appender
- Uploading Log via SDK
- Uploading Log via API
- Importing Data
- Tencent Cloud Service Log Access
- Log Storage
- Search and Analysis
- Syntax and Rules
- Statistical Analysis (SQL)
- Quick Analysis
- SQL Syntax
- SQL Functions
- String Function
- Date and Time Functions
- IP Geographic Function
- URL Function
- Mathematical Calculation Functions
- Mathematical Statistical Function
- General Aggregate Function
- Geospatial Function
- Binary String Function
- Estimation Function
- Type Conversion Function
- Logical Function
- Operators
- Bitwise Operation
- Regular Expression Function
- Lambda Function
- Conditional Expressions
- Array Functions
- Interval-Valued Comparison and Periodicity-Valued Comparison Functions
- JSON Functions
- Window Functions
- Sampling Analysis
- Configuring Indexes
- Reindexing
- Context Search and Analysis
- Downloading Log
- Dashboard
- Data Processing documents
- Data Processing
- Creating Processing Task
- Viewing Data Processing Details
- Data Processing Functions
- Function Overview
- Key-Value Extraction Functions
- Enrichment Functions
- Flow Control
- Row Processing Functions
- Field Processing Functions
- Value Structuring Functions
- Regular Expression Processing Functions
- Time Value Processing Functions
- String Processing Functions
- Type Conversion Functions
- Logical and Mathematical Functions
- Encoding and Decoding Functions
- IP Parsing Functions
- Processing Cases
- Scheduled SQL Analysis
- SCF
- Data Processing
- Shipping and Consumption
- Monitoring Alarm
- Historical Documentation
- Best Practices
- Developer Guide
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Topic Management APIs
- Log Set Management APIs
- Index APIs
- Topic Partition APIs
- Machine Group APIs
- Collection Configuration APIs
- Log APIs
- Metric APIs
- Alarm Policy APIs
- Data Processing APIs
- Kafka Protocol Consumption APIs
- CKafka Shipping Task APIs
- Kafka Data Subscription APIs
- COS Shipping Task APIs
- SCF Delivery Task APIs
- Scheduled SQL Analysis APIs
- COS Data Import Task APIs
- Data Types
- Error Codes
- FAQs
- CLS Service Level Agreement
- CLS Policy
- Contact Us
- Glossary
Permission Description
Last updated: 2024-01-20 17:44:35
To enable CLS to ship logs to Cloud Object Storage (COS) or CKafka, you need to grant CLS the COS or CKafka write permission. That is, you need to grant the
QcloudCOSAccessForCLSRole or QcloudCKAFKAAccessForCLSRole policy permission to the unique service role CLS_QcsRole of CLS.This document describes how to grant collaborators or sub-accounts the permission to configure shipping tasks.
Granting Permissions in the Console
To enable collaborators or sub-accounts to configure a shipping task in the CLS console, you need to use the root account to grant them the necessary permissions as shown below:
Permission | Description | Use Case |
CLS preset policy: QcloudCLSFullAccess | The permission for collaborator or sub-account to operate CLS | The collaborator or sub-account must be authorized to operate CLS and configure shipping tasks |
CAM preset policy: QcloudCamSubaccountsAuthorizeRoleFullAccess | The permission for collaborator or sub-account to authorize the service role | When shipping logs to COS or CKafka, the collaborator or sub-account needs to confirm that the role is authorized with the CLS write permission to COS or CKafka, i.e., grant the service role CLS_QcsRole the policy permission QcloudCOSAccessForCLSRole or QcloudCKAFKAAccessForCLSRole |
COS API permission: GetService (or preset policy: QcloudCOSReadOnlyAccess) | The permission for collaborator or sub-account to obtain the COS bucket lists | To configure a task for shipping to COS in the CLS console, the collaborator or sub-account needs to obtain the COS bucket list, and then selects the destination bucket |
CKafka API permission: ListInstance, ListTopic (or preset policy: QcloudCkafkaReadOnlyAccess) | The permission for collaborator or sub-account to obtain CKafka resource list | To configure a task for shipping to CKafka in the CLS console, the collaborator or sub-account needs to obtain the CKafka resource list, and then selects the target CKafka instance topic |
Authorization by root account
1. Log in to the CAM console with the root account and choose Users > User List on the left sidebar.
2. On the User List page, click the target username to go to the user details page.
3. On the user details page, select Associate Policy.
4. In the User Permissions step on the Add Policy page, click Select policies from the policy list.
5. Select the preset policies, including
QcloudCLSFullAccess, QcloudCamSubaccountsAuthorizeRoleFullAccess, QcloudCOSReadOnlyAccess, or QcloudCkafkaReadOnlyAccess, for the collaborator or sub-account.Note:
The root account must complete the authorization process. Otherwise, the collaborator or sub-account cannot configure shipping tasks properly.
6. Click Next.
7. Confirm the configuration in the Review step and click OK.
Yes
No
Was this page helpful?