跟踪发送到 X-Ray
用户权限
要将跟踪发送到 AWS X-Ray,您必须使用以下权限登录。
- JSON
-
-
{ "Version":"2012-10-17", "Statement": [ { "Sid": "ReadWriteAccessForLogDeliveryActions", "Effect": "Allow", "Action": [ "logs:GetDelivery", "logs:GetDeliverySource", "logs:PutDeliveryDestination", "logs:GetDeliveryDestinationPolicy", "logs:DeleteDeliverySource", "logs:PutDeliveryDestinationPolicy", "logs:CreateDelivery", "logs:GetDeliveryDestination", "logs:PutDeliverySource", "logs:DeleteDeliveryDestination", "logs:DeleteDeliveryDestinationPolicy", "logs:DeleteDelivery", "logs:UpdateDeliveryConfiguration" ], "Resource": [ "arn:aws:logs:us-east-1:111122223333:delivery:*", "arn:aws:logs:us-east-1:111122223333:delivery-source:*", "arn:aws:logs:us-east-1:111122223333:delivery-destination:*" ] }, { "Sid": "ListAccessForLogDeliveryActions", "Effect": "Allow", "Action": [ "logs:DescribeDeliveryDestinations", "logs:DescribeDeliverySources", "logs:DescribeDeliveries", "logs:DescribeConfigurationTemplates" ], "Resource": "*" }, { "Sid": "AllowUpdatesToResourcePolicyXRay", "Effect": "Allow", "Action": [ "xray:PutResourcePolicy", "xray:ListResourcePolicies" ], "Resource": "*" } ] }
X-Ray 资源策略
接收跟踪的目标账户必须具有包含特定权限的资源策略。当 X-Ray 当前没有资源策略,并且设置跟踪的用户在账户中拥有 xray:PutResourcePolicy 和 xray:ListResourcePolicies 权限时,AWS 将在您开始向 X-Ray 发送跟踪时自动创建以下策略。
- JSON
-
-
{ "Version":"2012-10-17", "Statement": [ { "Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": "xray:PutTraceSegments", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "123456789012" }, "ForAllValues:ArnLike": { "logs:LogGeneratingResourceArns": "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/MemoryId" }, "ArnLike": { "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:xray-test" } } } ] }
启用事务搜索
要将跟踪发送到 X-Ray,您必须启用事务搜索。
日志发送至 Firehose
服务特定的权限