

This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

# Permissions required for the integration
<a name="OpenSearch-Dashboards-CreateRole"></a>

If you create the IAM role for the integration yourself instead of letting CloudWatch Logs create it, the role must include the following permissions, plus a trust policy that lets the service assume it. For more information about creating IAM roles, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).

#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudWatchLogsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery",
        "logs:GetLogGroupFields",
        "logs:GetQueryResults"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CloudWatchLogsDescribeLogGroupsAccess",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonOpenSearchCollectionAccess",
      "Effect": "Allow",
      "Action": [
        "aoss:APIAccessAll"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aoss:collection": "cloudwatch-logs-*"
        }
      }
    }
  ]
}
```


**Note**  
The preceding role grants permission to read every log group in the account, so you can create dashboards for any log group, including cross-account log groups shared into the account. If you want to restrict access to specific log groups and create dashboards only for those, replace the first statement in the policy with the following. Both ARN forms are needed: the bare log-group ARN and the `:*` form that covers its log streams. Before scoping, confirm in the Service Authorization Reference for CloudWatch Logs that each action in the statement supports resource-level permissions; an action that lists no resource type must stay in a statement whose `Resource` is `"*"`, which is why `logs:DescribeLogGroups` sits in its own statement above.  

```
{
  "Sid": "CloudWatchLogsAccess",
  "Effect": "Allow",
  "Action": [
    "logs:StartQuery",
    "logs:GetLogGroupFields",
    "logs:GetQueryResults"
  ],
  "Resource": [
    "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup:*",
    "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup"
  ]
}
```
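The following is an added example, not code from AWS or from this page. It assembles the policy shown above, swaps the first statement for the log-group-scoped version the note describes, and runs a deliberately minimal Allow-only evaluator over both so you can see which requests the scoped policy still permits and which it now rejects. The account ID `123456789012`, region `us-east-1` and log group `myLogGroup` are the page's placeholders; the collection names used in the checks are assumptions. The evaluator understands only `Effect`/`Action`/`Resource` and the `StringLike` operator with IAM's `*` and `?` wildcards; real IAM evaluation also handles `Deny`, `NotAction`, policy variables and resource policies, so use the IAM policy simulator for anything authoritative.

```python
"""Build the integration role policy and check what it allows (added example)."""
import copy
import json
import re

# The three-statement policy from the page, verbatim.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchLogsAccess",
            "Effect": "Allow",
            "Action": ["logs:StartQuery", "logs:GetLogGroupFields", "logs:GetQueryResults"],
            "Resource": ["*"],
        },
        {
            "Sid": "CloudWatchLogsDescribeLogGroupsAccess",
            "Effect": "Allow",
            "Action": ["logs:DescribeLogGroups"],
            "Resource": "*",
        },
        {
            "Sid": "AmazonOpenSearchCollectionAccess",
            "Effect": "Allow",
            "Action": ["aoss:APIAccessAll"],
            "Resource": "*",
            "Condition": {"StringLike": {"aoss:collection": "cloudwatch-logs-*"}},
        },
    ],
}


def _iam_glob_to_regex(pattern):
    """IAM wildcards: '*' matches any run of characters, '?' one character; all else literal."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def _matches(patterns, value):
    """True if any pattern (string or list of strings) matches the value."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_iam_glob_to_regex(p).match(value) for p in patterns)


def log_group_resources(region, account_id, log_group_names):
    """Both ARN forms the note requires: the log group itself and ':*' for its streams."""
    arns = []
    for name in log_group_names:
        base = f"arn:aws:logs:{region}:{account_id}:log-group:{name}"
        arns.extend([base, base + ":*"])
    return arns


def build_scoped_policy(region, account_id, log_group_names):
    """Copy BASE_POLICY and restrict the CloudWatchLogsAccess statement to the given log groups."""
    policy = copy.deepcopy(BASE_POLICY)
    for stmt in policy["Statement"]:
        if stmt["Sid"] == "CloudWatchLogsAccess":
            stmt["Resource"] = log_group_resources(region, account_id, log_group_names)
    return policy


def is_allowed(policy, action, resource, context=None):
    """Allow-only evaluator: True if some Allow statement matches action, resource
    and every StringLike condition key (a key missing from the request context fails)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(k in context and _matches(v, context[k]) for k, v in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    scoped = build_scoped_policy("us-east-1", "123456789012", ["myLogGroup"])
    print(json.dumps(scoped, indent=2))
```

Run it to print the scoped policy ready to paste into the role. The evaluator shows the effect of the swap: with the base policy `logs:StartQuery` succeeds on any log group, while with the scoped policy only `myLogGroup` and its streams match, and `aoss:APIAccessAll` is granted only when the request carries an `aoss:collection` value that matches `cloudwatch-logs-*`.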