
Traces sent to X-Ray - Amazon CloudWatch Logs


Traces sent to X-Ray

User permissions

To enable sending traces to AWS X-Ray, you must be signed in with the following permissions.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteAccessForLogDeliveryActions",
      "Effect": "Allow",
      "Action": [
        "logs:GetDelivery",
        "logs:GetDeliverySource",
        "logs:PutDeliveryDestination",
        "logs:GetDeliveryDestinationPolicy",
        "logs:DeleteDeliverySource",
        "logs:PutDeliveryDestinationPolicy",
        "logs:CreateDelivery",
        "logs:GetDeliveryDestination",
        "logs:PutDeliverySource",
        "logs:DeleteDeliveryDestination",
        "logs:DeleteDeliveryDestinationPolicy",
        "logs:DeleteDelivery",
        "logs:UpdateDeliveryConfiguration"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:111122223333:delivery:*",
        "arn:aws:logs:us-east-1:111122223333:delivery-source:*",
        "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
      ]
    },
    {
      "Sid": "ListAccessForLogDeliveryActions",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeDeliveryDestinations",
        "logs:DescribeDeliverySources",
        "logs:DescribeDeliveries",
        "logs:DescribeConfigurationTemplates"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUpdatesToResourcePolicyXRay",
      "Effect": "Allow",
      "Action": [
        "xray:PutResourcePolicy",
        "xray:ListResourcePolicies",
        "xray:GetTraceSegmentDestination"
      ],
      "Resource": "*"
    }
  ]
}

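X-Ray resource policy

The destination account that receives the traces must have a resource policy that contains specific permissions. When the user who sets up tracing has the xray:PutResourcePolicy and xray:ListResourcePolicies permissions in the account, AWS automatically creates the resource policy when you start sending traces to X-Ray. The policy that is created depends on the source service: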

Amazon Bedrock AgentCore resources

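AWS creates one resource policy for each resource type. The policy uses a wildcard pattern scoped to the account boundary and covers all resources of the same Amazon Bedrock AgentCore resource type in the account. For example, if an Amazon Bedrock AgentCore memory resource is enabled for trace delivery, the policy covers all memory resources in the account, including any memory resources created in the future.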

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "xray:PutTraceSegments",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        },
        "ForAllValues:ArnLike": {
          "logs:LogGeneratingResourceArns": "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/*"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:*"
        }
      }
    }
  ]
}

Other AWS services

For other services that support trace delivery, AWS creates a resource policy scoped to the specific source resource.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "xray:PutTraceSegments",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        },
        "ForAllValues:ArnLike": {
          "logs:LogGeneratingResourceArns": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/KnowledgeBaseId"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:xray-test"
        }
      }
    }
  ]
}
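Added example, not part of the AWS documentation: a small Python check that reads an X-Ray resource policy document and reports whether each delivery.logs.amazonaws.com statement pins the three condition keys shown in the policies above to the account, and whether a resource pattern matches by wildcard as the AgentCore policy does. The function names, the FAIL/WIDE labels and the sample documents are assumptions constructed for this example.

```python
import json

DELIVERY = "delivery.logs.amazonaws.com"

def _values(cond, op, key):
    """Condition values for operator/key as a list (IAM allows str or list)."""
    v = cond.get(op, {}).get(key, [])
    return [v] if isinstance(v, str) else list(v)

def _account_of(arn):
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    return parts[4] if len(parts) == 6 else None

def audit(policy_json, account_id):
    """Return (severity, message) findings for the log-delivery statements."""
    findings = []
    stmts = json.loads(policy_json).get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        principal = s.get("Principal")
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        if s.get("Effect") != "Allow" or DELIVERY not in ([svc] if isinstance(svc, str) else svc):
            continue  # not an Allow for the log delivery service
        cond, sid = s.get("Condition", {}), s.get("Sid", "<no Sid>")
        if _values(cond, "StringEquals", "aws:SourceAccount") != [account_id]:
            findings.append(("FAIL", f"{sid}: aws:SourceAccount not pinned to {account_id}"))
        for op, key in (("ArnLike", "aws:SourceArn"),
                        ("ForAllValues:ArnLike", "logs:LogGeneratingResourceArns")):
            arns = _values(cond, op, key)
            if not arns:
                findings.append(("FAIL", f"{sid}: condition {key} is missing"))
            for arn in arns:
                if _account_of(arn) != account_id:
                    findings.append(("FAIL", f"{sid}: {key} {arn} is outside the account"))
                elif set("*?") & set(arn.split(":", 5)[5]):
                    findings.append(("WIDE", f"{sid}: {key} {arn} matches by wildcard"))
    return findings

# Constructed samples: the AgentCore policy shown above, and a statement with no conditions.
AGENTCORE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
    "Principal": {"Service": DELIVERY}, "Action": "xray:PutTraceSegments", "Resource": "*",
    "Condition": {
        "StringEquals": {"aws:SourceAccount": "123456789012"},
        "ForAllValues:ArnLike": {"logs:LogGeneratingResourceArns":
            "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/*"},
        "ArnLike": {"aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:*"}}}]})
UNSCOPED = json.dumps({"Statement": {"Sid": "Open", "Effect": "Allow",
    "Principal": {"Service": DELIVERY}, "Action": "xray:PutTraceSegments", "Resource": "*"}})

if __name__ == "__main__": print(*audit(AGENTCORE, "123456789012"), sep="\n")
```

A WIDE finding on the AgentCore policy is expected, since AWS creates it with account-scoped wildcards; a FAIL means a condition key is absent or points outside the account being audited.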

Enable Transaction Search

To send traces to X-Ray, you must enable Transaction Search.