本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。 # 跟踪发送到 X-Ray **用户权限** 要启用向发送跟踪 AWS X-Ray,您必须使用以下权限登录。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "ReadWriteAccessForLogDeliveryActions", "Effect": "Allow", "Action": [ "logs:GetDelivery", "logs:GetDeliverySource", "logs:PutDeliveryDestination", "logs:GetDeliveryDestinationPolicy", "logs:DeleteDeliverySource", "logs:PutDeliveryDestinationPolicy", "logs:CreateDelivery", "logs:GetDeliveryDestination", "logs:PutDeliverySource", "logs:DeleteDeliveryDestination", "logs:DeleteDeliveryDestinationPolicy", "logs:DeleteDelivery", "logs:UpdateDeliveryConfiguration" ], "Resource": [ "arn:aws:logs:us-east-1:111122223333:delivery:*", "arn:aws:logs:us-east-1:111122223333:delivery-source:*", "arn:aws:logs:us-east-1:111122223333:delivery-destination:*" ] }, { "Sid": "ListAccessForLogDeliveryActions", "Effect": "Allow", "Action": [ "logs:DescribeDeliveryDestinations", "logs:DescribeDeliverySources", "logs:DescribeDeliveries", "logs:DescribeConfigurationTemplates" ], "Resource": "*" }, { "Sid": "AllowUpdatesToResourcePolicyXRay", "Effect": "Allow", "Action": [ "xray:PutResourcePolicy", "xray:ListResourcePolicies", "xray:GetTraceSegmentDestination" ], "Resource": "*" } ] } ``` ------ **X-Ray 资源策略** 接收跟踪的目标账户必须具有包含特定权限的资源策略。当设置跟踪的用户在账户中拥有`xray:PutResourcePolicy`和`xray:ListResourcePolicies`权限时,当您开始向 X-Ray 发送跟踪时, AWS 会自动创建资源策略。创建的策略取决于源服务: **Amazon Bedrock AgentCore resources** AWS 为每种资源类型创建一个资源策略。该政策使用范围限于账户边界的通配符模式,涵盖账户中相同 Amazon Bedrock AgentCore 资源类型的所有资源。例如,如果启用了*Amazon Bedrock AgentCore内存*资源以进行跟踪传输,则该策略将涵盖该账户中的所有内存资源,包括将来创建的任何内存资源。 **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": "xray:PutTraceSegments", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "123456789012" }, "ForAllValues:ArnLike": { "logs:LogGeneratingResourceArns": "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/*" }, "ArnLike": { "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:*" } } } ] } ``` **其他 AWS 服务** 对于支持跟踪交付的其他服务,请 AWS 创建范围限于特定源资源的资源策略。 **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": "xray:PutTraceSegments", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "123456789012" }, "ForAllValues:ArnLike": { "logs:LogGeneratingResourceArns": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/KnowledgeBaseId" }, "ArnLike": { "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:xray-test" } } } ] } ``` **启用交易搜索** 要将跟踪发送到 X-Ray,您必须启用[事务搜索](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Enable-Lambda-TransactionSearch.html)。