本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
傳送至 X-Ray 的追蹤
使用者許可
若要啟用傳送追蹤到 AWS X-Ray,您必須使用下列許可登入。
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadWriteAccessForLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:GetDelivery",
"logs:GetDeliverySource",
"logs:PutDeliveryDestination",
"logs:GetDeliveryDestinationPolicy",
"logs:DeleteDeliverySource",
"logs:PutDeliveryDestinationPolicy",
"logs:CreateDelivery",
"logs:GetDeliveryDestination",
"logs:PutDeliverySource",
"logs:DeleteDeliveryDestination",
"logs:DeleteDeliveryDestinationPolicy",
"logs:DeleteDelivery",
"logs:UpdateDeliveryConfiguration"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:delivery:*",
"arn:aws:logs:us-east-1:111122223333:delivery-source:*",
"arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
]
},
{
"Sid": "ListAccessForLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:DescribeDeliveryDestinations",
"logs:DescribeDeliverySources",
"logs:DescribeDeliveries",
"logs:DescribeConfigurationTemplates"
],
"Resource": "*"
},
{
"Sid": "AllowUpdatesToResourcePolicyXRay",
"Effect": "Allow",
"Action": [
"xray:PutResourcePolicy",
"xray:ListResourcePolicies",
"xray:GetTraceSegmentDestination"
],
"Resource": "*"
}
]
}
X-Ray 資源政策
正在傳送追蹤的目的地帳戶必須具有包含特定許可的資源政策。當設定追蹤的使用者在帳戶中具有 xray:PutResourcePolicy和 xray:ListResourcePolicies許可時,當您開始將追蹤傳送至 X-Ray 時 AWS , 會自動建立資源政策。建立的政策取決於來源服務 :
- Amazon Bedrock AgentCore 資源
-
AWS 會為每個資源類型建立一個資源政策。此政策使用範圍為帳戶界限的萬用字元模式,涵蓋帳戶中相同 Amazon Bedrock AgentCore 資源類型的所有資源。例如,如果啟用 Amazon Bedrock AgentCore 記憶體資源進行追蹤交付,政策會涵蓋該帳戶中的所有記憶體資源,包括未來建立的任何記憶體資源。
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "xray:PutTraceSegments",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
},
"ForAllValues:ArnLike": {
"logs:LogGeneratingResourceArns": "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/*"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:*"
}
}
}
]
}
- AWS 其他服務
-
對於支援追蹤交付的其他 服務, AWS 會建立範圍限定於特定來源資源的資源政策。
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "xray:PutTraceSegments",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
},
"ForAllValues:ArnLike": {
"logs:LogGeneratingResourceArns": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/KnowledgeBaseId"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:xray-test"
}
}
}
]
}
啟用交易搜尋
若要啟用傳送追蹤到 X-Ray,您必須啟用交易搜尋。
