
Manage Environment Operations Authorization

While an AutoMQ Cloud BYOC environment is running, it produces system logs, metrics, and similar operational data. To monitor the stability of the environment and carry out fault self-healing, the AutoMQ service provider needs the user to grant a narrowly scoped operational authorization, described below.

In this article, references to AutoMQ product service providers, AutoMQ service providers, or AutoMQ specifically refer to AutoMQ HK Limited.

Authorization Principle

During the operation of the AutoMQ Cloud BYOC environment, system logs, inspection logs, and system metrics data will be generated by the environment console and the AutoMQ data plane cluster. This data will be automatically uploaded to the maintenance bucket specified by the user when the environment is created.

AutoMQ service providers need the user's cloud account authorization for read access to the maintenance bucket so that the AutoMQ operations platform can monitor the stability and perform fault self-healing on the user's cluster.

The authorization operation is completed through the bucket authorization policy provided by the cloud provider's object storage. The user, as the bucket owner, grants the AutoMQ service provider's cloud account read access to the specified maintenance bucket.

The detailed read permissions to be granted are as follows:

Cloud Provider: Alibaba Cloud

AutoMQ Service Provider Cloud Account ID: 1431115939942888

List of Granted Permissions:
  • Authorized Resources: the maintenance Bucket of the specified environment
  • Authorized Operations:
    • oss:GetObject
    • oss:GetObjectAcl
    • oss:ListObjects
    • oss:RestoreObject
    • oss:GetVodPlaylist
    • oss:ListObjectVersions
    • oss:GetObjectVersion
    • oss:GetObjectVersionAcl
    • oss:RestoreObjectVersion

Maintenance Authorization Declaration:

The AutoMQ service provider only reads data from the maintenance bucket and performs no write operations. The permission list above contains no write actions, so this is enforced by the bucket policy itself rather than relying on the declaration alone.

The maintenance bucket stores only system logs and metrics data; it does not contain user business messages or any other user data, so the grant does not expose message content. Before creating the policy, confirm that the bucket you are authorizing is the environment's maintenance bucket and not the cluster's data bucket.

Authorized Operations

Alibaba Cloud Environment Authorization

Alibaba Cloud OSS provides a web interface with simplified authorization templates, so the user does not have to write the authorization policy by hand.

Operation Steps

Log in with the cloud account that owns the maintenance Bucket, or with a RAM user (sub-account) that is permitted to manage bucket policies, and open the OSS Console:

  1. Go to the Bucket list page and find the target Bucket. In the OSS Console, click Bucket List in the left navigation bar to open the list page, search for the maintenance Bucket configured for the current environment, and click its name to open the details page.
  2. Open the permission control menu and find Bucket Authorization Policy. Click Bucket Authorization Policy to open the form for a new authorization.
  3. Fill in the authorization information and create the Bucket authorization policy. Fill in the fields as described below, then click Confirm to create the policy.

    • Authorized Resource: Select the entire Bucket.

    • Resource Path: Confirm that the path shown is the current environment's maintenance Bucket.

    • Authorized User: Select "Other account" and enter the AutoMQ service provider cloud account ID listed above.

    • Authorized Operation: Choose the simple settings and select Read-only (including the ListObject operation).
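The console template produces a bucket policy document, and the policy, not the console form, is what actually bounds the grant. The script below is an added example, not code from the original page or from AutoMQ: it assembles the policy that the read-only template is assumed to generate (the `Version`/`Statement`/`Principal`/`Resource` layout is the standard OSS bucket policy shape; the account owner UID `123456789012` and bucket name `automq-ops-bucket` are constructed placeholders) and then audits an arbitrary policy to confirm that every Allow statement reaching the AutoMQ account uses only the actions listed on this page and only the maintenance bucket as its resource. The audit is generic: it also flags a wildcard principal, a wildcard resource, or a write action such as `oss:PutObject` that someone might add later.

```python
"""Build and audit an Alibaba Cloud OSS bucket policy granting AutoMQ read-only access.

Added example; not AutoMQ's own code. The policy document layout is the standard OSS
bucket policy shape; owner UID and bucket name used in the demo are placeholders.
"""
import json

# Read-only action set listed on this page (the console's read-only template).
AUTOMQ_READ_ONLY_ACTIONS = frozenset({
    "oss:GetObject", "oss:GetObjectAcl", "oss:ListObjects", "oss:RestoreObject",
    "oss:GetVodPlaylist", "oss:ListObjectVersions", "oss:GetObjectVersion",
    "oss:GetObjectVersionAcl", "oss:RestoreObjectVersion",
})
AUTOMQ_ACCOUNT_ID = "1431115939942888"  # AutoMQ service provider account from the table above


def bucket_resources(owner_uid: str, bucket: str) -> set[str]:
    """Bucket-level and object-level ARNs for one bucket (region wildcarded)."""
    return {f"acs:oss:*:{owner_uid}:{bucket}", f"acs:oss:*:{owner_uid}:{bucket}/*"}


def build_policy(owner_uid: str, bucket: str, principal: str = AUTOMQ_ACCOUNT_ID) -> dict:
    """Return the policy the read-only template is assumed to generate for `principal`."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(AUTOMQ_READ_ONLY_ACTIONS),
            "Principal": [principal],
            "Resource": sorted(bucket_resources(owner_uid, bucket)),
        }],
    }


def _as_list(value) -> list:
    """OSS accepts a string or a list for Action/Principal/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, owner_uid: str, maintenance_bucket: str,
                 principal: str = AUTOMQ_ACCOUNT_ID) -> list[str]:
    """Return findings for every Allow statement that reaches `principal`.

    An empty list means the account is granted only the read-only action set and
    only on the maintenance bucket. Deny statements are ignored: they can only narrow.
    """
    findings: list[str] = []
    allowed_resources = bucket_resources(owner_uid, maintenance_bucket)
    saw_grant = False
    for i, st in enumerate(policy.get("Statement", [])):
        principals = _as_list(st.get("Principal", []))
        if principal not in principals and "*" not in principals:
            continue  # statement does not apply to the AutoMQ account
        if st.get("Effect") != "Allow":
            continue
        saw_grant = True
        if "*" in principals:
            findings.append(f"statement {i}: principal '*' grants every account, not only {principal}")
        for action in _as_list(st.get("Action", [])):
            if action not in AUTOMQ_READ_ONLY_ACTIONS:  # catches oss:Put*, oss:*, oss:DeleteObject ...
                findings.append(f"statement {i}: action {action!r} is outside the read-only set")
        for res in _as_list(st.get("Resource", [])):
            if res not in allowed_resources:  # catches other buckets and acs:oss:*:uid:* wildcards
                findings.append(f"statement {i}: resource {res!r} is not the maintenance bucket")
    if not saw_grant:
        findings.append(f"no Allow statement grants {principal} access to {maintenance_bucket}")
    return findings


if __name__ == "__main__":
    owner, bucket = "123456789012", "automq-ops-bucket"  # constructed placeholders
    good = build_policy(owner, bucket)
    print(json.dumps(good, indent=2))
    print("findings (expected none):", audit_policy(good, owner, bucket))

    # Constructed over-broad policy: a write action and a whole-account wildcard resource.
    broad = json.loads(json.dumps(good))
    broad["Statement"][0]["Action"].append("oss:PutObject")
    broad["Statement"][0]["Resource"] = [f"acs:oss:*:{owner}:*"]
    for finding in audit_policy(broad, owner, bucket):
        print("FINDING:", finding)
```

To audit the policy you actually created, paste the JSON shown on the Bucket Authorization Policy page into `audit_policy` with your own owner UID and bucket name; a clean run returns an empty list, and any output line names the statement and the action or resource that widens the grant beyond what this page requires.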