Manage Environment Ops Authing

When using the AutoMQ Cloud BYOC product, system logs, metrics, and other data are generated at the underlying level of the BYOC environment. The AutoMQ service provider requires the user to provide corresponding operational authorization for system stability monitoring and self-healing maintenance operations.

In this article, the terms AutoMQ product service provider, AutoMQ service provider, and AutoMQ specifically refer to AutoMQ HK Limited.

Authorization Principle

The operational authorization of AutoMQ includes two scenarios:

1. Scenario 1: System monitoring and alerts, requiring read permissions. During the operation of the AutoMQ Cloud BYOC environment, system logs, inspection logs, and system metrics data are generated by the environment console and the AutoMQ data plane cluster. This data is automatically uploaded to the operational bucket specified when the user creates the environment. The AutoMQ service provider needs the user’s cloud account to authorize read permissions for this operational bucket. This allows the AutoMQ operational platform to monitor the stability and perform self-healing of the user’s cluster.

2. Scenario 2: Subscription license dynamic updates and new version updates, requiring write permissions. When the subscription license of the AutoMQ BYOC environment triggers renewal, scaling, or new version releases, the control components within the environment need to perceive the new subscription information and the metadata of the new version. At this point, the AutoMQ service provider writes the new information to the operational bucket, and the environment console dynamically loads it.

The authorization operation is completed through the bucket authorization policy provided by the cloud provider’s object storage. The user, as the bucket owner, grants the AutoMQ service provider's cloud account the permission to read the specified operational bucket.

The details of the required read permissions are as follows:

Cloud Providers	AutoMQ Service Provider Cloud Account ID	Granted Permissions List
Alibaba Cloud	1431115939942888	Authorized Resource: Maintenance Bucket for the specified environment Authorized Operations: Read and write permissions for the bucket.
AWS	381492316447	Authorized Resource: Maintenance Bucket for the specified environment Authorized Operations: s3:GetObject s3:GetObjectVersion s3:GetObjectAcl s3:GetObjectTagging s3:GetObjectVersionAcl s3:GetObjectVersionTagging s3:ListBucket s3:ListBucketVersions s3:ListBucketMultipartUpload s3:PutObject
Huawei Cloud	2ef0b956b1524da8a0cdd6e11c65625f/*	Authorized Resource: Maintenance Bucket for the specified environment Authorized Operations: Read and write permissions for the bucket.
Tencent Cloud	100005712758	Authorized Resource: Maintenance Bucket for the specified environment Authorized Operations: Read and write (including List Object) permissions for the bucket.
GCP	automq-public-ops-authing@automq-public.iam.gserviceaccount.com	Storage Object User role

Environmental Maintenance Authorization Statement:

The maintenance bucket must be isolated from the data bucket and other application buckets used, storing only system logs and metrics data. It does not contain user business messages or other data, ensuring no data security risk.

Authorization Operation

Since the control panels of object storage products vary among different cloud providers, the steps for granting operation authorization also differ. Please refer to the documentation listed below for detailed steps:

• Set Ops Authing from Alibaba Cloud▸

• Set Ops Authing from AWS▸

• Set Ops Authing from Google Cloud▸

• Set Ops Authing from Tecent Cloud▸

• Set Ops Authing from Huawei Cloud▸