Identity and access management

BLS

  • Function Release Records
  • Product Description
    • Usage restrictions
    • Product Introduction
  • Product pricing
  • Quick Start
    • Introduction
    • Install agent
    • Create LogStore
    • Create Transmission Task
    • Log Analysis and Alerting
    • Create Delivery Task
  • Operation guide
    • Baidu Intelligent Cloud Environment Preparation
    • Overview
    • Identity and access management
    • Logset Management
    • Agent
      • Install Agent on Host
      • Install Agent in K8s Environment
      • Agent Management
      • Agent Release Version
      • Set Agent Startup Parameters
    • Log Collection
      • Transmission Task Collection
        • Create Transmission Task
        • Manage Transmission Task
      • Uploading Logs Using Kafka Protocol
    • Query analysis
      • Log query
      • SQL Syntax
      • Search Syntax
    • Dashboard
      • Overview
      • Management Dashboard
      • Management Dashboard Charts
    • Alarm management
      • Alert Overview
      • Alarm strategy
        • Management alarm strategy
        • Trigger conditions
      • Alarm history
      • Alert execution statistics
      • Alarm notification
        • Alarm Notification Template
        • Alarm callback
    • Data processing
      • Log Delivery
        • Log Delivery Overview
        • Create Delivery Task
        • Manage Delivery Task
      • Scheduled SQL Analysis
        • Manage Scheduled SQL Analysis Task
        • Create Scheduled SQL Analysis Task
      • Real-Time Consumption
      • Data processing
        • Data processing
          • Overview of data processing functions
          • Process control function
          • Mapping enrichment functions
          • Event operation functions
          • Field operation functions
          • Field value extraction functions
    • Log Applications
      • Intelligent Diagnostics
  • Best Practices
    • Use Year-Over-Year and Month-Over-Month as Alert Trigger Conditions
    • BLS Integration with Kibana
    • Use BLS via Grafana
  • Development Guide
    • API Reference
      • API function release records
      • API Overview
      • Interface Overview
      • General Description
      • Service domain
      • Common error codes
      • Terminology
      • Project Related APIs
        • Create Project
        • Update Project
        • Describe Project
        • Delete Project
        • List Project
      • LogStore Related APIs
        • Create LogStore
        • Update LogStore
        • Delete LogStore
        • Describe LogStore
        • Batch Get LogStore
        • List LogStore
      • LogStream Related APIs
        • List LogStream
      • LogRecord Related APIs
        • Push log PushLogRecord
        • Obtain logrecord PullLogRecord
        • Search analysis log QueryLogRecord
        • Histogram API QueryLogHistogram
      • Fast Query FastQuery Related Interfaces
        • Create Fast Query CreateFastQuery
        • Update Fast Query UpdateFastQuery
        • Delete Fast Query DeleteFastQuery
        • Get Fast Query Details DescribeFastQuery
        • Get Fast Query List ListFastQuery
      • Index Related APIs
        • Create Index
        • Update Index
        • Delete Index
        • Describe Index
      • Log Shipper LogShipper Related Interfaces
        • Create Log Shipper
        • Update Log Shipper
        • Set Single Log Shipper Status
        • Delete Single Log Shipper
        • Bulk Delete Log Shipper
        • List Log Shipper Records
        • List Log Shipper
        • Bulk Set Log Shipper Status
        • Get Log Shipper
      • Alarm-Related Interfaces
        • CreateAlarmPolicy
        • UpdateAlarmPolicy
        • DeleteAlarmPolicy
        • ValidateAlarmCondition
        • ValidateAlarmPolicySQL
        • EnableAlarmPolicy
        • DescribeAlarmRecord
        • DisableAlarmPolicy
        • DescribeAlarmPolicy
        • ListAlarmPolicy
        • ListAlarmRecord
        • ListAlarmExecutionStats
        • ListAlarmExecutions
      • LogStore Template-Related Interfaces
        • CreateLogStoreTemplate
        • UpdateLogStoreTemplate
        • DeleteLogStoreTemplates
        • DescribeLogStoreTemplates
        • DescribeLogStoreTemplate
      • Download Log Download Related Interfaces
        • Create Download Task CreateDownloadTask
        • Get Download Task List ListDownloadTask
        • Delete Download Task DeleteDownloadTask
        • Get Download Task Address GetDownloadTaskLink
        • Get Download Task Details DescribeDownloadTask
      • LogAlarm Related Interfaces
        • SetLogAlarmStatus
        • deleteLogAlarm
        • createLogAlarm
        • listLogAlarm
        • updateLogAlarm
        • BulkDeleteLogAlarm
        • PreviewAlarmLogRecord
        • getLogAlarm
        • BulkSetLogAlarmStatus
      • Transmission Task Related Interfaces
        • Create Task CreateTask
        • UpdateTask
      • Interfaces Compatible with Elasticsearch
        • ResolveIndex
        • FieldCaps
        • TermsEnum
        • AsyncSearch
    • SDK Reference
      • Go SDK
        • Overview
        • Initialization
        • Version Release Records
        • Project Operations
        • LogStore Operations
        • Install the SDK Package
        • LogStream Operations
        • LogRecord Operations
        • FastQuery Operations
        • LogShipper Operations
        • Index Operations
        • Download Task Operations
      • Java SDK
        • Overview
        • Install the SDK Package
        • LogRecord Operations
      • iOS SDK
        • Overview
        • Quick start
        • Version Release Records
      • Android SDK
        • Overview
        • Quick start
        • Version Release Records
      • Android & iOS SDK Download
      • SDK Privacy Policy
      • SDK Developer Personal Information Protection Compliance Guide
    • Importing SLS Collection Configuration
  • FAQs
    • Common Questions Overview
    • Fault-related questions
    • Configuration-related questions
  • Log Service Level Agreement SLA
All documents
menu
No results found, please re-enter

BLS

  • Function Release Records
  • Product Description
    • Usage restrictions
    • Product Introduction
  • Product pricing
  • Quick Start
    • Introduction
    • Install agent
    • Create LogStore
    • Create Transmission Task
    • Log Analysis and Alerting
    • Create Delivery Task
  • Operation guide
    • Baidu Intelligent Cloud Environment Preparation
    • Overview
    • Identity and access management
    • Logset Management
    • Agent
      • Install Agent on Host
      • Install Agent in K8s Environment
      • Agent Management
      • Agent Release Version
      • Set Agent Startup Parameters
    • Log Collection
      • Transmission Task Collection
        • Create Transmission Task
        • Manage Transmission Task
      • Uploading Logs Using Kafka Protocol
    • Query analysis
      • Log query
      • SQL Syntax
      • Search Syntax
    • Dashboard
      • Overview
      • Management Dashboard
      • Management Dashboard Charts
    • Alarm management
      • Alert Overview
      • Alarm strategy
        • Management alarm strategy
        • Trigger conditions
      • Alarm history
      • Alert execution statistics
      • Alarm notification
        • Alarm Notification Template
        • Alarm callback
    • Data processing
      • Log Delivery
        • Log Delivery Overview
        • Create Delivery Task
        • Manage Delivery Task
      • Scheduled SQL Analysis
        • Manage Scheduled SQL Analysis Task
        • Create Scheduled SQL Analysis Task
      • Real-Time Consumption
      • Data processing
        • Data processing
          • Overview of data processing functions
          • Process control function
          • Mapping enrichment functions
          • Event operation functions
          • Field operation functions
          • Field value extraction functions
    • Log Applications
      • Intelligent Diagnostics
  • Best Practices
    • Use Year-Over-Year and Month-Over-Month as Alert Trigger Conditions
    • BLS Integration with Kibana
    • Use BLS via Grafana
  • Development Guide
    • API Reference
      • API function release records
      • API Overview
      • Interface Overview
      • General Description
      • Service domain
      • Common error codes
      • Terminology
      • Project Related APIs
        • Create Project
        • Update Project
        • Describe Project
        • Delete Project
        • List Project
      • LogStore Related APIs
        • Create LogStore
        • Update LogStore
        • Delete LogStore
        • Describe LogStore
        • Batch Get LogStore
        • List LogStore
      • LogStream Related APIs
        • List LogStream
      • LogRecord Related APIs
        • Push log PushLogRecord
        • Obtain logrecord PullLogRecord
        • Search analysis log QueryLogRecord
        • Histogram API QueryLogHistogram
      • Fast Query FastQuery Related Interfaces
        • Create Fast Query CreateFastQuery
        • Update Fast Query UpdateFastQuery
        • Delete Fast Query DeleteFastQuery
        • Get Fast Query Details DescribeFastQuery
        • Get Fast Query List ListFastQuery
      • Index Related APIs
        • Create Index
        • Update Index
        • Delete Index
        • Describe Index
      • Log Shipper LogShipper Related Interfaces
        • Create Log Shipper
        • Update Log Shipper
        • Set Single Log Shipper Status
        • Delete Single Log Shipper
        • Bulk Delete Log Shipper
        • List Log Shipper Records
        • List Log Shipper
        • Bulk Set Log Shipper Status
        • Get Log Shipper
      • Alarm-Related Interfaces
        • CreateAlarmPolicy
        • UpdateAlarmPolicy
        • DeleteAlarmPolicy
        • ValidateAlarmCondition
        • ValidateAlarmPolicySQL
        • EnableAlarmPolicy
        • DescribeAlarmRecord
        • DisableAlarmPolicy
        • DescribeAlarmPolicy
        • ListAlarmPolicy
        • ListAlarmRecord
        • ListAlarmExecutionStats
        • ListAlarmExecutions
      • LogStore Template-Related Interfaces
        • CreateLogStoreTemplate
        • UpdateLogStoreTemplate
        • DeleteLogStoreTemplates
        • DescribeLogStoreTemplates
        • DescribeLogStoreTemplate
      • Download Log Download Related Interfaces
        • Create Download Task CreateDownloadTask
        • Get Download Task List ListDownloadTask
        • Delete Download Task DeleteDownloadTask
        • Get Download Task Address GetDownloadTaskLink
        • Get Download Task Details DescribeDownloadTask
      • LogAlarm Related Interfaces
        • SetLogAlarmStatus
        • deleteLogAlarm
        • createLogAlarm
        • listLogAlarm
        • updateLogAlarm
        • BulkDeleteLogAlarm
        • PreviewAlarmLogRecord
        • getLogAlarm
        • BulkSetLogAlarmStatus
      • Transmission Task Related Interfaces
        • Create Task CreateTask
        • UpdateTask
      • Interfaces Compatible with Elasticsearch
        • ResolveIndex
        • FieldCaps
        • TermsEnum
        • AsyncSearch
    • SDK Reference
      • Go SDK
        • Overview
        • Initialization
        • Version Release Records
        • Project Operations
        • LogStore Operations
        • Install the SDK Package
        • LogStream Operations
        • LogRecord Operations
        • FastQuery Operations
        • LogShipper Operations
        • Index Operations
        • Download Task Operations
      • Java SDK
        • Overview
        • Install the SDK Package
        • LogRecord Operations
      • iOS SDK
        • Overview
        • Quick start
        • Version Release Records
      • Android SDK
        • Overview
        • Quick start
        • Version Release Records
      • Android & iOS SDK Download
      • SDK Privacy Policy
      • SDK Developer Personal Information Protection Compliance Guide
    • Importing SLS Collection Configuration
  • FAQs
    • Common Questions Overview
    • Fault-related questions
    • Configuration-related questions
  • Log Service Level Agreement SLA
  • Document center
  • arrow
  • BLS
  • arrow
  • Operation guide
  • arrow
  • Identity and access management
Table of contents on this page
  • Introduction to Identity and Access Management product
  • Definition
  • Configuration Policy
  • Description of system policy permission
  • Description of custom policy permission
  • Cloud product access permissions
  • Authorization cases
  • Create IAM user
  • Create custom policy
  • Grant permissions to IAM users
  • IAM user signs in to the console and access products

Identity and access management

Updated at:2025-11-03

Introduction to Identity and Access Management product

Identity and Access Management (IAM) is designed for managing identities and access to Baidu AI Cloud resources. It facilitates centralized authorization, resource sharing, and multi-user collaboration for cloud accounts. IAM allows enterprises to grant different product permissions to employees based on their roles, enabling them to share resources within the account to fulfill their responsibilities. When an enterprise requires multi-user collaboration or resource sharing, it is recommended to utilize IAM.

Below are typical scenarios where Identity and Access Management applies:

  • Medium and large enterprise customers: Centralized resource and permission management for different employees across multiple departments within the company
  • Independent software vendors (ISVs) or SaaS platform providers: Centralized resource and permission management for proxy clients
  • Small and medium-sized developers or small enterprise: Add project members or collaborators for resource and permission management

For details about Identity and Access Management, refer to the IAM Help Document.

Definition

  • Permission: Refers to whether one or several APIs are allowed to be accessed, such as viewing task details, editing tasks, etc.
  • Resource: Refers to the smallest entity created, maintained, and accessed by users in the service. In BLS, items such as tasks, agents, and agent groups are considered resources.
  • Policy: A combination of permissions, resources, and user identities, such as read-only policy or custom policy

Configuration Policy

  • System policy: Permission set predefined by Baidu AI Cloud System for resource management. Such policies can be directly authorized for IAM users, and users can only use it but cannot modify it.
  • Custom policy: User-created more detailed permission set for resource management, allowing permission configuration for single instance to flexibly meet differentiated permission management of accounts for different users.

Description of system policy permission

The BLS system policy includes read-only permissions, operational permissions, and management permissions. Detailed descriptions are provided below:

Policy namePermissionPermission scope
BLSReadPolicy Permissions for read-only access to BLS Permissions only include: viewing task details, viewing agent details, viewing agent group details, viewing agent installation, acquiring LogStore details, reading logrecord, getting index details, getting quick query details, viewing delivery task configuration details, and viewing delivery task execution records;
BLSOperatePolicy BLS operations permissions In addition to read-only, you can also edit tasks, start/stop tasks, edit agents, edit agent groups, modify LogStore, write log records, modify indexes, modify quick queries, modify delivery tasks, start/stop individual delivery tasks, and start/stop delivery tasks in batches;
BLSFullControlPolicy Full control permission for BLS management Possesses full BLS permissions;

Description of custom policy permission

The permission operation types and scope for BLS custom policy are specified as follows:

Operation typePermission scope
Read-only operation
  • Task:
    • View task details
  • Agent:
    • View agent details
  • Agent groups:
    • View agent group details
  • LogStore:
    • LogStore: Get LogStore details
    • Logrecord: Read logrecord
    • LogStore index: Get index details
  • Quick query:
    • Get quick query details
  • Log delivery:
    • View delivery task configuration details
    • View delivery tasks execution records
Operation and maintenance operations
  • Task:
    • Edit tasks
    • Start/Stop tasks
  • Agent:
    • Edit agent
  • Agent groups:
    • Edit agent group
  • LogStore:
    • LogStore: modify LogStore, get LogStore details
    • Logrecord: Write in logrecord, read logrecord
    • LogStore index: Modify index, get index details
  • Quick query:
    • Modify FastQuery
    • Retrieve FastQuery details.
  • Log delivery:
    • Modify delivery tasks
    • View delivery task configuration details
    • View delivery tasks execution records
    • Start/Stop a single delivery task
    • Batch start/stop delivery tasks
Management operations
  • Task:
    • Edit tasks
    • Start/Stop tasks
    • Delete task
  • Agent:
    • Edit agent
    • Delete agent
  • Agent groups:
    • Edit agent group
    • Delete agent group
  • LogStore:
    • LogStore: Delete LogStore, modify LogStore, get LogStore details
    • Logrecord: Write in logrecord, read logrecord
    • LogStore index: Modify index, delete index, get index details
  • Quick query:
    • Delete FastQuery
    • Modify FastQuery
    • Retrieve FastQuery details.
  • Log delivery:
    • Modify delivery tasks
    • View delivery task configuration details
    • View delivery tasks execution records
    • Delete a single delivery task
    • Batch delete delivery tasks
    • Start/Stop a single delivery task
    • Batch start/stop delivery tasks

Cloud product access permissions

The log service supports collecting log data from several Baidu AI Cloud products, including Content Delivery Network (CDN), Virtual Private Cloud (VPC), and Container Instance (BCI). When sub-accounts need to enable log-push services via cloud product consoles, ensure the necessary BLS permissions are in place. For instance, to write/push data to an existing LogStore, ensure the account has the "Write Records" permission. To create a new LogStore, ensure the account has the "BLSFullControlPolicy" permission.

Authorization cases

Authorization steps are as follows:

  • Create IAM user
  • Create custom policy
  • Grant permissions to IAM users
  • IAM user signs in to the console to access products

Create IAM user

Step 1: Click the user avatar in the upper right corner, and then click "Identity and Access Management";

create subUser step1

Step 2: Click "Create IAM User". After the IAM User is created, the login link is shown as in the figure;

create subUser step2

For details, refer to the Identity and Access Management Help Document.

Create custom policy

Step 1: Click "Policy" on the left, click "Create Policy", and then click "Create via Visual Editor";

custom policy 1

Step 2: Click "Add Permission";

custom policy 2

Step 3: Select "Baidu Log Service (BLS)", check the Permissions, check the Resources, and click "Complete";

custom policy 3

Step 4: Click "Complete" again;

custom policy 4

Grant permissions to IAM users

Step 1: Click "Add Permission";

auth 1

Step 2: Search for "bls," where you can add "System Policy" and "Custom Policy," then click "OK";

auth 2

IAM user signs in to the console and access products

Step 1: Access the Sign in as IAM User link;

Screenshot 2021-09-07 7.20.07 PM.png

Step 2: Click BLS & access the product;

login 2

Previous
Overview
Next
Logset Management