

# Permissions required for Application Signals
<a name="Application_Signals_Permissions"></a>

This section describes the permissions required to enable, manage, and operate Application Signals.

## Permissions for enabling and managing Application Signals
<a name="Application_Signals_Permissions_Enabling"></a>

To manage Application Signals, you must be signed in with an account that has the required permissions. To view the contents of the [CloudWatchApplicationSignalsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchApplicationSignalsFullAccess.html) policy, see **CloudWatchApplicationSignalsFullAccess**.

To enable Application Signals on Amazon EC2 or a custom architecture, see [Enable Application Signals on Amazon EC2](CloudWatch-Application-Signals-Enable-EC2Main.md). To enable and manage Application Signals on Amazon EKS using the [Amazon CloudWatch Observability EKS add-on](install-CloudWatch-Observability-EKS-addon.md), you need the following permissions.

**Important**  
These permissions include `iam:PassRole` with `Resource "*"` and `eks:CreateAddon` with `Resource "*"`. These are powerful permissions and should be granted with caution.

------

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:AccessKubernetesApi",
                "eks:CreateAddon",
                "eks:DescribeAddon",
                "eks:DescribeAddonConfiguration",
                "eks:DescribeAddonVersions",
                "eks:DescribeCluster",
                "eks:DescribeUpdate",
                "eks:ListAddons",
                "eks:ListClusters",
                "eks:ListUpdates",
                "iam:ListRoles",
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "eks.amazonaws.com",
                        "application-signals.cloudwatch.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:DeleteAddon",
                "eks:UpdateAddon"
            ],
            "Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"
        }
    ]
}
```

------
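
The following is an added example, not part of the AWS documentation: a Python check that flags `Allow` statements granting `iam:PassRole` or `eks:CreateAddon` on `Resource "*"` and reports whether an `iam:PassedToService` condition narrows them. The `SAMPLE` policy is constructed from the first statement above (action list shortened) plus a hypothetical statement without the condition; `NotAction`, `NotResource` and `Deny` statements are not evaluated.

```python
import fnmatch
import json

# Actions the page's "Important" note singles out when granted on Resource "*".
SENSITIVE = ("iam:PassRole", "eks:CreateAddon")

def _as_list(value):  # IAM accepts a bare string wherever it accepts a list
    return value if isinstance(value, list) else [value]

def _granted(action, patterns):
    """IAM action patterns are case-insensitive and may contain * and ?."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_wildcard_grants(policy):
    """One finding per Allow statement granting a SENSITIVE action on Resource "*"."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        hits = [a for a in SENSITIVE if _granted(a, _as_list(stmt.get("Action", [])))]
        if not hits:
            continue
        # Simplification: only positive string operators count as narrowing the grant.
        services = []
        for operator in ("StringEquals", "StringLike"):
            for key, value in stmt.get("Condition", {}).get(operator, {}).items():
                if key.lower() == "iam:passedtoservice":
                    services += _as_list(value)
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": hits,
            "passed_to_service": sorted(services),
            # PassRole on "*" with no service restriction is the case to escalate.
            "unrestricted_passrole": "iam:PassRole" in hits and not services,
        })
    return findings

# Constructed sample: the page's first statement (Action list shortened) plus a
# hypothetical statement with no Condition, to show the contrast.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions", "Effect": "Allow",
   "Action": ["eks:CreateAddon", "eks:DescribeCluster", "iam:PassRole"], "Resource": "*",
   "Condition": {"StringEquals": {"iam:PassedToService":
     ["eks.amazonaws.com", "application-signals.cloudwatch.amazonaws.com"]}}},
  {"Sid": "HypotheticalNoCondition", "Effect": "Allow", "Action": "iam:Pass*", "Resource": "*"}]}""")

if __name__ == "__main__":
    for finding in audit_wildcard_grants(SAMPLE):
        print(json.dumps(finding))
```
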

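The Application Signals dashboard shows the AWS Service Catalog AppRegistry applications that your SLOs are associated with. To see these applications on the SLO pages, you must have the following permissions: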

------

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}
```

------

## Operating Application Signals
<a name="Application_Signals_Permissions_Operate"></a>

Service operators who use Application Signals to monitor services and SLOs must be signed in with an account that has read-only permissions. To view the contents of the **CloudWatchApplicationSignalsReadOnlyAccess** policy, see [CloudWatchApplicationSignalsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchApplicationSignalsReadOnlyAccess.html).

To see which AWS Service Catalog AppRegistry applications your SLOs are associated with in the Application Signals dashboard, you also need the following permissions:

------

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
            "Effect": "Allow",
            "Action": "tag:GetResources",
            "Resource": "*"
        }
    ]
}
```

------

To check whether Application Signals has been enabled on Amazon EKS using the [Amazon CloudWatch Observability EKS add-on](install-CloudWatch-Observability-EKS-addon.md), you need the following permissions:

------

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchApplicationSignalsResourceExplorerReadPermissions",
            "Effect": "Allow",
            "Action": [
                "resource-explorer-2:ListIndexes",
                "resource-explorer-2:Search"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchApplicationSignalsResourceExplorerSLRPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "resource-explorer-2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "CloudWatchApplicationSignalsResourceExplorerCreateIndexPermissions",
            "Effect": "Allow",
            "Action": [
                "resource-explorer-2:CreateIndex"
            ],
            "Resource": "arn:aws:resource-explorer-2:*:*:index/*"
        }
    ]
}
```

------