
Accessing CLS with a Temporary Key
Last updated: 2025-10-22 17:08:23
Note:
When using a temporary key to authorize access, ensure authorization follows the principle of least privilege according to business needs. If you directly grant permissions for all resources (resource:*) or all actions (action:*), there is a data security risk due to excessively broad permissions.
When applying for a temporary key, if you specify the permission scope, the obtained temporary key is only applicable within that scope. For example, if you specify permission to write logs to log topic e621fdb8-16f4-41cf-bc73-xxxxxxxxx1 when applying for the temporary key, the obtained key cannot write log information into e621fdb8-16f4-41cf-bc73-xxxxxxxxx2, nor can it obtain logs from e621fdb8-16f4-41cf-bc73-xxxxxxxxx2.

Temporary Keys

Temporary keys (temporary access credentials) are keys with restricted permissions obtained through the TencentCloud API provided by Cloud Access Management (CAM).
The CLS API accepts a temporary key for signature calculation when making a CLS API request.
When using a temporary key for signature calculation in a CLS API request, three fields from the response information of the API for obtaining temporary keys are required, as follows:
secretId: ID of the temporary certificate.
secretKey: key of the temporary certificate.
secretToken: token of the temporary certificate.

Strengths of Using a Temporary Key

When Cloud Log Service (CLS) is used on Web, iOS, or Android, calculating signatures with fixed keys cannot effectively control permissions. Placing permanent keys in client-side code also poses significant leakage risks. Using temporary keys provides a convenient and effective solution for permission control.
For example, during the process of applying for a temporary key, you can restrict operations and resources by limiting permissions to a specified scope. For details, see Sub-Account Authorization.

Obtaining a Temporary Key

To obtain a temporary key, you can directly request one via STS TencentCloud API.
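
A pre-flight check for the least-privilege note at the top of this page, as an added example that is not part of the original page or the CLS SDK: before a policy is passed to the temporary-key request, reject it if it contains wildcard actions or resources or names a log topic other than the intended one. The policy layout (version, statement, effect, action, resource), the action name cls:pushLog, the resource string format and the account ID are assumptions, and the sample policies are constructed.

```python
import json

def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy_json, allowed_topic_ids):
    """Return findings for an 'allow' policy that is broader than the given topics."""
    findings = []
    statements = json.loads(policy_json).get("statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if str(st.get("effect", "")).lower() != "allow":
            continue  # only allow statements can grant too much
        actions = _as_list(st.get("action"))
        resources = _as_list(st.get("resource"))
        if not actions or not resources:
            findings.append(f"statement {i}: missing action or resource")
        for a in actions:
            if "*" in a:
                findings.append(f"statement {i}: wildcard action {a!r}")
        for r in resources:
            topic_id = r.rsplit("topic/", 1)[-1] if "topic/" in r else None
            if "*" in r:
                findings.append(f"statement {i}: wildcard resource {r!r}")
            elif topic_id not in allowed_topic_ids:
                findings.append(f"statement {i}: resource outside expected topics {r!r}")
    return findings

# Constructed sample policies; resource format and account ID are assumptions.
TOPIC_1 = "e621fdb8-16f4-41cf-bc73-xxxxxxxxx1"  # masked topic ID from the note above
SCOPED = json.dumps({"version": "2.0", "statement": [{
    "effect": "allow",
    "action": ["cls:pushLog"],  # assumed name of the log-upload action
    "resource": [f"qcs::cls:ap-guangzhou:uin/100000000001:topic/{TOPIC_1}"],
}]})
BROAD = json.dumps({"version": "2.0", "statement": [{
    "effect": "allow", "action": ["*"], "resource": ["*"],
}]})
WRONG_TOPIC = SCOPED.replace("xxxxxxxxx1", "xxxxxxxxx2")

if __name__ == "__main__":
    for name, doc in [("scoped", SCOPED), ("broad", BROAD), ("wrong topic", WRONG_TOPIC)]:
        print(name, audit_policy(doc, {TOPIC_1}) or "OK")
```

Run the check in the service that requests temporary keys on behalf of clients, so an over-broad policy is refused before any credential is issued.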

Accessing CLS with a Temporary Key

Taking the CLS Java SDK as an example, the following shows how to access CLS with a temporary key:
Note:
Before running the following example, go to the GitHub project to obtain the Java SDK installation package.

package com.tencentcloudapi.cls;

import com.tencentcloudapi.cls.producer.AsyncProducerClient;
import com.tencentcloudapi.cls.producer.AsyncProducerConfig;
import com.tencentcloudapi.cls.producer.common.LogContent;
import com.tencentcloudapi.cls.producer.common.LogItem;
import com.tencentcloudapi.cls.producer.errors.ProducerException;
import com.tencentcloudapi.cls.producer.util.NetworkUtils;
import org.junit.Test;

import java.util.ArrayList;
import java.util.List;

public class AsyncProducerClientTest {

    @Test
    public void testAsyncProducerClient() throws ProducerException, InterruptedException {
        String endpoint = "ap-guangzhou.cls.tencentcs.com";
        // Temporary key secretId from the temporary key API response, required.
        String secretId = "";
        // Temporary key secretKey from the temporary key API response, required.
        String secretKey = "";
        // Temporary key secretToken from the temporary key API response, required.
        String secretToken = "";
        // Log topic ID, required. Must be within the scope granted to the temporary key.
        String topicId = "";

        final AsyncProducerConfig config = new AsyncProducerConfig(endpoint, secretId, secretKey,
                NetworkUtils.getLocalMachineIP(), secretToken);

        // Build a client instance.
        final AsyncProducerClient client = new AsyncProducerClient(config);

        for (int i = 0; i < 10000; ++i) {
            List<LogItem> logItems = new ArrayList<>();
            // Log timestamp in seconds.
            int ts = (int) (System.currentTimeMillis() / 1000);
            LogItem logItem = new LogItem(ts);
            logItem.PushBack(new LogContent("__CONTENT__", "Hello, I am from Shenzhen.|hello world"));
            logItem.PushBack(new LogContent("city", "guangzhou"));
            logItem.PushBack(new LogContent("logNo", Integer.toString(i)));
            logItem.PushBack(new LogContent("__PKG_LOGID__", String.valueOf(System.currentTimeMillis())));
            logItems.add(logItem);
            // Send asynchronously; the callback prints the result of each upload.
            client.putLogs(topicId, logItems, result -> System.out.println(result.toString()));
        }
        // Close the client when all logs have been submitted.
        client.close();
    }
}
