tencent cloud

Cloud Log Service

Release Notes and Announcements
Release Notes
Announcements
User Guide
Product Introduction
Overview
Features
Available Regions
Limits
Concepts
Service Regions and Service Providers
Purchase Guide
Billing Overview
Product Pricing
Pay-as-You-Go
Billing
Cleaning up CLS resources
Cost Optimization
FAQs
Getting Started
Getting Started in 1 Minute
Getting Started Guide
Quickly Trying out CLS with Demo
Operation Guide
Resource Management
Permission Management
Log Collection
Metric Collection
Log Storage
Metric Storage
Search and Analysis (Log Topic)
Search and Analysis (Metric Topic)
Dashboard
Data Processing documents
Shipping and Consumption
Monitoring Alarm
Cloud Insight
Independent DataSight console
Historical Documentation
Practical Tutorial
Log Collection
Search and Analysis
Dashboard
Monitoring Alarm
Shipping and Consumption
Cost Optimization
Developer Guide
Embedding CLS Console
CLS Connection to Grafana
API Documentation
History
Introduction
API Category
Making API Requests
Topic Management APIs
Log Set Management APIs
Index APIs
Topic Partition APIs
Machine Group APIs
Collection Configuration APIs
Log APIs
Metric APIs
Alarm Policy APIs
Data Processing APIs
Kafka Protocol Consumption APIs
CKafka Shipping Task APIs
Kafka Data Subscription APIs
COS Shipping Task APIs
SCF Delivery Task APIs
Scheduled SQL Analysis APIs
COS Data Import Task APIs
Data Types
Error Codes
FAQs
Health Check
Collection
Log Search
Others
CLS Service Level Agreement
CLS Policy
Privacy Policy
Data Processing And Security Agreement
Contact Us
Glossary
DocumentationCloud Log ServiceDeveloper GuideEmbedding CLS Console

Embedding CLS Console

PDF
Focus Mode
Font Size
Last updated: 2025-06-12 14:52:42

Use Cases

CLS allows you to embed the CLS console into an external system, so that you can conduct log search and analysis without logging in to the Tencent Cloud console. This feature offers the following benefits:
Quickly integrate CLS search and analysis capabilities into an external service system (e.g., for business maintenance or operation).
Easily share your log data with others without needing to manage additional Tencent Cloud sub-accounts.

Demo Code for Login-Free Implementation

Directions

1. On the CAM page, create a CAM role, set the role entity to Tencent Cloud Account, and select Allow the current role to access console. Then, configure the target access permission for the CAM role, for example, the read-only policy permission QcloudCLSReadOnlyAccess, name it CLSReadOnly, and copy its RoleArn information.
2. On the Policies page, create a custom policy and select Create by Policy Generator. Then, select the JSON tag and enter the following information in Policy Content. Note that you need to replace ${YOUR_UIN} with the account UIN (the resource content is the RoleArn of the created role; modify the policy name in case of any inconsistency). Click Next and set Policy Name to PlayClsPolicy.
 {
     "version": "2.0",
     "statement": [
         {
             "effect": "allow",
             "action":[
                 "sts:AssumeRole"
             ],
             "resource": [
                 "qcs::cam::uin/${YOUR_UIN}:roleName/CLSReadOnly"
             ]
         }
     ]
 }
3. On the Create User page, select Custom Creation and set Type to Access Resources and Receive Messages, Username to PlayClsUser, Access Method to Programming access, and User permissions to PlayClsPolicy created in the previous step. After submitting the user creation operation, copy the generated SecretId and SecretKey.
4. Clone the demo codecls-iframe-demo for login-free implementation. As instructed in the ReadMe content of the demo project, create the .env file in the root directory and enter the required parameters RoleArn, SecretId, and SecretKey.
Note:
Code leakage may lead to the leakage of SecretId and SecretKey, thereby affecting your account security. We recommend that you use a key in a more secure manner as instructed in the TencentCloud API key security solution and use a sub-account key with the least privilege.
Check the effect after running the project as instructed in the ReadMe document of the demo program for login-free implementation.
Note:
This example does not include the authentication logic of external systems. After deployment, all users (even if they have not logged in to Tencent Cloud) can view the data under their accounts with the role permissions configured in the example. To ensure data privacy and security, add the authentication logic of external systems or restrict their access to the private network only to ensure that only authorized users can view the page.
5. Concatenate the destination login-free address s_url of CLS (optional). If you enter the obtained address in the configuration file of the login-free project, access to the login-free service will be automatically redirected to this address. The basic address of the CLS search and analysis page:
https://console.tencentcloud.com/cls/search?region=<region>&topic_id=<topic_id>
Parameters in the CLS search and analysis page URL:
Parameter
Required
Type
Description
region
Yes
String
Region abbreviation, e.g., ap-shanghai for Shanghai region. For other available region abbreviations, see Available Regions
topic_id
No
String
Log topic ID
logset_name
No
String
Logset name
topic_name
No
String
Log topic name
time
No
String
Time range for log search. Format example:2021-07-15T10:00:00.000,2021-07-15T12:30:00.000
queryBase64
No
String
Search and analysis statement, which is base64Url-encoded
hideWidget
No
Boolean
Indicates whether to hide agent/documentation button in the bottom-right corner. `true`: Yes; `false`: No (default)
hideTopNav
No
Boolean
Indicates whether to hide the top navigation bar in the Tencent Cloud console. `true`: Yes; `false`: No (default)
hideLeftNav
No
Boolean
Indicates whether to hide the left navigation bar in the Tencent Cloud console. `true`: Yes; `false`: No (default)
hideTopicSelect
No
Boolean
Indicates whether to hide the log topic selection controls (including the region, logset, and log topic controls). `true`: Yes; `false`: No (default)
hideHeader
No
Boolean
Indicates whether to hide the log topic selection control and the row where the control resides. `true`: Yes; `false`: No (default). This parameter is valid only when `hideTopicSelect` is `true`.
hideTopTips
No
Boolean
Indicates whether to hide the announcements on the top of the page. `true`: Yes; `false`: No (default)
hideConfigMenu
No
Boolean
Indicates whether to hide the log topic configuration management menu. `true`: Yes; `false`: No (default)
hideLogDownload
No
Boolean
Indicates whether to hide the raw log download button. `true`: Yes; `false`: No (default)
Note:
You can specify the log topic to search using URL parameters in either the following modes:
topic_id: use the log topic ID to specify the log topic to search.
logset_name+topic_name: use the logset name and log topic name to specify the log topic to search. Note that if the logset or log topic name changes, the URL adopting this mode will become invalid.
If `topic_id`, `logset_name`, and `topic_name` exist at the same time, `topic_id` prevails.
Relationship between hidden parameters and page modules:



Self-Development for Login-Free Implementation

Directions

Note:
Note: Code leakage may lead to the leakage of SecretId and SecretKey, thereby affecting your account security. We recommend that you use a key in a more secure manner as instructed in the TencentCloud API key security solution and use a sub-account key with the least privilege.
1. Configure the CLS read-only role, custom policy of the target role, and sub-account bound to the custom policy as instructed in Demo Code for Login-Free Implementation. Then, save the RoleArn, SecretId, and SecretKey information.
2. Get the destination login-free address s_url as needed as instructed in Demo Code for Login-Free Implementation.
3. Repeat the following steps every time you need to open a login-free page.
4. Call the STS AssumeRole API with the obtained key to apply for the temporary key of the target role.
5. Generate the login signature information with the obtained temporary key.
5.1 Sort parameters to be signed.
Sort parameters to be signed listed below in ascending alphabetical or numerical order. That is, sort the parameters by their first letters, then by their second letters if their first letters are the same, and so on. You can do this with the aid of sorting functions in programming languages, such as the ksort function in PHP.
Parameter
Required
Type
Description
action
Yes
String
Action; fixed as `roleLogin`
timestamp
Yes
Int
Current timestamp
nonce
Yes
Int
Random integer. Value range: 10000-100000000
secretId
Yes
String
Temporary AK returned by STS
5.2 Combine the parameters.
Combine the above sorted parameters into the form of "parameter name=parameter value". Example:
action=roleLogin&nonce=67439&secretId=AKI***PLE&timestamp=1484793352
5.3 Concatenate a signature string.
Construct a signature string in the format of “request method + request CVM + request path + ? + request string”.
Parameter
Required
Description
Request CVM and path
Yes
Fixed as www.tencentcloud.com/login/roleAccessCallback
Request method
Yes
GET or POST
Sample signature string
GETwww.tencentcloud.com/login/roleAccessCallback?action=roleLogin&nonce=67439&secretId=AKI***PLE&timestamp=1484793352
5.4 Generate a signature string.
Currently, you can sign a string using HMAC-SHA1 or HMAC-SHA256. The sample code in PHP is as follows:
$secretKey = 'Gu5***1qA';
$srcStr    = 'GETwww.tencentcloud.com/login/roleAccessCallback?action=roleLogin&nonce=67439&secretId=&timestamp=1484793352';
$signStr   = base64_encode(hash_hmac('sha1', $srcStr, $secretKey, true));
echo $signStr;
Sample code for PHP
$secretId  = "AKI***";            //Temporary AK returned by STS
$secretKey = "Gu5***PLE";         //Temporary SecretKey returned by STS
$token     = "ADE***fds";         //Security Token returned by STS
$param["nonce"]     = 11886;      //rand(10000,100000000);
$param["timestamp"] = 1465185768; //time();
$param["secretId"]  = $secretId;
$param["action"]    = "roleLogin";
ksort($param);
$signStr = "GETwww.tencentcloud.com/login/roleAccessCallback?";
foreach ( $param as $key => $value ) {
    $signStr = $signStr . $key . "=" . $value . "&";
}
$signStr   = substr($signStr, 0, -1);
$signature = base64_encode(hash_hmac("sha1", $signStr, $secretKey, true));
echo $signature.PHP_EOL;
6. Combine your login information and destination page URL into a login URL.
Parameter values need to be URL-encoded.
https://www.tencentcloud.com/login/roleAccessCallback?
algorithm=<Encryption algorithm for signing. Currently, only `sha1` and `sha256` are supported. `sha1` will be used by default if the parameter is not specified.>
&secretId=<secretId for signing>
&token=<Temporary key token>
&nonce=<nonce for signing>
&timestamp=<Timestamp for signing>
&signature=<Signature string>
&s_url=<Destination URL after login>
7. Use the final URL to access the embedded CLS page of the Tencent Cloud console. The sample below is a URL to the CLS search analysis page:
https://www.tencentcloud.com/login/roleAccessCallback?nonce=52055817&s_url=https%3A%2F%2Fconsole.tencentcloud.com%2Fcls%2Fsearch%3Fregion%3Dap-guangzhou%26start_time%3D2020-05-26%25252014%25253A01%25253A18%26end_time%3D2020-05-26%25252014%25253A16%25253A18&secretId=AKID-vHJ7WPHcy_RVIOm-QTIktXOf9S9z_k_JackOp3dyQPJwmDrNLQJuiNuw9******&signature=eXeWaDn6iJlcPp1sqqGd6m9%2FQk****&timestamp=1592455018&token=5e4vuBHL7fBQPi1V9fvSINw4Vu7PSr9Ic3de78b86109c171eb4e3ea27c137c1fIWKU8JC-LO01L87sIYlfTSaHHXeHcqim7Jg9hBuN2nbdfgeBUPXhmpyAk4G6e9bHFZ-7yNRig7Y33CQHxh6jOesP4VfhRzQprWGRtC5No1ty******-aoj_WJhA55oyvqaqxw2jtTdh8nx9OjJr3tlbIa9oJe7aZYoPbdpFqrF6ZjlCPPap2yQB_SkUsWwDl_9BrK2Km3U2IocdvQ7QxrW0ts1aiBi7xtTSJRcfkBYPYEV_YoJrtkhYW3E4L47imA1bfVAjM9F5uKWzVzsDGDT0aCUU9mqdb4vjJrY8tm-wJKKEe8eiyY9EbkH3VWnFV2YocYNDJqFyjKOWR******

How It Works

The login-free solution is implemented based on STS.
The login flowchart is as shown below:

img


Previous Topic: Saving Product Use CostsNext Topic: CLS Connection to Grafana

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback