All Products
Search
Document Center

Application Real-Time Monitoring Service:Embed ARMS console pages in self-managed web applications

Last Updated:Mar 11, 2024

You can embed Application Real-Time Monitoring Service (ARMS) console pages in self-managed web applications. This way, you can view the pages from the applications without the need to switch between systems or log on to the ARMS console.

Background information

The operation to embed ARMS console pages in self-managed web applications brings the following benefits:

  • You can log on to your own system and browse the application list, application details, and traces on the embedded ARMS console pages.

  • You can hide the top navigation bar and left-side navigation pane of the ARMS console. For more information, see Step 5: Generate a logon-free URL.

  • You can use Resource Access Management (RAM) to manage the permissions on the ARMS console. For example, you can change the full access permissions to read-only permissions. For more information, see Use RAM users to manage permissions.

Sample code

To embed ARMS console pages in a self-managed web application, download and use the sample code.

Access process

The following figure shows the process of accessing ARMS from an external system.

image

Step 1: Create a RAM user and grant permissions to the RAM user

Use your Alibaba Cloud account to create a RAM user and authorize the RAM user to call Security Token Service (STS) to assume RAM roles.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Grant the AliyunSTSAssumeRoleAccess permission to the RAM user. For more information, see Grant permissions to a RAM user.

    Add Permission For User

Step 2: Create a RAM role and grant permissions to the RAM role

Create a RAM role and grant the RAM role the permissions to access the ARMS console. Then, the RAM user can assume the RAM role to access the ARMS console.

  1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

  2. Grant the following permissions to the RAM role. For more information, see Grant permissions to a RAM role.

    • AliyunARMSFullAccess: full access permissions on ARMS

    • AliyunARMSReadOnlyAccess: read-only permissions on ARMS

      Important

      To grant the read-only permissions on all ARMS features to a specific resource group, you must attach the AliyunARMSReadOnlyAccess policy to and grant the ReadTraceApp permission to the resource group. Otherwise, ARMS cannot display the application list that belongs to the authenticated resource group.

Step 3: Obtain the temporary AccessKey pair and STS token

Log on to the self-managed web application and call the AssumeRole operation of STS on the web server to obtain the temporary AccessKey pair and STS token. They are used as temporary credentials. For more information about the AssumeRole operation, see AssumeRole.

You can call the AssumeRole operation by using one of the following methods:

RAM SDK for Java is used as an example.

Set the following parameters when you use the SDK for Java:

String accessKey = "<accessKeyId>"; // The AccessKey ID of the RAM user. 
String accessSecret = "<accessKeySecret>"; // The AccessKey secret of the RAM user. 
String roleArn = "<roleArn>"; // The Alibaba Cloud Resource Name (ARN) of the RAM role.

The AccessKey ID and AccessKey secret of the RAM user are provided when the RAM user is created.

Perform the following steps to obtain the ARN of the RAM role:

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click the name of the RAM role that you created.

  4. On the page that appears, copy the value of the ARN parameter in the Basic Information section.

Step 4: Obtain the logon token

After you call the AssumeRole operation of STS to obtain the temporary AccessKey pair and STS token, call the GetSigninToken operation to obtain the logon token.

Important

The temporary STS token may contain special characters. Before you use the token, you must use the URL encoding method to encode the special characters.

Sample request:

https://signin.aliyun.com/federation?Action=GetSigninToken
    &AccessKeyId=<The temporary AccessKey ID that is returned by STS>
    &AccessKeySecret=<The temporary AccessKey secret that is returned by STS>
    &SecurityToken=<The temporary token that is returned by STS>
    &TicketType=mini

Step 5: Generate a logon-free URL

Use the obtained logon token and URL of the ARMS console page that you want to embed to generate a logon-free URL. This allows you to access the ARMS console page from your self-managed web application.

Note

A logon token is valid for 3 hours. We recommend that you configure the URL in the self-managed web application to generate a new logon token on each request.

  1. In the ARMS console, obtain the URL of the console page that you want to embed.

    The following example is the URL of the Applications page for the China (Shanghai) region:

    https://arms.console.aliyun.com/apm?iframeMode=true&pid=${pid}&regionId=${regionId}#/${pid}/home
    Note
    • The URL must be the console address of ARMS Application Monitoring or ARMS Browser Monitoring. You can obtain the values of the {pid} and {regionId} parameters from the actual URL.

    • To hide the top navigation bar and the left-side navigation pane of the ARMS console, set the iframeMode parameter to true in the search section of the URL.

    • To hide only the top navigation bar, set the hideTopbar parameter to true in the search section of the URL. To hide only the left-side navigation pane, set the hideSidebar parameter to true in the search section of the URL. Setting both parameters to true is equivalent to setting the iframeMode parameter to true.

  2. Use the logon token and the URL of the ARMS console page to generate a logon-free URL for the page.

    https://signin.aliyun.com/federation?Action=Login
        &LoginUrl=<A URL that returns HTTP status code 302 and redirects you to the user-created website>
        &Destination=<The URL of the ARMS console page>
        &SigninToken=<The obtained logon token>
  3. Use the logon-free URL to access the ARMS console page in your browser.