This topic describes the AliyunServiceRoleForARMS service-linked role for Application Real-Time Monitoring Service (ARMS) and shows you how to delete this role.

Background information

The AliyunServiceRoleForARMS service-linked role is a RAM role that ARMS assumes to access other Alibaba Cloud services to implement an ARMS feature in specific scenarios. For more information about service-linked roles, see Service-linked roles.

Scenarios

ARMS Prometheus monitoring can use the automatically created AliyunServiceRoleForARMS role to access resources in other Alibaba Cloud services, such as Container Service for Kubernetes (ACK), Log Service, Elastic Compute Service (ECS), and Virtual Private Cloud (VPC).

Permissions of the AliyunServiceRoleForARMS role

AliyunServiceRoleForARMS has permissions to access the following cloud services:

Permission to access Container Service for Kubernetes (ACK)

{
    "Action": [
        "cs:ScaleCluster",
        "cs:DeleteCluster",
        "cs:GetClusterById",
        "cs:GetClusters",
        "cs:GetUserConfig",
        "cs:CheckKritisInstall",
        "cs:GetKritisAttestationAuthority",
        "cs:GetKritisGenericAttestationPolicy",
        "cs:CreateCluster",
        "cs:AttachInstances",
        "cs:InstallKritis",
        "cs:InstallKritisAttestationAuthority",
        "cs:InstallKritisGenericAttestationPolicy",
        "cs:DeleteCluster",
        "cs:UpdateClusterTags",
        "cs:DeleteClusterNodes",
        "cs:UninstallKritis",
        "cs:DeleteKritisAttestationAuthority",
        "cs:DeleteKritisGenericAttestationPolicy",
        "cs:UpdateKritisAttestationAuthority",
        "cs:UpdateKritisGenericAttestationPolicy",
        "cs:UpgradeCluster",
        "cs:DeleteClusterNode",
        "cs:GetClusterLogs"
    ],
    "Resource": [
        "acs:cs:*:*:cluster/*"
    ],
    "Effect": "Allow"
}

Permission to access Log Service (SLS)

{
    "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:GetLogStoreLogs",
        "log:GetHistograms",
        "log:GetLogStoreHistogram",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:DeleteLogStore",
        "log:UpdateLogStore",
        "log:GetCursorOrData",
        "log:GetCursor",
        "log:PullLogs",
        "log:ListShards",
        "log:PostLogStoreLogs",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:DeleteConfig",
        "log:GetConfig",
        "log:ListConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:DeleteMachineGroup",
        "log:GetMachineGroup",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:RemoveConfigFromGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetShipperStatus",
        "log:RetryShipperTask",
        "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup",
        "log:DeleteConsumerGroup",
        "log:ListConsumerGroup",
        "log:UpdateCheckPoint",
        "log:HeartBeat",
        "log:GetCheckPoint",
        "log:CreateIndex",
        "log:DeleteIndex",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:GetSavedSearch",
        "log:DeleteSavedSearch",
        "log:ListSavedSearch",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:GetDashboard",
        "log:DeleteDashboard",
        "log:ListDashboard",
        "log:CreateJob",
        "log:UpdateJob"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Permission to access Elastic Compute Service (ECS)

{
    "Action": [
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeUserdata",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeDisks",
        "ecs:DescribeSnapshots",
        "ecs:DescribeAutoSnapshotPolicy",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeImages",
        "ecs:DescribeImageSharePermission",
        "ecs:DescribeClassicLinkInstances",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeTags",
        "ecs:DescribeRegions",
        "ecs:DescribeZones",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeEipMonitorData",
        "ecs:DescribeDiskMonitorData",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeTasks",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeInstanceAttribute",
        "ecs:InvokeCommand",
        "ecs:CreateCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand",
        "ecs:InstallCloudAssistant"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Permission to access Virtual Private Cloud (VPC)

{
    "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
    ],
    "Resource": "*",
    "Effect": "Allow"
}
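The statements above mix read-only calls with actions that change state (for example, cluster deletion in ACK or command execution on ECS), and three of the four are scoped to Resource "*". The following Python example is added here and is not part of the page or of ARMS; it classifies an excerpt of those statements by action verb so an account owner can see at a glance what the service-linked role is able to change. The action lists are shortened from the full lists above, and the read-only verb set is an assumption of this example.

```python
import re

# Constructed excerpt of the AliyunServiceRoleForARMS statements shown above;
# the complete action lists are in the page text.
ARMS_SLR_STATEMENTS = [
    {"Action": ["cs:GetClusters", "cs:GetClusterById", "cs:CreateCluster",
                "cs:DeleteCluster", "cs:ScaleCluster", "cs:DeleteClusterNodes"],
     "Resource": ["acs:cs:*:*:cluster/*"], "Effect": "Allow"},
    {"Action": ["log:GetProject", "log:ListLogStores", "log:CreateProject",
                "log:DeleteLogStore", "log:PostLogStoreLogs"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:DescribeInstances", "ecs:DescribeSecurityGroups",
                "ecs:AuthorizeSecurityGroup", "ecs:RevokeSecurityGroup",
                "ecs:InvokeCommand", "ecs:CreateCommand", "ecs:InstallCloudAssistant"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
     "Resource": "*", "Effect": "Allow"},
]

# Assumption of this example: actions whose verb is one of these only read
# state; every other verb (Create, Delete, Authorize, Invoke, ...) is treated
# as mutating.
READ_ONLY_VERBS = re.compile(r"^(Describe|Get|List|Check)")


def classify_statement(stmt):
    """Split one Allow statement into read-only and mutating actions and
    record whether its Resource element is the unscoped wildcard "*"."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    service = actions[0].split(":", 1)[0]
    mutating = sorted({a for a in actions if not READ_ONLY_VERBS.match(a.split(":", 1)[1])})
    read_only = sorted(set(actions) - set(mutating))
    return {"service": service, "read_only": read_only, "mutating": mutating,
            "wildcard_resource": "*" in resources}


def audit(statements):
    """Return one finding per statement, keyed by the service prefix."""
    return {f["service"]: f for f in map(classify_statement, statements)}


if __name__ == "__main__":
    for service, f in audit(ARMS_SLR_STATEMENTS).items():
        print(f"{service}: {len(f['read_only'])} read-only, {len(f['mutating'])} mutating, "
              f"wildcard resource={f['wildcard_resource']}")
        for action in f["mutating"]:
            print(f"  mutating: {action}")
```

Running it against the full lists on the page instead of the excerpt gives the complete picture for a permissions review before the role is left in place.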

Delete the AliyunServiceRoleForARMS role

For security reasons, you may want to delete the AliyunServiceRoleForARMS role if you no longer need ARMS Prometheus monitoring. After you delete this role, the Kubernetes cluster within your account can no longer be synchronized to the list of Kubernetes clusters in the ARMS console. In addition, ARMS stops reading monitoring data and writing it to the ARMS console.

To delete the AliyunServiceRoleForARMS role, perform the following steps:

Note If the ARMS Prometheus monitoring agent is installed for the Kubernetes cluster within your account, uninstall the agent first. Otherwise, the AliyunServiceRoleForARMS role cannot be deleted. For more information, see Uninstall the Prometheus agent.
  1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.
  2. On the Roles page, enter AliyunServiceRoleForARMS in the search box. The RAM role named AliyunServiceRoleForARMS is displayed in the search result.
  3. In the Actions column of the AliyunServiceRoleForARMS role, click Delete.
  4. In the Delete RAM Role dialog box, click OK.
    • If the ARMS Prometheus monitoring agent has been uninstalled from the Kubernetes cluster, you can directly delete the AliyunServiceRoleForARMS role.

FAQ

Why is the AliyunServiceRoleForARMS service-linked role not automatically created for my RAM user?

Your RAM user must have specific permissions before the AliyunServiceRoleForARMS role can be automatically created or deleted. To allow the AliyunServiceRoleForARMS role to be automatically created for your RAM user, attach the following policy to your RAM user:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "arms.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
Note Replace ID of your Alibaba Cloud account in the policy statement with the ID of your Alibaba Cloud account.
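The Condition element is what keeps this grant narrow: the RAM user may create service-linked roles only when the requesting service is arms.aliyuncs.com, and the Resource element ties it to your own account. The following Python example is added here and is not part of the page or of RAM; it is a deliberately minimal simulation of how the Allow statement above matches a request, used to show that a request for another service name, or a policy in which the account ID placeholder was never replaced, ends in an implicit deny. The account ID, the role name in the resource string and the non-ARMS service name are constructed sample values.

```python
import fnmatch
import json

ACCOUNT_ID = "123456789012345678"  # constructed sample account ID

# The policy from the FAQ above, still containing the placeholder text.
FAQ_POLICY_TEMPLATE = {
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": ["arms.aliyuncs.com"]}},
    }],
    "Version": "1",
}


def fill_account_id(policy, account_id):
    """Return a copy of the policy with the placeholder replaced by account_id."""
    text = json.dumps(policy).replace("ID of your Alibaba Cloud account", account_id)
    return json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, context):
    """Simplified evaluation (an assumption of this example, not the RAM
    engine): a request is allowed only if some Allow statement matches its
    Action and Resource patterns and every StringEquals key in the Condition
    equals the value supplied in the request context. No match means deny."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) in _as_list(allowed) for key, allowed in equals.items()):
            return True
    return False


if __name__ == "__main__":
    policy = fill_account_id(FAQ_POLICY_TEMPLATE, ACCOUNT_ID)
    role = f"acs:ram:*:{ACCOUNT_ID}:role/AliyunServiceRoleForARMS"
    print(is_allowed(policy, "ram:CreateServiceLinkedRole", role, {"ram:ServiceName": "arms.aliyuncs.com"}))
```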