The service-linked role for CloudMonitor, AliyunServiceRoleForCloudMonitor, is the Resource Access Management (RAM) role that authorizes CloudMonitor to access other Alibaba Cloud services in specific scenarios.

Note: For more information about service-linked roles, see Service-linked roles.

Scenarios

When CloudMonitor automatically installs the CloudMonitor agent on hosts, CloudMonitor uses the service-linked role to obtain the permission to use Cloud Assistant.

Permission description

The following section describes the permissions of the service-linked role:

  • Name: AliyunServiceRoleForCloudMonitor
  • Policy attached to the role: AliyunServiceRolePolicyForCloudMonitor
  • Policy description: grants CloudMonitor the permissions to use Cloud Assistant to view status, run commands, and view command output on all instances of the current account.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand",
                    "ecs:DescribeInvocations",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }               
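
To make the scope of this policy concrete, the following added example (not Alibaba Cloud code and not part of the original page) checks which requests the policy document above would permit and flags command-execution grants that are not limited by region, account, or resource ID. The matcher is a simplified assumption about wildcard evaluation (`*` and `?` only, no Condition blocks), and the sample ARN values are constructed placeholders.

```python
import json
import re
# Policy document as shown on this page (AliyunServiceRolePolicyForCloudMonitor).
POLICY = json.loads("""
{"Version": "1", "Statement": [{
  "Effect": "Allow",
  "Action": ["ecs:RunCommand", "ecs:DescribeInvocations",
             "ecs:DescribeCloudAssistantStatus"],
  "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*"]}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    # '*' matches any run of characters, '?' exactly one; all else is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def _matches(patterns, value):
    return any(_glob(p, value) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants the request."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def unscoped_grants(policy, risky=("ecs:RunCommand",)):
    """Risky actions allowed with wildcard region, account and resource ID."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        for res in _as_list(st["Resource"]):
            parts = res.split(":", 4)  # acs:<service>:<region>:<account>:<relative-id>
            wide = len(parts) == 5 and parts[2] == parts[3] == "*" and parts[4].endswith("/*")
            hits += [(a, res) for a in risky if wide and _matches(st["Action"], a)]
    return hits

if __name__ == "__main__":
    # Constructed sample ARN: region, account ID and instance ID are placeholders.
    arn = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-constructed0001"
    print(is_allowed(POLICY, "ecs:RunCommand", arn), unscoped_grants(POLICY))
```

Because the role can run commands on every instance in the account, reviewing who can assume or modify it and monitoring its RunCommand invocations is the practical control, since the policy itself cannot be narrowed.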

Create the service-linked role

When CloudMonitor automatically installs the CloudMonitor agent on hosts, CloudMonitor automatically creates the service-linked role.

Delete the service-linked role

To delete the service-linked role, perform the following steps:

  1. On the Host Monitoring page, check whether New Purchase ECS Automatically Installs Cloud Monitor is turned off.
    If New Purchase ECS Automatically Installs Cloud Monitor is turned on, turn the switch off.
  2. Delete the service-linked role.
    For more information, see Delete a service-linked role.