All Products
Search
Document Center

Application Real-Time Monitoring Service:Attach a custom policy to a RAM user

Last Updated:Jan 09, 2024

This topic describes how to attach a custom policy to a RAM user.

Prerequisites

Important

By default, Alibaba Cloud accounts that activate Application Real-Time Monitoring Service (ARMS) after 00:00 on April 1, 2022 can attach custom policies to RAM users. Other Alibaba Cloud accounts must contact technical support (DingTalk ID: arms160804).

  • You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.

  • The ReadOnlyAccess or AliyunARMSReadOnlyAccess system policy is attached to the RAM user. This ensures that the RAM user can log on to the ARMS console.

    Important

    To grant the read-only permissions on all ARMS features to a specific resource group, you must attach the AliyunARMSReadOnlyAccess policy to and grant the ReadTraceApp permission to the resource group. Otherwise, ARMS cannot display the application list that belongs to the authenticated resource group.

  • The AliyunARMSFullAccess system policy is not attached to the RAM user.

Background information

The system policies provided by ARMS are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control. For example, if you need to grant the operation permissions on a specific application to a RAM user, you must create a custom policy to meet this requirement.

Step 1: Create a custom policy

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab. Configure a permission policy in the editor.

    For more information, see Policy elements.

    The following example indicates the read-only permissions on applications that reside in the China (Hangzhou) region and are associated with the key0: value01 or key0: value02 tag.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "arms:ReadTraceApp"
          ],
          "Resource": "acs:arms:cn-hangzhou:*:armsapp/*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "arms:tag/key0":[
                "value01",
                "value02"
              ]
            }
          }
        }
      ]
    }
  5. Click Next: Edit Basic Information.

  6. Specify the Name and Description fields.

  7. Click OK.

Step 2: Attach the custom policy

Attach the custom policy to the RAM user

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to manage an ECS instance.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Select policies.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies:

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

      Note

      You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.

  5. Click OK.

  6. Click Complete.

Attach the custom policy to a RAM role

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role to which you want to grant permissions, and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM role.

    1. Set the authorization scope.

      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.

    3. Select policies.

      Note

      You can attach a maximum of five policies to a RAM role at a time. If you need to attach more than five policies to a RAM role, perform the operation multiple times.

  5. Click OK.

  6. Click Complete.

After you attach the policy to the RAM role, you can use the RAM role to log on to the ARMS console. For more information, see Assume a RAM role.

Policy elements

Effect

Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.

Action

Action

Description

arms:ReadTraceApp

The read-only permissions on the specified application, including the permissions to view information such as application overview, interface calls, and application diagnostics.

arms:EditTraceApp

The edit permissions on the specified application, including the permissions to apply custom configurations and set custom parameters.

arms:DeleteTraceApp

The permissions to delete the specified application.

Resource

Specifies the resources on which the policy takes effect.

Sample statement:

"Resource": [
     "acs:arms:<regionid>:*:armsapp/<appname>"
 ]
  • Replace <regionid> with the specified region ID. If you want to grant permissions on resources in all regions, replace <regionid> with *.

  • Replace <appname> with the specified application name. If you want to grant permissions on all applications, replace <appname> with *. If you want to specify applications that have the same name prefix, replace <appname> with Name prefix*. Example: k8s*.

Condition

A condition block contains one or more conditions. Each condition consists of operators, keys, and values. 条件块判断逻辑

Description

  • You can specify one or more values for a condition key. If the value in a request matches one of the values, the condition is met.

  • A condition can have multiple keys that are attached to a single conditional operator. The condition of this type is met only if all requirements for the keys are met.

  • A condition block is met only if all of its conditions are met.

You can specify resources by using key-value pairs. For more information about how to attach tags to an application, see Manage tags.

  • Key-value pairs support the following operators:

    • StringEquals

    • StringNotEquals

    • StringEqualsIgnoreCase

    • StringNotEqualsIgnoreCase

    • StringLike

    • StringNotLike

  • Condition key: arms:tag

  • Condition key value: key-value pairs

The following example demonstrates a condition that matches applications associated with the key0: value01 or key0: value02 tag.

"Condition": {
  "StringEquals": {       // The operator. 
    "arms:tag/key0":[      // The condition key.
      "value01",        // The value of the condition key.
      "value02"
    ]
  }
}