All Products
Search
Document Center

:RAM authentication

Last Updated:Aug 22, 2023

Before a RAM user calls the CloudMonitor API, the Alibaba Cloud account to which the RAM user belongs must attach policies to the RAM user.

Resources

In CloudMonitor, you can grant only the permissions on specific actions. You cannot grant the permissions on specific resources. You can describe resources only by using the wildcard character (*), which indicates all resources.

Actions

The actions on CloudMonitor are divided into two types: the actions on monitoring data and the actions on the instances of the Alibaba Cloud services monitored by CloudMonitor. The RAM user must have the permissions to perform both types of actions because the monitoring data in CloudMonitor is collected from the monitored instances of the Alibaba Cloud services. If the RAM user does not have the permissions to perform the actions on the monitored instances, the RAM user cannot query the monitored instances, query the monitoring data collected from the instances, or configure alerts based on the monitoring data.

If you have no special requirements, we recommend that you use the default system policies provided by Resource Access Management (RAM): AliyunCloudMonitorFullAccess and AliyunCloudMonitorReadOnlyAccess. These two system policies contain the permissions to read and manage CloudMonitor data and the permissions to read the data of the monitored instances.

If system policies cannot meet your requirements, you can configure a custom policy. When you customize a policy, use the wildcard character (*) to describe resources. Example: cms:Describe*.

  • To grant the permissions to manage CloudMonitor, set the action to cms:*.

  • The following actions can be used to grant the read-only permissions on CloudMonitor.

    • cms:Get*

    • cms:List*

    • cms:Query*

    • cms:BatchQuery*

    • cms:Describe*

    • cms:Cursor

    • cms:BatchGet

    • cms:BatchExport

  • The following table lists the actions for querying the instances of the Alibaba Cloud services monitored by CloudMonitor.

    Note

    The Alibaba Cloud services that can be monitored by CloudMonitor are continually updated. The following table lists only the actions for querying the instances of main Alibaba Cloud services.

    Alibaba Cloud service

    Action

    Elastic Compute Service (ECS)

    ecs:DescribeInstances

    ApsaraDB RDS

    rds:DescribeDBInstances

    rds:DescribeReplicas

    Server Load Balancer (SLB)

    DescribeLoadBalancer*

    Virtual Private Cloud (VPC)

    vpc:DescribeEipAddresses

    vpc:DescribeRouterInterfaces

    vpc:DescribeGlobalAccelerationInstances

    vpc:DescribeVpnGateways

    vpc:DescribeNatGateways

    vpc:DescribeBandwidthPackages

    vpc:DescribeCommonBandwidthPackages

    Object Storage Service (OSS)

    oss:ListBuckets

    Simple Log Service

    log:ListProject

    Alibaba Cloud CDN

    cdn:DescribeUserDomains

    Message Service (MNS)

    mns:ListQueue

    mns:ListTopic

    Auto Scaling

    ess:DescribeScalingGroups

    ApsaraDB for Memcache (OCS)

    ocs:DescribeInstances

    ApsaraDB for Redis

    kvstore:DescribeInstances

    kvstore:DescribeLogicInstanceTopology

    ApsaraDB for HBase

    hbase:DescribeClusterList

    Lindorm

    hitsdb:DescribeHiTSDBInstanceList

    HybridDB for MySQL

    petadata:DescribeInstances

    petadata:DescribeDatabases

    AnalyticDB for PostgreSQL

    gpdb:DescribeDBInstances

    E-MapReduce

    emr:ListClusters

    OpenSearch

    opensearch:ListApps

    Elasticsearch

    elasticsearch:ListInstance

    ApsaraDB for MongoDB

    mongodb:DescribeDBInstances

    NAT Gateway

    netgateway:DescribeNatGateways

    Anti-DDoS

    ddos:DescribeInstancePage

    Cloud Enterprise Network (CEN)

    cen:DescribeCens

    cen:DescribeCenAttachedChildInstances

    ApsaraMQ for Kafka

    kafka:GetKafkaInstanceList

    Secure CDN (SCDN)

    scdn:DescribeScdnUserDomains

    Dynamic Content Delivery Network (DCDN)

    dcdn:DescribeDcdnUserDomains

    PolarDB

    polardb:DescribeDBInstances

  • In most cases, you can specify the action in the cms:{Operation name} format to grant the permissions on specific API operations. For example, to grant only the permissions on CreateMonitorGroupNotifyPolicy, set the action to cms:CreateMonitorGroupNotifyPolicy. The actions for a few API operations do not comply with the preceding format. The following table lists the actions for these API operations.

    API operation

    Action

    CreateHybridMonitorNamespace

    cms:CreateCustomNamespace

    DeleteHybridMonitorNamespace

    cms:DeleteCustomNamespace

    PutCustomEvent

    cms:PutEvent

    DescribeMetricTop

    cms:QueryMetricTop

    DescribeMetricList

    cms:QueryMetricList

    DescribeMetricLast

    cms:QueryMetricLast

    DescribeMetricData

    cms:QueryMetricData

    DescribeMetricEventList

    cms:QueryEvent