CloudMonitor supports Resource Access Management (RAM). Through subaccounts, you can control permissions for Cloud Service Monitoring metric data, alarm rule management, and alarm contact and alarm contact group management.
Note: Currently, metric data queries are supported for the following cloud products:
Server Load Balancer
ApsaraDB for Redis
In RAM system permissions, the Read-only CloudMonitor access permission authorizes subaccounts only to view metric data. To authorize subaccounts to apply alarm rules, see the Alarm management section below for how to create or modify authorizations.
Besides basic subaccount permission control, RAM currently supports time, MFA, and IP authentication.
Currently, RAM does not support fine-grained resource descriptions. Only the “*” wildcard is used for resource authorization.
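Because the resource is always "*", conditions are the only way to narrow a CloudMonitor grant. The following check is an added example, not part of the original documentation: it lints a RAM policy for CloudMonitor statements that narrow the resource or lack MFA and source IP conditions. The sample policy is constructed; the `cms:` action prefix, the action patterns, and the `acs:MFAPresent`, `acs:SourceIp`, and `acs:CurrentTime` condition keys are assumptions that do not appear on this page.

```python
import json

# Constructed sample policy (not from the page). The "cms:" prefix, the action
# patterns and the acs:* condition keys are assumptions made for this example.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "cms:Query*", "Resource": "*",
     "Condition": {"Bool": {"acs:MFAPresent": "true"},
                   "IpAddress": {"acs:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Allow", "Action": ["cms:Put*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "cms:Query*",
     "Resource": "acs:cms:*:*:instance/example"}
  ]
}
""")

# Condition keys mapped to the three controls the page lists.
CONDITION_KEYS = {"acs:MFAPresent": "mfa", "acs:SourceIp": "ip",
                  "acs:CurrentTime": "time"}


def as_list(value):
    """RAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint(policy, required=("mfa", "ip")):
    """Return (statement_index, finding) pairs for CloudMonitor Allow statements."""
    findings = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        grants_cms = any(a == "*" or a.startswith("cms:") for a in actions)
        if st.get("Effect") != "Allow" or not grants_cms:
            continue
        # Only the "*" wildcard is used for CloudMonitor resource authorization.
        if as_list(st.get("Resource", [])) != ["*"]:
            findings.append((i, "resource-not-wildcard"))
        # Collect which of the time/MFA/IP controls this statement applies.
        present = {CONDITION_KEYS[key]
                   for operator in st.get("Condition", {}).values()
                   for key in operator if key in CONDITION_KEYS}
        findings += [(i, "missing-" + c) for c in required if c not in present]
    return findings


if __name__ == "__main__":
    for index, finding in lint(SAMPLE_POLICY):
        print(f"statement {index}: {finding}")
```

Pass `required=("mfa", "ip", "time")` to also require a time condition on every CloudMonitor statement.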
Data query actions are divided into two groups: product instance list display and CloudMonitor metric data queries. To let a subaccount log on to the CloudMonitor portal and view metric data, you must grant the subaccount permissions for both the corresponding product’s instance list and the metric data query.
For metric data authorization, access the RAM product’s system authorization policy and select Read-only CloudMonitor access permission.
Metric data query action:
Product instance list display actions are as follows.
|ApsaraDB for Redis||DescribeInstances|
Currently, alarm management does not support fine-grained operations. After being granted the following permissions, a subaccount can add, delete, query, and modify alarm rules, alarm contacts, and alarm contact groups.
To allow a subaccount to use the alarm functions, add the following permissions: