Application Real-Time Monitoring Service:Embed an ARMS console page into a self-managed web application

Workflow

The following figure shows the process of accessing ARMS from an external system.

Step 1: Create a RAM user and grant permissions to the RAM user

Use your Alibaba Cloud account to create a RAM user and authorize the RAM user to call Security Token Service (STS) to assume RAM roles.

1. Create a RAM user. For more information, see Create a RAM user.

2. Grant the AliyunSTSAssumeRoleAccess permission to the RAM user. For more information, see Grant permissions to a RAM user.

   

Step 2: Create a RAM role and grant permissions to the RAM role

Create a RAM role and grant the RAM role the permissions to access the ARMS console. Then, the RAM user can assume the RAM role to access the ARMS console.

1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

2. Grant full or read-only permissions to the RAM role. For more information, see Grant permissions to a RAM role.

   • AliyunARMSFullAccess: full access permissions on ARMS

   • AliyunARMSReadOnlyAccess: read-only permissions on ARMS

     Important

     To grant the read-only permissions on all ARMS features to a specific resource group, you must attach the AliyunARMSReadOnlyAccess policy to and grant the ReadTraceApp permission to the resource group. Otherwise, ARMS cannot display the application list that belongs to the authenticated resource group.

Step 3: Obtain the temporary AccessKey pair and STS token

Log on to the application and call the AssumeRole operation of STS to obtain the temporary AccessKey pair and STS token. They are used as temporary credentials. For more information about the AssumeRole operation, see AssumeRole.

You can call the AssumeRole operation by using one of the following methods:

• Use OpenAPI Explorer.

• Use RAM SDK for Java.

RAM SDK for Java is used as an example.

Set the following parameters when you use the SDK for Java:

String accessKey = "<accessKeyId>"; // AccessKey ID of the RAM user. 
String accessSecret = "<accessKeySecret>"; // AccessKey secret of the RAM user. 
String roleArn = "<roleArn>"; // Alibaba Cloud Resource Name (ARN) of the RAM role.

The AccessKey ID and AccessKey secret of the RAM user are provided when the RAM user is created. For more information, see Create an AccessKey pair.

Perform the following steps to obtain the ARN of the RAM role:

1. Log on to the RAM console as a RAM user who has administrative rights.

2. In the left-side navigation pane, choose Identities > Roles.

3. On the Roles page, click the name of the RAM role that you created.

4. On the page that appears, copy the value of the ARN parameter in the Basic Information section.

Step 4: Obtain the logon token

After you call the AssumeRole operation to obtain the temporary AccessKey pair and STS token, call the GetSigninToken operation to obtain the logon token.

Sample request:

https://signin.alibabacloud.com/federation?Action=GetSigninToken
    &AccessKeyId=<Temporary AccessKey ID returned by STS>
    &AccessKeySecret=<Temporary AccessKey secret returned by STS>
    &SecurityToken=<Token returned by STS>
    &TicketType=mini
   

Step 5: Generate a logon-free URL

Use the obtained logon token and URL of the page that you want to embed to generate a logon-free URL.

1. In the ARMS console, obtain the URL of the page.

   URL example for the China (Hangzhou) region:

   https://arms4servims.console.alibabacloud.com/apm?iframeMode=true&pid=${pid}&regionId=${regionId}#/${pid}/home

   Endpoints for each region:

   • China:

     • Legacy console: arms4servims.console.alibabacloud.com

     • New console: armsnext4servims.console.alibabacloud.com

   • Japan: arms-jp4servims.console.alibabacloud.com

   • Southeast Asia: arms-sg4servims.console.alibabacloud.com

   • United States: arms-us4servims.console.alibabacloud.com

   • Europe: arms-eu4servims.console.alibabacloud.com

   Note

   • The URL must be a console address that belongs to Application Monitoring or Browser Monitoring. You can obtain the values of the {pid} and {regionId} parameters from the actual URL.

   • To hide the top navigation bar and the left-side navigation pane of the ARMS console, set the iframeMode parameter to true in the search section of the URL.

   • To hide only the top navigation bar, set the hideTopbar parameter to true in the search section of the URL. To hide only the left-side navigation pane, set the hideSidebar parameter to true in the search section of the URL. Setting both parameters to true is equivalent to setting the iframeMode parameter to true. If the URL contains a hash value with a number sign #, place this parameter before the sign. Example: https://trace4servims.console.alibabacloud.com/?hideTopbar=true&hideSidebar=true/#/tracing/${regionId}/list?from=now-3h&to=now&refresh=off.

2. Use the logon token and the URL of the page to generate a logon-free URL for the page.

   https://signin.alibabacloud.com/federation?Action=Login
       &LoginUrl=<The URL to which you are redirected when the logon fails and the 302 HTTP status code is returned on your self-managed website>
       &SigninToken=<The logon token you obtained>
       &Destination=<The URL of the ARMS console page>

3. Use the logon-free URL to access the page in your browser.

FAQ

What do I do if the "frame-ancestors 'self' *.aliyun.com" error message appears when I use an iframe?

If you want to use an iframe to embed an ARMS console page into an application deployed by a virtual network operator, you must add the &TicketType=mini parameter for security purposes. For information about how to add the parameter, see Step 4. For information about how to specify the logon-free URL prefixed with https://arms4servims.console.alibabacloud.com, see Step 5.