If you manage multiple Alibaba Cloud accounts, you can centralize monitoring and enable cross-account tracing for your applications. To achieve this, send application data to a single account and use RAM users or RAM roles to grant other users permission to view or manage the data.
Before you begin
Cross-account monitoring requires you to manually manage data reporting, authorization, billing, and fine-grained permissions for each account. This adds operational overhead. For most multi-account organizations, managing applications within each account is simpler. Evaluate whether centralized monitoring justifies the added complexity before proceeding.
Terminology
| Term | Definition |
|---|---|
| Monitoring account (Account A) | The Alibaba Cloud account that runs ARMS and receives monitoring data from other accounts. |
| Source account (Account B) | The Alibaba Cloud account whose applications report data to the monitoring account. |
Solution
This topic provides a solution for the following scenario: An organization uses two Alibaba Cloud accounts, Account A and Account B. ARMS is activated in Account A, and ACK is activated in Account B. The goal is to connect applications from Account B to ARMS in Account A for centralized monitoring.
-
In Account A, create a RAM user and grant the AliyunARMSFullAccess and AliyunSTSAssumeRoleAccess permissions. For more information, see Create a RAM user.
-
Create an AccessKey pair for the RAM user. For more information, see Create an AccessKey pair.
-
Install the Application Monitoring eBPF agent for the applications in Account B. For more information, see Manually connect applications to Application Monitoring eBPF.
-
In the ACK console for the target cluster, navigate to the page. Find the ack-arms-cmonitor component and click Update in the Actions column.
-
Replace
accessKeyandaccessKeySecretwith the AccessKey ID and secret obtained in Step 2, and replaceuid_idwith the UID of Account A. Then, click OK.The ACK applications in Account B then begin reporting data to ARMS in Account A.
In the Update Release dialog box, locate and replace these parameters in the YAML configuration editor.
-
Manage applications by using a RAM user from Account A.
-
Method 1: Use the RAM user that you created in Step 1 to manage applications.
-
Method 2: Create a dedicated RAM user in Account A to manage applications.
Create a RAM user in Account A and grant full ARMS permissions by attaching the AliyunARMSFullAccess policy, or grant fine-grained permissions with a custom policy. For more information about how to create a custom policy, see Custom RAM authorization for Application Monitoring.
NoteYou can also use a RAM user from Account B to manage applications by assuming a RAM role. For more information, see (Optional) Use a RAM role to manage applications.
-
(Optional) Manage applications with a RAM role
You can also authorize a RAM user from Account B to access ARMS. This allows the user to access ARMS by switching their identity.
Step 1: Grant permissions to Account B
-
Use Account A to create a RAM role for a trusted Alibaba Cloud account. For this example, name the role
arms-admin. Select Account B as the trusted account.For more information, see Create a RAM role for a trusted Alibaba Cloud account.
-
Grant permissions to the
arms-adminRAM role in Account A. You can grant full ARMS permissions by attaching the AliyunARMSFullAccess policy, or grant fine-grained permissions with a custom policy.-
For more information about how to create a custom policy, see Custom RAM authorization for Application Monitoring.
-
For more information about how to grant permissions to a RAM role, see Grant permissions to a RAM role.
-
-
Create a RAM user in Account B.
For more information, see Create a RAM user.
ImportantSave the logon name and password of the RAM user.
-
Grant the AliyunSTSAssumeRoleAccess permission to the RAM user in Account B. This permission lets the RAM user assume a RAM role.
For more information, see Grant permissions to a RAM user.
Step 2: Manage applications as a RAM user from Account B
-
Log on to the RAM console as the RAM user from Account B.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
-
After you log on, move the pointer over the profile icon in the upper-right corner and click Switch Identity.
-
Enter the UID of Account A and the name of the RAM role you created for Account A in Step 1.
For more information, see Assume a RAM role.
-
Log on to the ARMS console. In the left-side navigation pane, choose to view your applications.