All Products
Search

This Product

    Application Real-Time Monitoring Service:Monitor applications across Alibaba Cloud accounts

    Document Center

    Application Real-Time Monitoring Service:Monitor applications across Alibaba Cloud accounts

    Last Updated:Mar 11, 2026

    Application Real-Time Monitoring Service (ARMS) can aggregate monitoring data from multiple Alibaba Cloud accounts into a single account. This gives you centralized visibility into traces, metrics, and application topology across your organization without switching between accounts.

    This guide covers two deployment scenarios:

    • ACK applications -- applications running in Container Service for Kubernetes (ACK) clusters

    • ECS applications -- applications deployed on Elastic Compute Service (ECS) instances

    Before you begin

    Cross-account monitoring requires you to manually manage data reporting, authorization, billing, and fine-grained permissions for each account. This adds operational overhead. For most multi-account organizations, managing applications within each account is simpler. Evaluate whether centralized monitoring justifies the added complexity before proceeding.

    Terminology

    TermDefinition
    Monitoring account (Account A)The Alibaba Cloud account that runs ARMS and receives monitoring data from other accounts.
    Source account (Account B)The Alibaba Cloud account whose applications report data to the monitoring account.

    ACK applications

    To report ACK application data from a source account to ARMS in the monitoring account, configure the ack-onepilot component with the monitoring account's credentials.

    Step 1: Create a RAM user in the monitoring account

    1. Log on to the Resource Access Management (RAM) console with the monitoring account (Account A).

    2. Create a RAM user and attach the following policies: For detailed steps, see Create a RAM user.

      • AliyunARMSFullAccess

      • AliyunSTSAssumeRoleAccess

    Step 2: Create an AccessKey pair

    Create an AccessKey pair for the RAM user you created in Step 1. Save the AccessKey ID and AccessKey secret -- you need them in Step 4.

    For detailed steps, see Create an AccessKey pair.

    Important

    Store the AccessKey pair securely. Do not embed credentials directly in application code or configuration files that are committed to version control.

    Step 3: Install the ARMS agent

    Install the ARMS agent (ack-onepilot component) for the applications in the source account (Account B).

    For detailed steps, see Automatically install an ARMS agent in ACK.

    Step 4: Update the ack-onepilot configuration

    Important

    The ack-onepilot component must be version 3.0.14 or later. Cross-account data reporting requires the AccessKey pair configuration introduced in v3.0.14. For release notes, see ack-onepilot.

    1. Log on to the ACK console.

    2. On the cluster details page, choose Applications > Helm in the left-side navigation pane.

    3. Find ack-onepilot and click Update in the Actions column.

    4. Set the following parameters:

      ParameterValue
      accessKeyThe AccessKey ID from Step 2
      accessKeySecretThe AccessKey secret from Step 2
      uidThe ID of the monitoring account (Account A)

    5. Click OK.

    After you save the configuration, ACK application data from the source account starts reporting to ARMS in the monitoring account.

    ack-onepilot configuration

    Step 5: Set up access for application management

    Choose one of the following approaches to manage the monitored applications:

    ApproachWhen to useSteps
    Use the existing RAM userYou want the simplest setupThe RAM user from Step 1 already has the AliyunARMSFullAccess policy. No additional configuration is required.
    Create a dedicated RAM userYou want separate credentials for monitoring vs. data reportingCreate a new RAM user in the monitoring account (Account A). Attach the AliyunARMSFullAccess policy for full access, or attach a custom policy for fine-grained permissions. See Attach a custom policy to a RAM user.
    Use a RAM role (cross-account delegation)You do not want to share monitoring account credentials with the source account teamLet a RAM user from the source account assume a role in the monitoring account. See (Optional) Use a RAM role to manage applications.

    ECS applications

    To report ECS application data from a source account to ARMS in the monitoring account, install the ARMS agent with the monitoring account's license key.

    Step 1: Get the license key

    1. Log on to the ARMS console with the monitoring account (Account A).

    2. Go to the Integration Center page and copy the license key.

    Important

    Each Alibaba Cloud account has a unique license key.

    Integration Center - license key

    Step 2: Install the ARMS agent

    Download the ARMS agent installation package and install the agent on each ECS-deployed application in the source account (Account B). Use the license key from Step 1 during installation.

    For detailed steps, see Manually install an ARMS agent.

    Step 3: Set up access for application management

    Create a RAM user in the monitoring account (Account A). Attach the AliyunARMSFullAccess policy for full ARMS access, or attach a custom policy for fine-grained permissions.

    For details, see Attach a custom policy to a RAM user.

    Note

    As an alternative, a RAM user from the source account can assume a RAM role in the monitoring account. See (Optional) Use a RAM role to manage applications.

    (Optional) Use a RAM role to manage applications

    If you prefer not to share monitoring account RAM user credentials with the source account team, delegate access through a RAM role instead. A RAM user from Account B assumes a role in Account A to access ARMS -- no Account A credentials are shared.

    Step 1: Grant permissions to the source account

    1. Create a RAM role in the monitoring account. Log on to the RAM console with Account A. Create a RAM role whose trusted entity is an Alibaba Cloud account, and set Account B as the trusted entity. In this example, the role is named arms-admin. For detailed steps, see Create a RAM role for a trusted Alibaba Cloud account.

      RAM role configuration

    2. Attach a policy to the RAM role. Attach the AliyunARMSFullAccess policy to the arms-admin role for full ARMS permissions. For fine-grained access, attach a custom policy instead.

    3. Create a RAM user in the source account. Create a RAM user in Account B. For detailed steps, see Create a RAM user.

      Important

      Save the username and password of the RAM user.

    4. Grant the RAM user permission to assume the role. Using Account B, attach the AliyunSTSAssumeRoleAccess policy to the RAM user created in the previous step. For detailed steps, see Grant permissions to a RAM user.

    Step 2: Access ARMS from the source account

    1. Log on to the RAM console as the RAM user from Account B. For detailed steps, see Log on to the Alibaba Cloud Management Console as a RAM user.

    2. Hover over the profile avatar and click Switch Identity.

    3. Enter the ID of Account A and the name of the RAM role, such as arms-admin. For detailed steps, see Assume a RAM role.

    4. Open the ARMS console. In the left-side navigation pane, choose Application Monitoring > Applications to view the monitored applications.