When multiple team members need access to Application Real-Time Monitoring Service (ARMS) Managed Service for Prometheus, use Resource Access Management (RAM) to control who can view, modify, or manage Prometheus instances. This keeps each person's permissions scoped to their role and reduces the risk of unintended changes or data exposure.
ARMS provides two types of RAM policies for Prometheus access control:
System policy (AliyunARMSPrometheusAccessAuth): Grants console access to Managed Service for Prometheus. Attach this policy to every RAM user who needs to work in the Prometheus console.
Custom policy: Restricts access to specific Prometheus instances by region, resource group, or tag. Create one when the system policy is too broad.
You can scope custom policies in three ways:
| Scoping method | Use when | Example |
|---|---|---|
| Region | Teams operate in specific regions | Grant access only to cn-hangzhou instances |
| Resource group (recommended) | Your organization uses resource groups to isolate environments | Grant access to a production resource group |
| Tag | Instances are tagged by team, project, or environment | Grant access only to instances tagged team:backend |
A typical setup follows this sequence:
Attach the system policy to grant console access.
Create a custom policy to limit permissions by region, resource group, or tag.
Attach the custom policy to the RAM user.
Verify that the permissions work as expected.
Prerequisites
Before you begin, make sure that you have:
An activated ARMS instance. For more information, see Activate ARMS.
Familiarity with RAM policy elements, structure, and syntax. For more information, see Policy elements.
Step 1: Attach the system policy
The AliyunARMSPrometheusAccessAuth system policy grants a RAM user the permissions required to log on to the Managed Service for Prometheus console.
Log on to the RAM console with an account that has administrative rights.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the target RAM user, and click Add Permissions in the Actions column.
In the Grant Permission panel, configure the following parameters.
| Parameter | Value |
|---|---|
| Resource Scope | Account |
| Principal | The RAM user |
| Policy | AliyunARMSPrometheusAccessAuth |
Click Grant permissions, then click Close.
Step 2: Create a custom policy to scope by region (optional)
Create a custom policy to restrict a RAM user's access to Prometheus instances in a specific region. Skip this step if the system policy meets your requirements.
Log on to the RAM console with an account that has administrative rights.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab and enter the policy content. The following policy grants full Prometheus permissions in the China (Hangzhou) region.
Resource ARN format:
acs:arms:<region-id>:*:prometheus/*
| ARN segment | Description | Example values |
|---|---|---|
| acs | Alibaba Cloud Service prefix | Always acs |
| arms | Service name | Always arms |
| <region-id> | Target region | cn-hangzhou, ap-southeast-1, or * for all regions |
| * | Account ID | * matches all accounts |
| prometheus/* | Resource type and ID | prometheus/* matches all Prometheus instances |
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "arms:List*",
        "arms:Get*",
        "arms:Update*",
        "arms:Exe*",
        "arms:Create*",
        "arms:Del*",
        "arms:Add*",
        "arms:Check*",
        "arms:Delete*",
        "arms:Restart*",
        "arms:HealthCheck*",
        "arms:BindPrometheus*",
        "arms:install*"
      ],
      "Resource": "acs:arms:cn-hangzhou:*:prometheus/*"
    }
  ]
}
Click OK. In the dialog box that appears, set Name and Description.
Click OK.
Step 3: Attach the custom policy to the RAM user
Log on to the RAM console with an account that has administrative rights.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the target RAM user, and click Add Permissions in the Actions column.
In the Grant Permissions panel, configure the following parameters.
| Parameter | Value |
|---|---|
| Resource Scope | ResourceGroup |
| Principal | The RAM user |
| Policy | The custom policy created in Step 2 |
Click Grant permissions, then click OK.
Verify that permissions work correctly
Log on to the ARMS console as the RAM user. For more information, see Manage console logon settings for a RAM user.
In the left-side navigation pane, choose Managed service for Prometheus > Instances.
On the Instances page, click the icon to view the resource list of the resource group.

If the RAM user does not have permissions on a resource group, an error message appears. You can ignore this error message.

Scope permissions by tag
Instead of resource group-based scoping, tags offer another way to control access to specific Prometheus instances. Add a Condition block to the custom policy from Step 2.
The following policy grants permissions only on Prometheus instances with a specific tag:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "arms:List*",
        "arms:Get*",
        "arms:Update*",
        "arms:Exe*",
        "arms:Create*",
        "arms:Del*",
        "arms:Add*",
        "arms:Check*",
        "arms:Delete*",
        "arms:Restart*",
        "arms:HealthCheck*",
        "arms:BindPrometheus*",
        "arms:install*"
      ],
      "Resource": "acs:arms:*:*:prometheus/*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/tagkey": [
            "tagvalue"
          ]
        }
      }
    }
  ]
}
Replace tagkey and tagvalue with the actual tag key and value for your Prometheus instances.
After you apply a tag-based policy, the RAM user experiences the following behavior:
On the Prometheus instance list, an insufficient-permissions error appears because no tags are selected yet.
After selecting the tags defined in the custom policy, the instance list loads successfully.
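Before attaching either custom policy, it helps to check offline that it allows exactly what you expect: the region-scoped policy from Step 2 should reject an instance in another region, and the tag-scoped policy above should reject a request that does not carry the required tag. The following Python script is an added example written for this page; it is not Alibaba Cloud's RAM evaluation engine and not code from the page. It models only what the two policies use (Allow statements, segment-wise wildcard matching on the acs:arms:<region-id>:<account>:prometheus/<id> ARN, and a StringEquals condition on acs:RequestTag/<key>), fails closed on anything else, and fills in the tagkey/tagvalue placeholders with the team:backend example from the scoping table. The ARNs, account ID and instance IDs in it are constructed.

```python
"""Offline sanity check of the region- and tag-scoped RAM policies on this page.

Simplified model of policy evaluation (added example, not Alibaba Cloud's engine):
Allow statements only, '*' wildcards matched per ARN segment, and StringEquals on
acs:RequestTag/<key>. Any other Effect, operator or condition key is treated as
not matching, so an unmodelled clause never grants access by accident.
"""
import fnmatch

# Action list shared by both policies, copied from the page.
ACTIONS = ["arms:List*", "arms:Get*", "arms:Update*", "arms:Exe*", "arms:Create*",
           "arms:Del*", "arms:Add*", "arms:Check*", "arms:Delete*", "arms:Restart*",
           "arms:HealthCheck*", "arms:BindPrometheus*", "arms:install*"]

# Step 2 policy: full Prometheus permissions, China (Hangzhou) region only.
REGION_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ACTIONS,
    "Resource": "acs:arms:cn-hangzhou:*:prometheus/*"}]}

# Tag-scoped policy with tagkey/tagvalue filled in as team:backend (constructed
# from the scoping table's example; substitute your own tag).
TAG_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ACTIONS,
    "Resource": "acs:arms:*:*:prometheus/*",
    "Condition": {"StringEquals": {"acs:RequestTag/team": ["backend"]}}}]}


def _as_list(value):
    """RAM allows a string or a list for Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """Match acs:<service>:<region>:<account>:<resource> segment by segment.

    A '*' only spans its own segment, so 'acs:arms:cn-hangzhou:*:prometheus/*'
    cannot match an instance in ap-southeast-1 or a non-Prometheus resource.
    """
    p_parts = pattern.split(":", 4)
    a_parts = arn.split(":", 4)
    if len(p_parts) != 5 or len(a_parts) != 5:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def condition_holds(condition, request_tags):
    """Evaluate a Condition block against the tags sent with the request.

    Only StringEquals on acs:RequestTag/<key> is modelled, because that is what
    the page's policy uses; anything else fails closed.
    """
    prefix = "acs:RequestTag/"
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            return False
        for key, allowed_values in clauses.items():
            if not key.startswith(prefix):
                return False
            tag_key = key[len(prefix):]
            if request_tags.get(tag_key) not in _as_list(allowed_values):
                return False
    return True


def is_allowed(policy, action, resource, request_tags=None):
    """True if at least one Allow statement covers action, resource and condition.

    Assumption: action names compare case-insensitively (the page mixes
    'arms:Delete*' and 'arms:install*').
    """
    request_tags = request_tags or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(pat, resource) for pat in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), request_tags):
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed ARNs: a Hangzhou instance and a Singapore instance.
    hz = "acs:arms:cn-hangzhou:1234567890123456:prometheus/inst-a"
    sg = "acs:arms:ap-southeast-1:1234567890123456:prometheus/inst-b"
    print(is_allowed(REGION_POLICY, "arms:ListPrometheusInstances", hz))  # True
    print(is_allowed(REGION_POLICY, "arms:ListPrometheusInstances", sg))  # False
    print(is_allowed(TAG_POLICY, "arms:GetPrometheusInstance", sg, {"team": "backend"}))  # True
    print(is_allowed(TAG_POLICY, "arms:GetPrometheusInstance", sg))  # False
```

The last two calls reproduce the console behaviour described above: with no tag selected the tag-scoped policy grants nothing, and once the request carries team=backend the same action on the same instance is allowed. Swap in your own tag key and value, or your own region, to check a policy before granting it to a RAM user.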

Best practices
Start with the system policy, then refine with a custom policy. Attach AliyunARMSPrometheusAccessAuth first for baseline console access, then create a custom policy to narrow permissions to specific regions, resource groups, or tags.
Use resource groups for organization-wide access control. Resource group-based scoping is the recommended approach for managing access to Prometheus instances across teams or environments.
Apply the principle of least privilege. Grant only the actions and resources each RAM user needs. Avoid wildcards (*) for both region and resource unless the user genuinely requires access to all Prometheus instances in all regions.
Combine scoping methods as needed. Use region-based scoping to restrict geographic access, resource groups to isolate environments, and tags for project- or team-level control.