Application Real-Time Monitoring Service: Service-linked role for ARMS

Last Updated: Mar 11, 2026

Application Real-Time Monitoring Service (ARMS) uses the AliyunServiceRoleForARMS service-linked role to let Managed Service for Prometheus access resources in other Alibaba Cloud services on your behalf, such as Container Service for Kubernetes (ACK), Simple Log Service (SLS), Elastic Compute Service (ECS), and Virtual Private Cloud (VPC). The AliyunServiceRoleForARMS role is automatically created, so you do not need to configure cross-service permissions manually.

For more information about service-linked roles, see Service-linked roles.

Permissions of the AliyunServiceRoleForARMS role

The AliyunServiceRoleForARMS role grants access to four Alibaba Cloud services:

Service | Access scope
Container Service for Kubernetes (ACK) | Read cluster configurations, manage cluster nodes, and manage Kritis-related components. Scoped to acs:cs:*:*:cluster/*.
Simple Log Service (SLS) | Create and manage projects, Logstores, indexes, dashboards, saved searches, machine groups, consumer groups, and jobs.
Elastic Compute Service (ECS) | Describe instances, disks, snapshots, images, security groups, network interfaces, regions, and monitoring data. Create and invoke Cloud Assistant commands.
Virtual Private Cloud (VPC) | Describe VPCs and vSwitches.

ACK permissions

{
    "Action": [
        "cs:ScaleCluster",
        "cs:DeleteCluster",
        "cs:GetClusterById",
        "cs:GetClusters",
        "cs:GetUserConfig",
        "cs:CheckKritisInstall",
        "cs:GetKritisAttestationAuthority",
        "cs:GetKritisGenericAttestationPolicy",
        "cs:CreateCluster",
        "cs:AttachInstances",
        "cs:InstallKritis",
        "cs:InstallKritisAttestationAuthority",
        "cs:InstallKritisGenericAttestationPolicy",
        "cs:DeleteCluster",
        "cs:UpdateClusterTags",
        "cs:DeleteClusterNodes",
        "cs:UninstallKritis",
        "cs:DeleteKritisAttestationAuthority",
        "cs:DeleteKritisGenericAttestationPolicy",
        "cs:UpdateKritisAttestationAuthority",
        "cs:UpdateKritisGenericAttestationPolicy",
        "cs:UpgradeCluster",
        "cs:DeleteClusterNode",
        "cs:GetClusterLogs"
    ],
    "Resource": [
        "acs:cs:*:*:cluster/*"
    ],
    "Effect": "Allow"
}

SLS permissions

{
    "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:GetLogStoreLogs",
        "log:GetHistograms",
        "log:GetLogStoreHistogram",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:DeleteLogStore",
        "log:UpdateLogStore",
        "log:GetCursorOrData",
        "log:GetCursor",
        "log:PullLogs",
        "log:ListShards",
        "log:PostLogStoreLogs",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:DeleteConfig",
        "log:GetConfig",
        "log:ListConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:DeleteMachineGroup",
        "log:GetMachineGroup",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:RemoveConfigFromGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetShipperStatus",
        "log:RetryShipperTask",
        "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup",
        "log:DeleteConsumerGroup",
        "log:ListConsumerGroup",
        "log:UpdateCheckPoint",
        "log:HeartBeat",
        "log:GetCheckPoint",
        "log:CreateIndex",
        "log:DeleteIndex",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:GetSavedSearch",
        "log:DeleteSavedSearch",
        "log:ListSavedSearch",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:GetDashboard",
        "log:DeleteDashboard",
        "log:ListDashboard",
        "log:CreateJob",
        "log:UpdateJob"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

ECS permissions

{
    "Action": [
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeUserdata",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeDisks",
        "ecs:DescribeSnapshots",
        "ecs:DescribeAutoSnapshotPolicy",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeImages",
        "ecs:DescribeImageSharePermission",
        "ecs:DescribeClassicLinkInstances",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeTags",
        "ecs:DescribeRegions",
        "ecs:DescribeZones",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeEipMonitorData",
        "ecs:DescribeDiskMonitorData",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeTasks",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeInstanceAttribute",
        "ecs:InvokeCommand",
        "ecs:CreateCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand",
        "ecs:InstallCloudAssistant"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

VPC permissions

{
    "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
    ],
    "Resource": "*",
    "Effect": "Allow"
}
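
Added example, not part of the Alibaba Cloud documentation: a Python sketch for reviewing the statements above, sorting each service's allowed actions into read and mutating groups and reporting which services have mutating actions on Resource "*". The READ_PREFIXES split and the trimmed STATEMENTS sample are assumptions of the example.

```python
import json
from collections import Counter

# Verb prefixes treated as read-only. This split is an assumption of the
# example, not an Alibaba Cloud classification.
READ_PREFIXES = ("Describe", "Get", "List")

# Constructed input: a subset of the Action lists shown above with their
# Resource values, trimmed to keep the example short.
STATEMENTS = json.loads("""[
  {"Action": ["cs:ScaleCluster", "cs:DeleteCluster", "cs:GetClusterById",
              "cs:CreateCluster", "cs:DeleteCluster", "cs:DeleteClusterNodes"],
   "Resource": ["acs:cs:*:*:cluster/*"], "Effect": "Allow"},
  {"Action": ["ecs:DescribeInstances", "ecs:AuthorizeSecurityGroup",
              "ecs:RevokeSecurityGroup", "ecs:InvokeCommand", "ecs:CreateCommand"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
   "Resource": "*", "Effect": "Allow"}
]""")


def as_list(value):
    """RAM policies allow a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def review(statements):
    """Group allowed actions per service into read and mutating buckets."""
    findings = {}
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in as_list(stmt["Resource"])
        counts = Counter(as_list(stmt["Action"]))
        for action, seen in counts.items():
            service, _, name = action.partition(":")
            entry = findings.setdefault(service, {
                "read": [], "mutating": [], "duplicates": [], "any_resource": False})
            entry["read" if name.startswith(READ_PREFIXES) else "mutating"].append(name)
            if seen > 1:
                entry["duplicates"].append(name)
            entry["any_resource"] = entry["any_resource"] or any_resource
    return findings


def unscoped_writes(findings):
    """Services whose mutating actions apply to every resource ("*")."""
    return sorted(s for s, e in findings.items() if e["mutating"] and e["any_resource"])


if __name__ == "__main__":
    for service, entry in review(STATEMENTS).items():
        print(service, entry)
    print("mutating on Resource *:", unscoped_writes(review(STATEMENTS)))
```

To review the full role, replace STATEMENTS with the four complete statements from this page.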

Delete the AliyunServiceRoleForARMS role

Delete the AliyunServiceRoleForARMS role when you no longer use Managed Service for Prometheus.

Impact of deletion:

  • Kubernetes clusters in your account stop synchronizing to the cluster list in the ARMS console.

  • ARMS stops reading and writing monitoring data to the ARMS console.

Prerequisites

Uninstall the Prometheus agent from the Kubernetes cluster in your account. The role cannot be deleted while the agent is still installed. For instructions, see Uninstall the Prometheus agent.

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, enter AliyunServiceRoleForARMS in the search box.

  4. In the Actions column, click Delete.

  5. In the Delete RAM Role dialog box, click OK.

FAQ

Why is the AliyunServiceRoleForARMS role not automatically created for my RAM user?

You must obtain the required permissions to automatically create or delete the AliyunServiceRoleForARMS role. To allow the role to be automatically created for your RAM user, attach the following policy to your RAM user:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<account-id>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "arms.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

Replace <account-id> with your Alibaba Cloud account ID.
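
Added example, not part of the Alibaba Cloud documentation: a Python check that a RAM policy granting ram:CreateServiceLinkedRole keeps the ram:ServiceName condition shown above, so the grant cannot be used for other services. EXPECTED_SERVICES, BROAD_POLICY and glob-style matching of Action wildcards are assumptions of the example.

```python
from fnmatch import fnmatchcase

GRANT = "ram:createservicelinkedrole"
# Services this account intends to allow; adjust to your own allow-list.
EXPECTED_SERVICES = {"arms.aliyuncs.com"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def unconstrained_grants(policy, expected=EXPECTED_SERVICES):
    """Indexes of Allow statements that grant ram:CreateServiceLinkedRole
    without pinning ram:ServiceName to the expected services."""
    flagged = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        # Assumption: Action wildcards behave like shell globs ("ram:*", "*").
        if not any(fnmatchcase(GRANT, p) for p in patterns):
            continue
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if pinned is None or not set(as_list(pinned)) <= expected:
            flagged.append(index)
    return flagged


# The policy from this FAQ; <account-id> is the page's own placeholder.
FAQ_POLICY = {"Version": "1", "Statement": [{
    "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": "acs:ram:*:<account-id>:role/*",
    "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": ["arms.aliyuncs.com"]}}}]}

# Constructed counter-examples: a read-only statement, then the same grant
# via a wildcard and with no Condition block.
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Action": "ram:GetRole", "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:*", "Resource": "*", "Effect": "Allow"},
    {"Action": ["ram:CreateServiceLinkedRole"],
     "Resource": "acs:ram:*:<account-id>:role/*", "Effect": "Allow"}]}

if __name__ == "__main__":
    print(unconstrained_grants(FAQ_POLICY))
    print(unconstrained_grants(BROAD_POLICY))
```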