Embed Managed Service for OpenTelemetry console pages in your web application so your team can view tracing data -- applications, application details, and traces -- without switching to the Alibaba Cloud console.
The embedding flow uses Resource Access Management (RAM) and Security Token Service (STS) to generate logon-free URLs. RAM policies control the page layout (hide navigation bars) and access level (full or read-only).
How it works
The embedding flow uses STS-based federated logon to grant temporary, scoped access to console pages:
| Phase | Steps | Frequency |
|---|---|---|
| One-time setup | Create a RAM user and a RAM role with the required policies | Once |
| Per-session flow | Get temporary credentials, exchange them for a logon token, and build a logon-free URL | Every session (tokens expire after 3 hours) |
Prerequisites
Before you begin, make sure that you have:
An Alibaba Cloud account with RAM administrative privileges (or the AliyunRAMFullAccess policy)
A self-managed web application with a backend capable of making HTTP requests
Step 1: Create a RAM user and grant the STS AssumeRole permission
Create a RAM user that your application backend uses to call the STS AssumeRole operation.
Log on to the RAM console.
In the left-side navigation pane, choose Identity > Users.
On the Users page, click Create User.
On the Create User page, configure the following settings:
In the User Account Information section, set Logon Name and Display Name.
In the Access Mode section, select Using permanent AccessKey to access.
Click OK.
Important: RAM automatically generates an AccessKey pair for the RAM user. The AccessKey pair is displayed only once. Copy and store the AccessKey ID and AccessKey secret before closing the page. For more information, see Create an AccessKey pair.
On the Users page, find the RAM user and click Add Permissions in the Actions column.

To grant permissions to multiple RAM users at once, select the users and click Add Permissions at the bottom of the page.
In the Grant Permission panel, configure the following settings:
Set Resource Scope:
Account: The permission applies to the current Alibaba Cloud account.
ResourceGroup: The permission applies to a specific resource group. See Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Important: Before you set Resource Scope to ResourceGroup, confirm that the cloud service supports resource groups. See Services that work with Resource Group.
Confirm the Principal (the RAM user you are granting permissions to). The system automatically selects the current RAM user as the principal.
In the Policy section, select AliyunSTSAssumeRoleAccess.
Click Grant permissions.
Click Close.
Step 2: Create a RAM role and grant Managed Service for OpenTelemetry permissions
Create a RAM role that defines what the embedded console session can access.
Grant permissions to the RAM role. Choose one of the following policies based on the access level you need:
| Policy | Access level |
|---|---|
| AliyunTracingAnalysisFullAccess | Full read and write access to Managed Service for OpenTelemetry |
| AliyunTracingAnalysisReadOnlyAccess | Read-only access to Managed Service for OpenTelemetry |

Important: The RAM role permissions determine what data and operations are available in the embedded console.
Step 3: Get a temporary AccessKey pair and STS token
From your application backend, call the STS AssumeRole operation to get temporary credentials. Use one of the following methods:
Replace the placeholders in the sample code with your actual values:
String akId = "<your-access-key-id>";
String ak = "<your-access-key-secret>";
String roleArn = "<your-role-arn>";

| Placeholder | Description | Where to find it |
|---|---|---|
| <your-access-key-id> | AccessKey ID of the RAM user created in Step 1 | RAM console > Users > User details |
| <your-access-key-secret> | AccessKey secret of the RAM user created in Step 1 | Saved during Step 1 (displayed only once) |
| <your-role-arn> | Alibaba Cloud Resource Name (ARN) of the RAM role created in Step 2 | RAM console > Roles > Role details |


Step 4: Get a logon token
Call the GetSigninToken operation to exchange the temporary credentials from Step 3 for a logon token.
The STS token may contain special characters. URL-encode the token before including it in the request.
http://signin4service.alibabacloud.com/federation?Action=GetSigninToken
&AccessKeyId=<temporary-access-key-id>
&AccessKeySecret=<temporary-access-key-secret>
&SecurityToken=<sts-token>
&TicketType=mini
Add the &TicketType=mini parameter only if your web application is deployed on a partner cloud platform.
Step 5: Build a logon-free URL
Combine the logon token from Step 4 with the console page URL to build a logon-free URL.
Get the target console page URL. For example, the Applications page for the China (Hangzhou) region:
https://trace4servims.console.alibabacloud.com/#/overview/cn-hangzhou
(Optional) Append layout parameters to the console page URL to hide navigation elements:
| Parameter | Effect | Example |
|---|---|---|
| hideTopbar=true | Hides the top navigation bar | https://trace4servims.console.alibabacloud.com/#/overview/cn-hangzhou?hideTopbar=true |
| hideSidebar=true | Hides the left-side navigation pane | https://trace4servims.console.alibabacloud.com/#/overview/cn-hangzhou?hideSidebar=true |

To hide both, combine the parameters:
?hideTopbar=true&hideSidebar=true
Build the logon-free URL:
http://signin.alibabacloud.com/federation?Action=Login
&LoginUrl=<your-login-failure-redirect-url>
&SigninToken=<logon-token>
&Destination=<console-page-url>

| Parameter | Description |
|---|---|
| LoginUrl | The URL that users are redirected to if logon fails (returns HTTP 302) |
| SigninToken | The logon token from Step 4 |
| Destination | The Managed Service for OpenTelemetry console page URL (with optional layout parameters) |
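An added example, not the page's downloadable sample or Alibaba Cloud's own code: it assembles the Step 4 and Step 5 URLs with every value URL-encoded, which matters because the STS token can contain characters such as + and / and the Destination itself contains #, ? and &. The class and method names, the sample values and the console-host check are assumptions made here; Java 10 or later is assumed.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class LogonFreeUrl {
    // Endpoints and console host exactly as written in Steps 4 and 5 of this page.
    static final String TOKEN_ENDPOINT = "http://signin4service.alibabacloud.com/federation";
    static final String LOGIN_ENDPOINT = "http://signin.alibabacloud.com/federation";
    static final String CONSOLE_HOST = "trace4servims.console.alibabacloud.com";

    // Percent-encodes '+', '/', '=', '#', '?', '&' so a value cannot split the query.
    static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Step 4: GetSigninToken request URL. It carries the temporary secret and the
    // STS token, so build and call it on the backend only and keep it out of logs.
    static String signinTokenRequest(String akId, String akSecret, String stsToken, boolean partner) {
        String url = TOKEN_ENDPOINT + "?Action=GetSigninToken"
                + "&AccessKeyId=" + enc(akId)
                + "&AccessKeySecret=" + enc(akSecret)
                + "&SecurityToken=" + enc(stsToken);
        return partner ? url + "&TicketType=mini" : url;
    }

    // Step 5: logon-free URL. Added check (an assumption, not from the page): accept
    // only a Destination on the console host, in case the page path is caller-supplied.
    static String logonFreeUrl(String signinToken, String loginUrl, String destination) {
        URI dest = URI.create(destination);
        if (!"https".equals(dest.getScheme()) || !CONSOLE_HOST.equals(dest.getHost())) {
            throw new IllegalArgumentException("Destination must be on " + CONSOLE_HOST);
        }
        return LOGIN_ENDPOINT + "?Action=Login"
                + "&LoginUrl=" + enc(loginUrl)
                + "&SigninToken=" + enc(signinToken)
                + "&Destination=" + enc(destination);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials or tokens.
        String page = "https://" + CONSOLE_HOST + "/#/overview/cn-hangzhou?hideTopbar=true&hideSidebar=true";
        String req = signinTokenRequest("STS.constructedId", "constructedSecret",
                "CAIS+constructed/token==", false);
        System.out.println(req.replaceAll("(AccessKeySecret|SecurityToken)=[^&]*", "$1=***"));
        System.out.println(logonFreeUrl("constructed-signin-token",
                "https://app.example.com/logon-failed", page));
    }
}
```

Without the encoding of Destination, everything after # would be treated as the fragment of the logon URL and the layout parameters would never reach the console page.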
Handle token expiration
Temporary STS tokens expire after 3 hours. To maintain uninterrupted access:
Generate a new logon token on each page request from your application backend.
Perform a 302 redirect to the updated logon-free URL.
Result
The Managed Service for OpenTelemetry console page appears inside your web application:

Sample code
Download the complete sample code (Java). This example embeds the Applications page of the Managed Service for OpenTelemetry console into a self-managed web application.