The service-linked role for CloudMonitor, AliyunServiceRoleForCloudMonitor, is a RAM role that authorizes CloudMonitor to access other Alibaba Cloud services in specific scenarios.

Note: For more information about service-linked roles, see Service-linked roles.

Scenarios

When CloudMonitor automatically installs the CloudMonitor agent on hosts, CloudMonitor uses the service-linked role to obtain the permissions to use Cloud Assistant.

Permission description

This section describes the permissions of the service-linked role.

  • Name: AliyunServiceRoleForCloudMonitor
  • Policy attached to the role: AliyunServiceRolePolicyForCloudMonitor
  • Policy description: grants CloudMonitor the permissions to use Cloud Assistant to view status, run commands, and view command output on all instances of the current account.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "cloudmonitor.aliyuncs.com"
                    }
                }
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "ess.aliyuncs.com"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand",
                    "ecs:DescribeInvocations",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInstances",
                    "vpc:DescribeEipAddresses",
                    "rds:DescribeDBInstances",
                    "slb:DescribeLoadBalancers",
                    "alb:ListLoadBalancers",
                    "vpc:DescribeBandwidthPackages",
                    "cdn:DescribeUserDomains",
                    "cs:GetClusters",
                    "yundun-antiddosbag:DescribeInstanceList",
                    "yundun-ddoscoo:DescribeInstances",
                    "elasticsearch:ListInstance",
                    "emr:ListClusters",
                    "kvstore:DescribeInstances",
                    "polardb:DescribeDBClusters",
                    "vpc:DescribeCommonBandwidthPackages",
                    "yundun-ddoscoo:DescribeInstanceIds",
                    "yundun-waf:DescribeDomain",
                    "dds:DescribeDBInstances",
                    "adb:DescribeDBClusters",
                    "alidns:DescribeDnsProductInstances",
                    "alidns:DescribeDomainGroups",
                    "alidns:DescribeDomains",
                    "apigateway:DescribeAppAttributes",
                    "cen:DescribeCens",
                    "cen:ListTransitRouters",
                    "cen:ListTransitRouterVpcAttachments",
                    "cen:ListTransitRouterVbrAttachments",
                    "cen:ListTransitRouterPeerAttachments",
                    "cs:GetClusterById",
                    "cs:GetClustersByUid",
                    "cs:ListClusters",
                    "cs:DescribeClusterInnerServiceKubeconfig",
                    "cs:RevokeClusterInnerServiceKubeconfig",
                    "drds:DescribeDrdsInstances",
                    "eci:DescribeContainerGroups",
                    "elasticsearch:ListLogstash",
                    "ess:DescribeScalingGroups",
                    "ess:DescribeScalingInstances",
                    "hbase:DescribeInstances",
                    "hcs-sgw:describeGateways",
                    "hitsdb:DescribeHiTSDBInstance",
                    "hitsdb:DescribeHiTSDBInstanceList",
                    "hitsdb:DescribeRegions",
                    "hitsdb:GetLindormInstanceList",
                    "mq:OnsInstanceInServiceList",
                    "mq:QueryInstanceBaseInfo",
                    "nas:DescribeFileSystems",
                    "oss:GetBucketInfo",
                    "oss:ListBuckets",
                    "privatelink:ListVpcEndpoints",
                    "privatelink:ListVpcEndpointServices",
                    "resourcemanager:ListHandshakesForResourceDirectory",
                    "vpc:DescribeNatGateways",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVpnConnections",
                    "vpc:DescribeVpnGateway",
                    "vpc:DescribeVpnGateways",
                    "vpc:DescribeRegions",
                    "vpc:DescribePhysicalConnections",
                    "vpc:DescribeVirtualBorderRouters",
                    "vpc:DescribeVirtualBorderRoutersForPhysicalConnection",
                    "yundun-waf:DescribeInstanceInfo",
                    "alikafka:ListInstance",
                    "amqp:ListInstance",
                    "yundun-sas:InstallCloudMonitor",
                    "bssapi:QueryRelationList",
                    "bssapi:QueryCostUnitResource",
                    "bssapi:QueryCostUnit",
                    "lindorm:GetLindormInstanceList",
                    "lindorm:DescribeRegions"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "cdn:StopCdnDomain"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ess:ExecuteScalingRule"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "fc:InvokeFunction"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:PostLogStoreLogs",
                    "log:ListProject",
                    "log:ListTopics",
                    "log:ListLogStores",
                    "log:ListShards",
                    "log:GetCursor",
                    "log:BatchGetLog",
                    "log:GetLogStore",
                    "log:GetCursorOrData"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "mns:SendMessage",
                    "mns:PublishMessage"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "cms:DescribeMetricLast",
                    "cms:DescribeMonitoringAgentHosts",
                    "cms:DescribeMetricMetaList",
                    "cms:QueryMetricLast",
                    "cms:DescribeMetricList",
                    "cms:QueryMetricList",
                    "cms:DescribeSiteMonitorAttribute",
                    "cms:DescribeSiteMonitorList",
                    "cms:DescribeGrafana",
                    "cms:GetAction",
                    "cms:DescribeLogMonitorAttribute",
                    "cms:DescribeAlertLogCount",
                    "cms:DescribeAlertLogHistogram",
                    "cms:DescribeAlertLogList",
                    "cms:ListTaskConfig",
                    "cms:DescribeMonitorGroupByInstance"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "tag:ListTagResources",
                    "tag:DescribeRegions"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "resourcemanager:GetAccount",
                    "resourcemanager:ListAccountsForParent",
                    "resourcemanager:ListAccounts",
                    "resourcemanager:GetFolder",
                    "resourcemanager:ListFoldersForParent",
                    "resourcemanager:ListAncestors",
                    "resourcemanager:GetResourceDirectory"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
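The policy above grants more than read access: ecs:RunCommand, cdn:StopCdnDomain, ess:ExecuteScalingRule, fc:InvokeFunction and cs:RevokeClusterInnerServiceKubeconfig all change state, most of them on Resource "*". The following Python script is an added example, not Alibaba Cloud's own tooling: it parses a RAM policy document, separates read-only actions from state-changing ones by verb prefix, and records each grant's resource scope and whether a Condition limits it. The embedded policy is a constructed excerpt of the statements shown above.

```python
"""Audit an Alibaba Cloud RAM policy: separate read-only actions from state-changing
ones and note each grant's resource scope. Added example, not Alibaba Cloud's own
tooling; POLICY_EXCERPT is a constructed excerpt of the statements shown above."""
import json
import re

# Action verbs that only read state; anything else is treated as state-changing.
# A prefix heuristic, so review the output rather than trusting it blindly.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|List|Get|Query|BatchGet)", re.I)

POLICY_EXCERPT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "cloudmonitor.aliyuncs.com"}}},
        {"Effect": "Allow",
         "Action": ["ecs:RunCommand", "ecs:DescribeInvocations",
                    "ecs:DescribeCloudAssistantStatus"],
         "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:DescribeInstances", "cs:DescribeClusterInnerServiceKubeconfig",
                    "cs:RevokeClusterInnerServiceKubeconfig"]},
        {"Action": ["cdn:StopCdnDomain"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["fc:InvokeFunction"], "Resource": "*", "Effect": "Allow"},
    ],
})


def _as_list(value):
    # RAM policies allow "Action" and "Resource" to be a string or a list.
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (action, resources, conditioned) for every state-changing Allow."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        conditioned = "Condition" in stmt
        for action in _as_list(stmt["Action"]):
            if not READ_ONLY.match(action):
                findings.append((action, resources, conditioned))
    return findings


def unconditioned_wildcard(findings):
    """State-changing actions on Resource "*" with no Condition: review these first."""
    return sorted(a for a, res, cond in findings if "*" in res and not cond)
```

Call audit_policy(POLICY_EXCERPT) to list the findings, or pass the full policy text from the page to audit the whole document.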

Create the service-linked role

When CloudMonitor automatically installs the CloudMonitor agent on hosts, CloudMonitor automatically creates the service-linked role.

Delete the service-linked role

To delete the service-linked role, perform the following steps:

  1. On the Host Monitoring page, check whether Automatically Install CloudMonitor Agent on Newly Purchased ECS Instances is turned off.
    If Automatically Install CloudMonitor Agent on Newly Purchased ECS Instances is turned on, turn the switch off so that it shows Disabled.
  2. Delete the service-linked role.
    For more information about how to delete a service-linked role, see Delete a service-linked role.