Managed Service for Prometheus:Service-linked role for ARMS

Last Updated: Mar 10, 2026

Managed Service for Prometheus uses a service-linked role named AliyunServiceRoleForARMS to access resources in other Alibaba Cloud services on your behalf. This topic covers the role's purpose, its permissions, and how to delete it.

What is a service-linked role?

A service-linked role is a Resource Access Management (RAM) role that only a specific Alibaba Cloud service can assume. The service predefines the role's permissions, and no one can modify them. This guarantees that the service has exactly the access it needs -- nothing more, nothing less.

For more information, see Service-linked roles.

Role lifecycle

Automatic creation

When you enable Prometheus monitoring, the service automatically creates AliyunServiceRoleForARMS in your account. No manual setup is needed.

Editing

You cannot edit the permissions of AliyunServiceRoleForARMS. Application Real-Time Monitoring Service (ARMS) owns and manages the role definition. You can view the role and its policies in the RAM console, but you cannot change them.

Deletion

You can manually delete the role if you no longer use Prometheus monitoring. See Delete the AliyunServiceRoleForARMS role for instructions.

Accessed services and permissions

Prometheus monitoring assumes AliyunServiceRoleForARMS to read and manage resources across four services:

Service | Scope | What the role does
Container Service for Kubernetes (ACK) | acs:cs:*:*:cluster/* | Manage cluster configurations, scale nodes, and retrieve cluster logs
Log Service | * | Create and manage projects, Logstores, indexes, dashboards, and machine groups for storing and querying monitoring data
Elastic Compute Service (ECS) | * | Describe instances, disks, security groups, and network interfaces; run Cloud Assistant commands for agent management
Virtual Private Cloud (VPC) | * | Describe VPCs and vSwitches for network connectivity

Permission details

AliyunServiceRoleForARMS includes the following policy actions. Use these details for security auditing.

Container Service for Kubernetes (ACK)

Manage cluster lifecycle operations, node scaling, cluster tags, and Kritis-related attestation policies.

Resource: acs:cs:*:*:cluster/*

{
    "Action": [
        "cs:ScaleCluster",
        "cs:DeleteCluster",
        "cs:GetClusterById",
        "cs:GetClusters",
        "cs:GetUserConfig",
        "cs:CheckKritisInstall",
        "cs:GetKritisAttestationAuthority",
        "cs:GetKritisGenericAttestationPolicy",
        "cs:CreateCluster",
        "cs:AttachInstances",
        "cs:InstallKritis",
        "cs:InstallKritisAttestationAuthority",
        "cs:InstallKritisGenericAttestationPolicy",
        "cs:DeleteCluster",
        "cs:UpdateClusterTags",
        "cs:DeleteClusterNodes",
        "cs:UninstallKritis",
        "cs:DeleteKritisAttestationAuthority",
        "cs:DeleteKritisGenericAttestationPolicy",
        "cs:UpdateKritisAttestationAuthority",
        "cs:UpdateKritisGenericAttestationPolicy",
        "cs:UpgradeCluster",
        "cs:DeleteClusterNode",
        "cs:GetClusterLogs"
    ],
    "Resource": [
        "acs:cs:*:*:cluster/*"
    ],
    "Effect": "Allow"
}

Log Service

Create and manage projects, Logstores, machine groups, indexes, saved searches, dashboards, and jobs for monitoring data ingestion and querying.

Resource: *

{
    "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:GetLogStoreLogs",
        "log:GetHistograms",
        "log:GetLogStoreHistogram",
        "log:GetLogStore",
        "log:ListLogStores",
        "log:CreateLogStore",
        "log:DeleteLogStore",
        "log:UpdateLogStore",
        "log:GetCursorOrData",
        "log:GetCursor",
        "log:PullLogs",
        "log:ListShards",
        "log:PostLogStoreLogs",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:DeleteConfig",
        "log:GetConfig",
        "log:ListConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:DeleteMachineGroup",
        "log:GetMachineGroup",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:RemoveConfigFromGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetShipperStatus",
        "log:RetryShipperTask",
        "log:CreateConsumerGroup",
        "log:UpdateConsumerGroup",
        "log:DeleteConsumerGroup",
        "log:ListConsumerGroup",
        "log:UpdateCheckPoint",
        "log:HeartBeat",
        "log:GetCheckPoint",
        "log:CreateIndex",
        "log:DeleteIndex",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:GetSavedSearch",
        "log:DeleteSavedSearch",
        "log:ListSavedSearch",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:GetDashboard",
        "log:DeleteDashboard",
        "log:ListDashboard",
        "log:CreateJob",
        "log:UpdateJob"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Elastic Compute Service (ECS)

Query instance, disk, image, and security group metadata; authorize and revoke security group rules; monitor instance performance; run Cloud Assistant commands for agent installation and management.

Resource: *

{
    "Action": [
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeUserdata",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeDisks",
        "ecs:DescribeSnapshots",
        "ecs:DescribeAutoSnapshotPolicy",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeImages",
        "ecs:DescribeImageSharePermission",
        "ecs:DescribeClassicLinkInstances",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeTags",
        "ecs:DescribeRegions",
        "ecs:DescribeZones",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeEipMonitorData",
        "ecs:DescribeDiskMonitorData",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeTasks",
        "ecs:DescribeTaskAttribute",
        "ecs:DescribeInstanceAttribute",
        "ecs:InvokeCommand",
        "ecs:CreateCommand",
        "ecs:StopInvocation",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:DescribeInvocations",
        "ecs:DescribeInvocationResults",
        "ecs:ModifyCommand",
        "ecs:InstallCloudAssistant"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Virtual Private Cloud (VPC)

Query VPC and vSwitch configurations for network connectivity.

Resource: *

{
    "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

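As an added example (not part of this page or of ARMS), the following Python script performs the kind of audit the permission details above are meant to support: it classifies each allowed action as read-only or mutating by its verb prefix and flags mutating actions that are granted on the wildcard resource "*". The sample statements are a constructed excerpt of the policies above, and the read-only verb list is an assumption.

```python
# Constructed excerpt of the ACK, ECS and VPC statements shown on this page,
# trimmed to a few actions so the sample stays short.
SAMPLE_POLICY = [
    {"Action": ["cs:GetClusters", "cs:DeleteCluster", "cs:GetClusterLogs"],
     "Resource": ["acs:cs:*:*:cluster/*"], "Effect": "Allow"},
    {"Action": ["ecs:DescribeInstances", "ecs:InvokeCommand",
                "ecs:AuthorizeSecurityGroup", "ecs:InstallCloudAssistant"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
     "Resource": "*", "Effect": "Allow"},
]

# Assumption: actions whose verb starts with one of these prefixes only read
# state; every other action is treated as mutating for audit purposes.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Check", "Pull")


def is_read_only(action: str) -> bool:
    """Classify an action such as 'ecs:DescribeInstances' by its verb prefix."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_VERBS)


def audit_statements(statements):
    """Return one finding per distinct mutating action in Allow statements.

    Each finding is (action, resource_scope, granted_on_wildcard)."""
    findings, seen = [], set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        resources = stmt["Resource"]
        actions = actions if isinstance(actions, list) else [actions]
        resources = resources if isinstance(resources, list) else [resources]
        scope = ",".join(resources)
        for action in actions:
            # Duplicate actions within a statement count once.
            if is_read_only(action) or (action, scope) in seen:
                continue
            seen.add((action, scope))
            findings.append((action, scope, "*" in resources))
    return findings


def summarize(findings):
    """Count mutating actions and how many of them are unscoped."""
    return {"mutating": len(findings),
            "mutating_on_wildcard": sum(1 for _, _, w in findings if w)}


if __name__ == "__main__":
    for action, scope, wildcard in audit_statements(SAMPLE_POLICY):
        print(f"{action:32} {'WILDCARD' if wildcard else 'scoped':8} {scope}")
    print(summarize(audit_statements(SAMPLE_POLICY)))
```

Run against the full policies on this page, the same script shows that cluster deletion is scoped to cluster resources while Cloud Assistant command execution and security group changes are granted on "*".
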
Delete the AliyunServiceRoleForARMS role

Delete AliyunServiceRoleForARMS from your account if you no longer use Prometheus monitoring.

Important

Uninstall the Prometheus agent from every Kubernetes cluster in your account before deleting this role. The role cannot be deleted while the agent is installed. For instructions, see Uninstall the Prometheus agent.

Impact of deletion:

  • Your Kubernetes clusters stop synchronizing to the cluster list in the ARMS console.

  • ARMS stops reading and writing monitoring data.

Procedure:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, search for AliyunServiceRoleForARMS.

  4. In the Actions column, click Delete.

  5. In the Delete RAM Role dialog box, click OK.

FAQ

Why is the AliyunServiceRoleForARMS role not automatically created for my RAM user?

Your RAM user must have the required permissions to automatically create or delete the AliyunServiceRoleForARMS role. Attach the following policy to grant the permission:

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:<your-account-id>:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "arms.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

Replace <your-account-id> with your Alibaba Cloud account ID.