Configure Prometheus monitoring permissions for a RAM user in Container Service - Managed Service for Prometheus

Configure permissions for a RAM user to manage Prometheus monitoring in the Container Service console.

Prerequisites

You have the permissions to install components in the Container Service console. For more information, see Use RAM to grant access permissions to clusters and cloud resources.
You have activated Prometheus Service.

RAM user permission configuration

Permission configuration to install or update Prometheus monitoring

You can grant permissions to a RAM user using one of the following methods:

Grant the RAM user the AliyunCloudMonitorFullAccess system policy.

Grant the RAM user custom permissions.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease",
        "cms:GetPrometheusInstance",
        "log:QueryPrometheusMetrics",
        "log:GetLogStoreLogs",
        "cms:CreateAddonRelease",
        "cms:UpdateAddonRelease"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Permission configuration to view Prometheus monitoring

You can grant permissions to a RAM user using one of the following methods:

Grant the RAM user the AliyunCloudMonitorReadOnlyAccess system policy.

Grant the RAM user custom permissions.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease",
        "cms:GetPrometheusInstance",
        "log:QueryPrometheusMetrics",
        "log:GetLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Configuration for resource group-scoped permissions

If you grant a RAM user the AliyunCloudMonitorFullAccess or AliyunCloudMonitorReadOnlyAccess permission and restrict it to a resource group, you cannot install the component or view the dashboard in the Container Service console because Prometheus Service is not yet fully integrated with resource groups. Grant the following additional permissions to the RAM user:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease"
      ],
      "Resource": [
        "acs:cms:*:{userId}:cmsservice/*",
        "acs:cms:*:{userId}:integrationpolicy/*",
        "acs:cms:*:{userId}:addonrelease/*"
      ]
    }
  ]
}