This document describes how to configure permissions for a RAM user to manage Prometheus monitoring in the Container Service console.
Prerequisites
You have the permissions to install components in the Container Service console. For more information, see Use RAM to grant access permissions to clusters and cloud resources.
You have activated Prometheus Service.
RAM user permission configuration
Permission configuration to install or update Prometheus monitoring
You can grant permissions to a RAM user using one of the following methods:
Grant the RAM user the AliyunCloudMonitorFullAccess system policy.
Grant the RAM user custom permissions.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease",
        "cms:GetPrometheusInstance",
        "log:QueryPrometheusMetrics",
        "log:GetLogStoreLogs",
        "cms:CreateAddonRelease",
        "cms:UpdateAddonRelease"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Permission configuration to view Prometheus monitoring
You can grant permissions to a RAM user using one of the following methods:
Grant the RAM user the AliyunCloudMonitorReadOnlyAccess system policy.
Grant the RAM user custom permissions.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease",
        "cms:GetPrometheusInstance",
        "log:QueryPrometheusMetrics",
        "log:GetLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
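The two custom policies above differ only in cms:CreateAddonRelease and cms:UpdateAddonRelease. The following added example (not part of the original documentation or of any Alibaba Cloud tooling) checks a custom policy document against the action lists on this page before it is attached to a RAM user, so that a policy intended as view-only does not also grant the install/update actions. The names audit_policy, VIEW, WRITE and SAMPLE are hypothetical, wildcard matching is approximated with Python's fnmatch, and Deny statements and Resource scoping are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Action lists copied from the two custom policies on this page.
VIEW = {
    "cms:GetCmsService", "cms:ListIntegrationPolicies",
    "cms:ListIntegrationPolicyDashboards", "cms:GetAddonRelease",
    "cms:GetPrometheusInstance", "log:QueryPrometheusMetrics",
    "log:GetLogStoreLogs",
}
# The install/update policy adds exactly these two write actions.
WRITE = {"cms:CreateAddonRelease", "cms:UpdateAddonRelease"}

# Constructed sample: meant as view-only, but a wildcard covers the write actions.
SAMPLE = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["cms:Get*", "cms:List*", "cms:*AddonRelease",
               "log:QueryPrometheusMetrics", "log:GetLogStoreLogs"],
}]})

def _listify(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def audit_policy(document):
    """Compare a policy's Allow statements with the page's action lists."""
    patterns = set()
    for stmt in _listify(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns.update(_listify(stmt.get("Action", [])))

    def granted(action):
        # Assumption: '*' in an Action is a glob; fnmatch approximates that.
        return any(fnmatchcase(action, p) for p in patterns)

    missing_view = sorted(a for a in VIEW if not granted(a))
    write = sorted(a for a in WRITE if granted(a))
    if missing_view:
        role = "incomplete"          # dashboards will not load
    elif len(write) == len(WRITE):
        role = "install/update"      # can change the monitoring component
    else:
        role = "view"
    return {
        "role": role,
        "missing_view": missing_view,
        "write": write,
        "wildcards": sorted(p for p in patterns if "*" in p),
        "beyond_page": sorted(p for p in patterns - VIEW - WRITE if "*" not in p),
    }
```

For SAMPLE the result has role "install/update" even though no write action is named explicitly, because cms:*AddonRelease matches both of them.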
Configuration for resource group-scoped permissions
If you grant a RAM user the AliyunCloudMonitorFullAccess or AliyunCloudMonitorReadOnlyAccess permission and restrict the permission to a resource group, you cannot install the component or view the dashboard in the Container Service console. This is because the current version of Prometheus Service is not fully integrated with resource groups. Grant the following additional permissions to the RAM user:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease"
      ],
      "Resource": [
        "acs:cms:*:{userId}:cmsservice/*",
        "acs:cms:*:{userId}:integrationpolicy/*",
        "acs:cms:*:{userId}:addonrelease/*"
      ]
    }
  ]
}