
Managed Service for Prometheus:RAM-based access control

Last Updated:Jan 06, 2025

In resource collaboration scenarios, you can create multiple Resource Access Management (RAM) users with various responsibilities and grant different permissions to them. This allows RAM users to manage resources in a decentralized manner, improves management efficiency, and reduces the risk of information leakage. This topic describes how to create a RAM user and attach policies to it to restrict access to Managed Service for Prometheus instances.

Prerequisites

  • Application Real-Time Monitoring Service (ARMS) is activated. For more information, see Activate ARMS.

  • You have a basic knowledge of policy elements, structure, and syntax before creating a custom policy. For more information, see Policy elements.

Step 1: Attach the AliyunARMSPrometheusAccessAuth system policy to the RAM user

The AliyunARMSPrometheusAccessAuth system policy grants RAM users the permissions to log on to the Managed Service for Prometheus console.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user, and click Add Permissions in the Actions column.

  4. In the Grant Permissions panel, set the parameters listed in the following table.

     Parameter        Description
     Resource Scope   Set this parameter to Account.
     Principal        The RAM user.
     Policy           Select AliyunARMSPrometheusAccessAuth.

  5. Click Grant permissions and click Close.

(Optional) Step 2: Create a custom policy

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab and enter the policy content in the editor. The following example shows how to grant access permissions on Prometheus instances in the China (Hangzhou) region.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "arms:List*",
            "arms:Get*",
            "arms:Update*",
            "arms:Exe*",
            "arms:Create*",
            "arms:Del*",
            "arms:Add*",
            "arms:Check*",
            "arms:Delete*",
            "arms:Restart*",
            "arms:HealthCheck*",
            "arms:BindPrometheus*",
            "arms:install*"
          ],
          "Resource": "acs:arms:cn-hangzhou:*:prometheus/*"
        }
      ]
    }

  5. Click OK. In the dialog box that appears, set Name and Description.

  6. Click OK.

Step 3: Attach the custom policy to the RAM user

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user, and click Add Permissions in the Actions column.

  4. In the Grant Permissions panel, set the parameters listed in the following table.

     Parameter        Description
     Resource Scope   Set this parameter to ResourceGroup to apply the permissions to the resource group.
     Principal        The RAM user.
     Policy           Select the custom policy created in Step 2.

  5. Click Grant permissions and click OK.

Step 4: Verify the permissions

  1. After you attach the preceding policies to the RAM user, log on to the ARMS console as the RAM user. For more information, see Manage console logon settings for a RAM user.

  2. In the left-side navigation pane, choose Managed service for Prometheus > Instances.

  3. On the Instances page, click the icon to view the resource list of the resource group.

    Note

    If you do not have the required permissions on the resource group, ignore the error message that appears.

Related steps

  • We recommend that you perform the preceding steps to grant permissions on Prometheus resources in a resource group in a fine-grained manner.

  • If you want to use tags to grant permissions, modify the custom policy created in Step 2 by adding a condition. The following policy grants permissions only on Prometheus instances that have the specified tag. Replace tagkey and tagvalue with the values that match your business requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "arms:List*",
            "arms:Get*",
            "arms:Update*",
            "arms:Exe*",
            "arms:Create*",
            "arms:Del*",
            "arms:Add*",
            "arms:Check*",
            "arms:Delete*",
            "arms:Restart*",
            "arms:HealthCheck*",
            "arms:BindPrometheus*",
            "arms:install*"
          ],
          "Resource": "acs:arms:*:*:prometheus/*",
          "Condition": {
            "StringEquals": {
              "acs:RequestTag/tagkey": [
                "tagvalue"
              ]
            }
          }
        }
      ]
    }

  • After you use tags to grant permissions, perform the following steps:

  1. Go to the Prometheus instance list. The first time that you view the list, you are prompted that you do not have sufficient permissions, because no tags are selected.

  2. After you select one or more tags, you can view the instance list.

    Select the tags defined in the custom policy.

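To check what the region-scoped custom policy from Step 2 and the tag-conditioned policy above actually permit before attaching them to a RAM user, the following added example (not part of this documentation, and not the RAM policy engine itself) implements a simplified evaluator over abbreviated copies of both policies. It assumes a constructed tag key "env" with value "prod" in place of the page's tagkey and tagvalue placeholders, and only the StringEquals operator that the page uses.

```python
import fnmatch
import json

# Constructed, abbreviated copies of the page's two policies: fewer Action entries,
# and the tag key "env" / value "prod" stand in for the page's tagkey / tagvalue.
REGION_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["arms:List*", "arms:Get*", "arms:Update*", "arms:Delete*"],
    "Resource": "acs:arms:cn-hangzhou:*:prometheus/*"
  }]
}""")

TAG_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["arms:List*", "arms:Get*"],
    "Resource": "acs:arms:*:*:prometheus/*",
    "Condition": {"StringEquals": {"acs:RequestTag/env": ["prod"]}}
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, request_ctx):
    # Only StringEquals, the operator the page uses, is implemented here.
    for key, expected in condition.get("StringEquals", {}).items():
        if request_ctx.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, resource, request_ctx=None):
    """Simplified RAM evaluation: '*' is a wildcard, a matching Deny wins, else any matching Allow grants."""
    request_ctx = request_ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), request_ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

With the region-scoped policy, the same action on a cn-beijing instance is refused; with the tag policy, a request that carries no tag is refused, which is why the console asks you to select a tag before the instance list loads.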