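This document describes the permission configuration a RAM user needs to manage Prometheus monitoring in the Container Service console.
Prerequisites
The user has permission to install components in the Container Service console. For details, see Use RAM to grant access to clusters and cloud resources.
The user has activated the Prometheus monitoring service.
RAM user permission configuration
Permissions for installing or updating Alibaba Cloud Prometheus monitoring
You can authorize the RAM user in either of the following two ways:
Grant the RAM user the system policy AliyunCloudMonitorFullAccess.
Grant the RAM user custom permissions.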
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease",
        "cms:GetPrometheusInstance",
        "log:QueryPrometheusMetrics",
        "log:GetLogStoreLogs",
        "cms:CreateAddonRelease",
        "cms:UpdateAddonRelease"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
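Permissions for viewing Alibaba Cloud Prometheus monitoring
You can authorize the RAM user in either of the following two ways:
Grant the RAM user the system policy AliyunCloudMonitorReadOnlyAccess.
Grant the RAM user custom permissions.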
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease",
        "cms:GetPrometheusInstance",
        "log:QueryPrometheusMetrics",
        "log:GetLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
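The two custom policies above differ only in cms:CreateAddonRelease and cms:UpdateAddonRelease, so a view-only grant can be checked mechanically before it is attached. The following Python check is an added example, not code from this page or from Alibaba Cloud; the function name audit, the role names "view" and "install", and the sample policy are assumptions made for illustration, and it assumes "*" wildcards in Action are matched case-sensitively.

```python
import json
from fnmatch import fnmatchcase

# Action lists copied from the two custom policies on this page.
VIEW_ACTIONS = {
    "cms:GetCmsService", "cms:ListIntegrationPolicies",
    "cms:ListIntegrationPolicyDashboards", "cms:GetAddonRelease",
    "cms:GetPrometheusInstance", "log:QueryPrometheusMetrics",
    "log:GetLogStoreLogs",
}
WRITE_ACTIONS = {"cms:CreateAddonRelease", "cms:UpdateAddonRelease"}


def as_list(value):
    """Action may be written as a single string or as a list."""
    return [value] if isinstance(value, str) else list(value)


def audit(policy_json, role):
    """Compare a custom policy with this page's list for 'view' or 'install'.

    The role names are hypothetical labels. Only Allow statements are read;
    Deny statements and Resource scoping are not evaluated.
    """
    policy = json.loads(policy_json)
    allowed = [a for s in policy["Statement"] if s.get("Effect") == "Allow"
               for a in as_list(s.get("Action", []))]
    known = VIEW_ACTIONS | WRITE_ACTIONS
    needed = VIEW_ACTIONS | (WRITE_ACTIONS if role == "install" else set())

    def granted(action):
        # A pattern such as "cms:*" grants every action name it matches.
        return any(fnmatchcase(action, pattern) for pattern in allowed)

    return {
        "missing": sorted(a for a in needed if not granted(a)),
        "excess": sorted(a for a in known - needed if granted(a)),
        # Entries that are not one of the page's exact action names.
        "unlisted": sorted(p for p in allowed if p not in known),
    }


# Constructed sample: a "view" policy that was shortened with wildcards.
SAMPLE = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["cms:Get*", "cms:ListIntegrationPolicies", "cms:*AddonRelease",
               "log:QueryPrometheusMetrics", "log:GetLogStoreLogs"]}]})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, "view"), indent=2))
```

On the constructed sample, the wildcard "cms:*AddonRelease" silently grants both write actions while the policy still lacks cms:ListIntegrationPolicyDashboards, so dashboards would fail to load even though the user can modify the add-on.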
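Configuration when the RAM user's permissions are limited to a resource group
When you grant a RAM user the AliyunCloudMonitorFullAccess or AliyunCloudMonitorReadOnlyAccess permission and restrict the grant to a resource group, installing the component and viewing monitoring dashboards in the Container Service console will fail, because the new version of Prometheus monitoring is not yet fully integrated with resource groups. You must separately grant the RAM user the following additional authorization: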
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease"
      ],
      "Resource": [
        "acs:cms:*:{userId}:cmsservice/*",
        "acs:cms:*:{userId}:integrationpolicy/*",
        "acs:cms:*:{userId}:addonrelease/*"
      ]
    }
  ]
}