This document describes the permissions a RAM user (sub-account) needs in order to manage Prometheus monitoring from the Container Service console.
Prerequisites
The user has the permission to install components in the Container Service console. For details, see Use RAM to grant access permissions to clusters and cloud resources.
The user has activated the Prometheus monitoring service.
Permission configuration for RAM users
Permissions for installing or updating Alibaba Cloud Prometheus monitoring
You can authorize the RAM user in either of the following two ways:
Grant the RAM user the system policy AliyunCloudMonitorFullAccess.
Grant the RAM user the following custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease",
        "cms:GetPrometheusInstance",
        "log:QueryPrometheusMetrics",
        "log:GetLogStoreLogs",
        "cms:CreateAddonRelease",
        "cms:UpdateAddonRelease"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Permissions for viewing Alibaba Cloud Prometheus monitoring
You can authorize the RAM user in either of the following two ways:
Grant the RAM user the system policy AliyunCloudMonitorReadOnlyAccess.
Grant the RAM user the following custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease",
        "cms:GetPrometheusInstance",
        "log:QueryPrometheusMetrics",
        "log:GetLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Configuration when the RAM user's permissions are restricted to a resource group
If AliyunCloudMonitorFullAccess or AliyunCloudMonitorReadOnlyAccess is granted to the RAM user with a resource group restriction, installing Prometheus monitoring and viewing monitoring dashboards from the Container Service console will fail, because the current new version of Prometheus monitoring is not yet fully integrated with resource groups. In this case, you must additionally grant the RAM user the following policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cms:GetCmsService",
        "cms:ListIntegrationPolicies",
        "cms:ListIntegrationPolicyDashboards",
        "cms:GetAddonRelease"
      ],
      "Resource": [
        "acs:cms:*:{userId}:cmsservice/*",
        "acs:cms:*:{userId}:integrationpolicy/*",
        "acs:cms:*:{userId}:addonrelease/*"
      ]
    }
  ]
}
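The following added example (not Alibaba Cloud's own code or RAM evaluation engine) shows how to review the three policy documents above before granting them: it fills the {userId} placeholder of the resource-scoped policy with a constructed account ID, lists the write actions that the install/update policy grants beyond the view-only policy, and runs a simplified allow/deny evaluation over the action and resource ARN of a request. The evaluator handles only Action, Resource and Effect with `*`/`?` wildcards; it does not model Condition elements, which is how a resource group restriction is actually enforced.

```python
import fnmatch
import json

# Action lists copied from the two custom policies on this page.
INSTALL_ACTIONS = [
    "cms:GetCmsService", "cms:ListIntegrationPolicies",
    "cms:ListIntegrationPolicyDashboards", "cms:GetAddonRelease",
    "cms:GetPrometheusInstance", "log:QueryPrometheusMetrics",
    "log:GetLogStoreLogs", "cms:CreateAddonRelease", "cms:UpdateAddonRelease",
]
READONLY_ACTIONS = INSTALL_ACTIONS[:7]  # view-only policy lacks the last two

def custom_policy(actions):
    """Build a RAM policy document allowing the given actions on all resources."""
    return {"Version": "1", "Statement": [
        {"Action": list(actions), "Resource": "*", "Effect": "Allow"}]}

# Supplementary resource-scoped policy from the page; {userId} is filled by scoped_policy().
SCOPED_TEMPLATE = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["cms:GetCmsService", "cms:ListIntegrationPolicies",
               "cms:ListIntegrationPolicyDashboards", "cms:GetAddonRelease"],
    "Resource": ["acs:cms:*:{userId}:cmsservice/*",
                 "acs:cms:*:{userId}:integrationpolicy/*",
                 "acs:cms:*:{userId}:addonrelease/*"]}]})

def scoped_policy(account_id):
    """Return the supplementary policy with {userId} replaced by the given account ID."""
    return json.loads(SCOPED_TEMPLATE.replace("{userId}", account_id))

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policy, action, resource):
    """Simplified RAM decision: an explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Wildcards in Action/Resource use fnmatch; no Conditions."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        hit_action = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        hit_res = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if hit_action and hit_res:
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def write_actions_delta(install=INSTALL_ACTIONS, readonly=READONLY_ACTIONS):
    """Actions the install/update policy grants beyond the view-only policy."""
    return sorted(set(install) - set(readonly))

if __name__ == "__main__":
    acct = "123456789012"  # constructed account ID, not a real one
    arn = f"acs:cms:cn-hangzhou:{acct}:addonrelease/example"  # constructed ARN
    print(evaluate(custom_policy(READONLY_ACTIONS), "cms:CreateAddonRelease", arn))  # ImplicitDeny
    print(evaluate(scoped_policy(acct), "cms:GetAddonRelease", arn))  # Allow
    print(write_actions_delta())  # ['cms:CreateAddonRelease', 'cms:UpdateAddonRelease']
```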