All Products
Search

This Product

    :RAM authentication

    Document Center

    :RAM authentication

    Last Updated:Oct 08, 2024

    Before a Resource Access Management (RAM) user calls the CloudMonitor API, the Alibaba Cloud account to which the RAM user belongs must attach policies to the RAM user.

    Resources

    In CloudMonitor, you can grant only the permissions on specific actions. You cannot grant the permissions on specific resources. You can describe resources only by using the wildcard character (*), which indicates all resources.

    Actions

    The actions on CloudMonitor are divided into two types: the actions on monitoring data and the actions on the instances of the Alibaba Cloud services monitored by CloudMonitor. The RAM user must have the permissions to perform both types of actions because the monitoring data in CloudMonitor is collected from the monitored instances of the Alibaba Cloud services. If the RAM user does not have the permissions to perform the actions on the monitored instances, the RAM user cannot query the monitored instances, query the monitoring data collected from the instances, or configure alerts based on the monitoring data.

    If you have no special requirements, we recommend that you use the default system policies provided by RAM: AliyunCloudMonitorFullAccess and AliyunCloudMonitorReadOnlyAccess. These two system policies contain the permissions to read and manage CloudMonitor data and the permissions to read the data of the monitored instances.

    If system policies cannot meet your requirements, you can configure a custom policy. When you customize a policy, use the wildcard character (*) to describe resources. Example: cms:Describe*.

    • To grant the permissions to manage CloudMonitor, set the action to cms:*.

    • The following actions can be used to grant the read-only permissions on CloudMonitor.

      • cms:Get*

      • cms:List*

      • cms:Query*

      • cms:BatchQuery*

      • cms:Describe*

      • cms:Cursor

      • cms:BatchGet

      • cms:BatchExport

    • The following table lists the actions for querying the instances of the Alibaba Cloud services monitored by CloudMonitor.

      Note

      The Alibaba Cloud services that can be monitored by CloudMonitor are continually updated. The following table lists only the actions for querying the instances of main Alibaba Cloud services.

      Alibaba Cloud service

      Action

      Elastic Compute Service (ECS)

      ecs:DescribeInstances

      ApsaraDB RDS

      rds:DescribeDBInstances

      rds:DescribeReplicas

      Server Load Balancer (SLB)

      DescribeLoadBalancer*

      Virtual Private Cloud (VPC)

      vpc:DescribeEipAddresses

      vpc:DescribeRouterInterfaces

      vpc:DescribeGlobalAccelerationInstances

      vpc:DescribeVpnGateways

      vpc:DescribeNatGateways

      vpc:DescribeBandwidthPackages

      vpc:DescribeCommonBandwidthPackages

      Object Storage Service (OSS)

      oss:ListBuckets

      Simple Log Service

      log:ListProject

      Alibaba Cloud CDN

      cdn:DescribeUserDomains

      Simple Message Queue (formerly MNS)

      mns:ListQueue

      mns:ListTopic

      Auto Scaling (ESS)

      ess:DescribeScalingGroups

      ApsaraDB for Memcache

      ocs:DescribeInstances

      ApsaraDB for Redis

      kvstore:DescribeInstances

      kvstore:DescribeLogicInstanceTopology

      ApsaraDB for HBase

      hbase:DescribeClusterList

      Time Series Database (TSDB)

      hitsdb:DescribeHiTSDBInstanceList

      HybridDB for MySQL

      petadata:DescribeInstances

      petadata:DescribeDatabases

      AnalyticDB for PostgreSQL

      gpdb:DescribeDBInstances

      E-MapReduce

      emr:ListClusters

      OpenSearch

      opensearch:ListApps

      Elasticsearch

      elasticsearch:ListInstance

      ApsaraDB for MongoDB

      mongodb:DescribeDBInstances

      NAT Gateway

      netgateway:DescribeNatGateways

      Anti-DDoS Proxy

      ddos:DescribeInstancePage

      Cloud Enterprise Network (CEN)

      cen:DescribeCens

      cen:DescribeCenAttachedChildInstances

      ApsaraMQ for Kafka

      kafka:GetKafkaInstanceList

      SCDN

      scdn:DescribeScdnUserDomains

      Dynamic Content Delivery Network (DCDN)

      dcdn:DescribeDcdnUserDomains

      PolarDB

      polardb:DescribeDBInstances

    • In most cases, you can specify the action in the cms:{Operation name} format to grant the permissions on specific API operations. For example, to grant only the permissions on CreateMonitorGroupNotifyPolicy, set the action to cms:CreateMonitorGroupNotifyPolicy. The actions for a few API operations do not comply with the preceding format. The following table lists the actions for these API operations.

      API operation

      Action

      CreateHybridMonitorNamespace

      cms:CreateCustomNamespace

      DeleteHybridMonitorNamespace

      cms:DeleteCustomNamespace

      PutCustomEvent

      cms:PutEvent

      DescribeMetricTop

      cms:QueryMetricTop

      DescribeMetricList

      cms:QueryMetricList

      DescribeMetricLast

      cms:QueryMetricLast

      DescribeMetricData

      cms:QueryMetricData

      DescribeMetricEventList

      cms:QueryEvent