如何删除ARMS服务关联角色AliyunServiceRoleForARMS - 应用实时监控服务ARMS

本文介绍ARMS服务关联角色AliyunServiceRoleForARMS以及如何删除该角色。

背景信息

ARMS服务关联角色AliyunServiceRoleForARMS是ARMS在某些情况下，为了完成自身的某个功能，需要获取其他云服务的访问权限而提供的RAM角色。更多关于服务关联角色的信息请参见服务关联角色。

AliyunServiceRoleForARMS应用场景

ARMS Prometheus监控功能需要访问容器服务ACK、日志服务SLS、云服务器ECS和专有网络VPC云服务的资源时，可通过自动创建的ARMS服务关联角色AliyunServiceRoleForARMS获取访问权限。

AliyunServiceRoleForARMS权限说明

AliyunServiceRoleForARMS具备以下云服务的访问权限：

容器服务ACK的访问权限

{
            "Action": [
                "cs:ScaleCluster",
                "cs:DeleteCluster",
                "cs:GetClusterById",
                "cs:GetClusters",
                "cs:GetUserConfig",
                "cs:CheckKritisInstall",
                "cs:GetKritisAttestationAuthority",
                "cs:GetKritisGenericAttestationPolicy",
                "cs:CreateCluster",
                "cs:AttachInstances",
                "cs:InstallKritis",
                "cs:InstallKritisAttestationAuthority",
                "cs:InstallKritisGenericAttestationPolicy",
                "cs:DeleteCluster",
                "cs:UpdateClusterTags",
                "cs:DeleteClusterNodes",
                "cs:UninstallKritis",
                "cs:DeleteKritisAttestationAuthority",
                "cs:DeleteKritisGenericAttestationPolicy",
                "cs:UpdateKritisAttestationAuthority",
                "cs:UpdateKritisGenericAttestationPolicy",
                "cs:UpgradeCluster",
                "cs:DeleteClusterNode",
                "cs:GetClusterLogs"
            ],
            "Resource": [
                "acs:cs:*:*:cluster/*"
            ],
            "Effect": "Allow"
        }

日志服务SLS的访问权限

{
            "Action": [
                "log:CreateProject",
                "log:GetProject",
                "log:GetLogStoreLogs",
                "log:GetHistograms",
                "log:GetLogStoreHistogram",
                "log:GetLogStore",
                "log:ListLogStores",
                "log:CreateLogStore",
                "log:DeleteLogStore",
                "log:UpdateLogStore",
                "log:GetCursorOrData",
                "log:GetCursor",
                "log:PullLogs",
                "log:ListShards",
                "log:PostLogStoreLogs",
                "log:CreateConfig",
                "log:UpdateConfig",
                "log:DeleteConfig",
                "log:GetConfig",
                "log:ListConfig",
                "log:CreateMachineGroup",
                "log:UpdateMachineGroup",
                "log:DeleteMachineGroup",
                "log:GetMachineGroup",
                "log:ListMachineGroup",
                "log:ListMachines",
                "log:ApplyConfigToGroup",
                "log:RemoveConfigFromGroup",
                "log:GetAppliedMachineGroups",
                "log:GetAppliedConfigs",
                "log:GetShipperStatus",
                "log:RetryShipperTask",
                "log:CreateConsumerGroup",
                "log:UpdateConsumerGroup",
                "log:DeleteConsumerGroup",
                "log:ListConsumerGroup",
                "log:UpdateCheckPoint",
                "log:HeartBeat",
                "log:GetCheckPoint",
                "log:CreateIndex",
                "log:DeleteIndex",
                "log:GetIndex",
                "log:UpdateIndex",
                "log:CreateSavedSearch",
                "log:UpdateSavedSearch",
                "log:GetSavedSearch",
                "log:DeleteSavedSearch",
                "log:ListSavedSearch",
                "log:CreateDashboard",
                "log:UpdateDashboard",
                "log:GetDashboard",
                "log:DeleteDashboard",
                "log:ListDashboard",
                "log:CreateJob",
                "log:UpdateJob"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }

云服务器ECS的访问权限

{
            "Action": [
                "ecs:DescribeInstanceAutoRenewAttribute",
                "ecs:DescribeInstances",
                "ecs:DescribeInstanceStatus",
                "ecs:DescribeInstanceVncUrl",
                "ecs:DescribeSpotPriceHistory",
                "ecs:DescribeUserdata",
                "ecs:DescribeInstanceRamRole",
                "ecs:DescribeDisks",
                "ecs:DescribeSnapshots",
                "ecs:DescribeAutoSnapshotPolicy",
                "ecs:DescribeSnapshotLinks",
                "ecs:DescribeImages",
                "ecs:DescribeImageSharePermission",
                "ecs:DescribeClassicLinkInstances",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:DescribeSecurityGroupReferences",
                "ecs:RevokeSecurityGroup",
                "ecs:DescribeNetworkInterfaces",
                "ecs:DescribeTags",
                "ecs:DescribeRegions",
                "ecs:DescribeZones",
                "ecs:DescribeInstanceMonitorData",
                "ecs:DescribeEipMonitorData",
                "ecs:DescribeDiskMonitorData",
                "ecs:DescribeInstanceTypes",
                "ecs:DescribeInstanceTypeFamilies",
                "ecs:DescribeTasks",
                "ecs:DescribeTaskAttribute",
                "ecs:DescribeInstanceAttribute",
                "ecs:InvokeCommand",
                "ecs:CreateCommand",
                "ecs:StopInvocation",
                "ecs:DeleteCommand",
                "ecs:DescribeCommands",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:ModifyCommand",
                "ecs:InstallCloudAssistant"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }

专有网络VPC的访问权限

{
       "Action": [
           "vpc:DescribeVpcs",
           "vpc:DescribeVSwitches"
       ],
       "Resource": "*",
       "Effect": "Allow"
}

删除AliyunServiceRoleForARMS

如果您使用了ARMS Prometheus监控功能，并且需要删除ARMS服务关联角色AliyunServiceRoleForARMS，例如出于安全考虑，需要删除该角色，则需要先明确删除后的影响：删除AliyunServiceRoleForARMS后，无法将当前账号下的K8s集群同步至ARMS控制台的K8s集群列表中，与此同时，ARMS控制台将停止获取及写入相关监控数据。

删除AliyunServiceRoleForARMS的操作步骤如下：

说明

如果当前账号下的K8s集群安装了ARMS Prometheus监控Agent，则需先删除Agent后才能删除AliyunServiceRoleForARMS，否则提示删除失败，详情请参见卸载监控插件。

登录RAM控制台，在左侧导航栏选择身份管理 > 角色。
在角色页面的搜索框中，输入AliyunServiceRoleForARMS，自动搜索到名称为AliyunServiceRoleForARMS的RAM角色。
在右侧操作列，单击删除。
在删除RAM角色对话框，单击确定。
- 如果当前账号下的K8s集群安装了ARMS Prometheus监控Agent，则需先删除Agent后才能删除AliyunServiceRoleForARMS，否则提示删除失败，详情请参见卸载监控插件。
- 如果当前账号下的K8s集群已卸载ARMS Prometheus监控Agent，则可直接删除AliyunServiceRoleForARMS。

常见问题

为什么我的RAM用户无法自动创建ARMS服务关联角色AliyunServiceRoleForARMS？

您需要拥有指定的权限，才能自动创建或删除AliyunServiceRoleForARMS。因此，在RAM用户无法自动创建AliyunServiceRoleForARMS时，您需为其添加以下权限策略。

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "arms.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

说明

请将主账号ID替换为您实际的阿里云账号（主账号）ID。