Create a custom policy


If the system policies for Alibaba Cloud Elasticsearch do not meet your requirements, you can create custom policies for fine-grained access control. This topic describes how to create a custom policy and provides policy examples for granting permissions to specific instances and tags.

Background information

Alibaba Cloud Elasticsearch supports the following system policies:

  • AliyunElasticsearchReadOnlyAccess: grants read-only permissions on Alibaba Cloud Elasticsearch and Logstash instances. Intended for read-only users.

  • AliyunElasticsearchFullAccess: grants full management permissions on Alibaba Cloud Elasticsearch instances, Logstash instances, and Beats collectors. Intended for administrators.

Note

These policies do not include permissions for Serverless, CloudMonitor, or tags. You must create custom policies to grant these permissions. For more information, see Specific instance policy and Policies for Elasticsearch Serverless.

Prerequisites

You are familiar with the basic structure and syntax of policy language. For more information, see Policy structure and syntax.

Usage notes

Custom policies take effect at the account level, not at the resource group level. To display only specific resources in the console for a RAM user, grant permissions by using a resource group. For more information, see Authorize a RAM user to manage specific instances by using a resource group.

Procedure

To create a custom policy, see Create a custom policy on the JSON tab. You can enter a policy document based on your business requirements, or import and modify an existing system policy.

Example policy documents:

  • Permission to access the Virtual Private Cloud (VPC) resources that belong to your Alibaba Cloud account.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "elasticsearch:DescribeVpcs",
            "elasticsearch:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  • Permission for a RAM user to pay for orders.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "bss:PayOrder"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

For more policy examples, see Policy examples.

Policy examples

Important

Before you use the following code examples, replace the placeholders with your actual information:

  • <yourAccountId>: Replace this with your Alibaba Cloud Account ID. Wildcard characters (*) are not supported. To find your Account ID, hover over your user avatar in the upper-right corner of the console to view the Account ID.

  • <yourInstanceId>: Replace this with the ID of the target instance. Wildcard characters (*) are not supported. To find the Instance ID, see View the basic information of an instance.

Administrator policy

The following policy grants a RAM user under the Alibaba Cloud account <yourAccountId> full operational permissions on all Alibaba Cloud Elasticsearch instances. Because it combines elasticsearch:* and cms:* on every resource with ims:* on all applications in the account, it is an administrator-level grant: attach it only to users who need to manage every instance, and use the specific instance policy below for anyone else.

{
    "Statement": [
        {
            "Action": [
                "elasticsearch:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cms:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "bss:PayOrder",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ims:*",
            "Effect": "Allow",
            "Resource": "acs:ims::<yourAccountId>:application/*"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "collector.elasticsearch.aliyuncs.com",
                        "ops.elasticsearch.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}

Specific instance policy

The following policy grants a RAM user under the Alibaba Cloud account <yourAccountId> the following permissions:

  • Permissions for CloudMonitor.

  • Permissions to perform all Elasticsearch-related operations on a specific instance.

  • Permissions to view the list of instances.

  • Permissions to view the tags of all instances.

  • Permissions to view the list of collectors.

Note

The instance management page in the Alibaba Cloud Elasticsearch console integrates with external services such as Beats collectors, Advanced Monitoring and Alerting, and tags. Therefore, when you grant permissions on a specific instance, you must also grant permissions for these dependent services as shown in the following policy example.

{
    "Statement": [
        {
            "Action": [
                "elasticsearch:*"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>"
        },
        {
            "Action": [
                "cms:DescribeActiveMetricRuleList",
                "cms:ListAlarm",
                "cms:QueryMetricList"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "elasticsearch:ListTags"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:tags/*"
        },
        {
            "Action": [
                "elasticsearch:ListInstance",
                "elasticsearch:ListSnapshotReposByInstanceId"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"
        },
        {
            "Action": [
                "elasticsearch:ListLogstash"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:logstashes/*"
        }, 
        {
            "Action": [
                "elasticsearch:ListCollectors"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:<yourAccountId>:collectors/*"
        },
        {
            "Action": [
                "elasticsearch:GetEmonProjectList"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:*:emonProjects/*"
        },
        {
            "Action": [
                "elasticsearch:getEmonUserConfig"
            ],
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:*:*:emonUserConfig/*"
        }
    ],
    "Version": "1"
}
Table 1. Action

Each entry below shows an Action value from the policies above, followed by what it grants.

[
  "cms:DescribeActiveMetricRuleList",
  "cms:ListAlarm",
  "cms:QueryMetricList"
]

Permissions for CloudMonitor. The following list describes each permission:

  • cms:DescribeActiveMetricRuleList: The permission to query the Alibaba Cloud services for which CloudMonitor is activated.

  • cms:ListAlarm: The permission to query all or specific alert rule settings.

  • cms:QueryMetricList: The permission to query monitoring data of a specific service instance over a period of time.

"bss:PayOrder"

The permission to pay for orders. After this permission is granted, the RAM user can pay for instance purchase orders.

"ims:*"

To use Advanced Monitoring and Alerting, you must grant the RAM user ims permissions. You can also log on to the Advanced Monitoring and Alerting console with your Alibaba Cloud account to manually grant permissions to the RAM user. For more information, see Step 1: View and configure visualized monitoring.

Note

Identity Management Service (IMS) manages identity metadata and authentication configurations for Alibaba Cloud RAM users. IMS also provides standard protocols to enable federated authentication and user data synchronization with external Identity Providers (IDPs).

[
  "elasticsearch:DescribeVpcs",
  "elasticsearch:DescribeVSwitches"
]

Grants a RAM user permission to access your account's Virtual Private Cloud (VPC) and vSwitch lists. This allows the user to select a VPC and vSwitch when creating an instance.

Important

When you grant a RAM user the permission to create an instance, you must also include the ["bss:PayOrder"] Action. Otherwise, the user will encounter a permission error during the purchase.

[
  "elasticsearch:*"
]

Grants all operational permissions on Alibaba Cloud Elasticsearch instances. The scope is set by the Resource element: with "*" the RAM user can perform any operation on every instance in the account; with acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId> the same actions are limited to that one instance.

Important

The elasticsearch:* permission does not include permissions for Advanced Monitoring and Alerting, CloudMonitor, or tags. You must grant these permissions separately. Without these permissions, users will encounter an error when accessing the feature pages. They can, however, still use other authorized functions after dismissing the error message.

[
  "elasticsearch:ListTags"
]

Grants permission to view the tags for Alibaba Cloud Elasticsearch instances.

[
  "elasticsearch:ListInstance",
  "elasticsearch:ListSnapshotReposByInstanceId"
]

  • elasticsearch:ListInstance: The permission to view the list of Alibaba Cloud Elasticsearch instances.

  • elasticsearch:ListSnapshotReposByInstanceId: The permission to view the list of cross-cluster OSS repository settings.

[
  "elasticsearch:ListCollectors"
]

Grants permission to view the list of Beats collectors in the console.

[
  "elasticsearch:ListLogstash"
]

Grants permission to view the list of all Logstash instances for a region on the instance list page.

[
  "elasticsearch:GetEmonProjectList"
]

The permission to obtain the list of instance monitoring projects.

Important

This Action must be used with the ["elasticsearch:getEmonUserConfig"] Action. Otherwise, a permission error occurs when the user enters the instance monitoring page.

[
  "elasticsearch:getEmonUserConfig"
]

The permission to obtain user configurations for instance monitoring.

Table 2. Effect

  • Allow: Allows the RAM user to perform the operations specified in the Action element on the matching Resource.

  • Deny: Prohibits the RAM user from performing the operations specified in the Action element. An explicit Deny takes precedence over any Allow that matches the same request, and a request that matches no Allow statement is denied by default. This is why the Serverless read-only policy below can grant es-serverless:List* and still withhold es-serverless:ListAccessTokens.

Table 3. Resource

For more information about the Resource element, see RAM authorization for Elasticsearch.

  • *: All instance resources.

  • <yourInstanceId>: A specific instance resource. You must replace this with the ID of the target instance. To find the ID, see View the basic information of an instance.
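The following script assembles the specific instance policy above from an account ID and one or more instance IDs, and enforces the placeholder rules stated earlier (no wildcards in <yourAccountId> or <yourInstanceId>, no unreplaced placeholders) before the document is uploaded. It is an added example, not code from the Alibaba Cloud documentation or an Alibaba Cloud API; the 16-digit account ID format and the lint_policy() checks are our own assumptions, and the sample IDs are constructed.

```python
"""Build the per-instance Alibaba Cloud Elasticsearch RAM policy shown above.

Added example (not code from the Alibaba Cloud documentation). The statement set
reproduces the "Specific instance policy" on this page; the input checks enforce
the placeholder rules given above (no wildcards in the account or instance ID),
and lint_policy() is our own pre-upload check, not an Alibaba Cloud API.
"""
import json
import re
from typing import Any

# Assumption (not stated on the page): Alibaba Cloud account IDs are 16 digits.
ACCOUNT_ID_RE = re.compile(r"^[0-9]{16}$")
# The page forbids wildcards in <yourInstanceId>; also reject unreplaced <...> placeholders.
FORBIDDEN_IN_INSTANCE_ID = re.compile(r"[*<>\s]")


def _dependent_statements(account_id: str) -> list[dict[str, Any]]:
    """Grants the console pages need besides elasticsearch:* on the instance itself
    (CloudMonitor, tags, instance/Logstash/collector lists, instance monitoring)."""
    es = f"acs:elasticsearch:*:{account_id}"
    return [
        {"Action": ["cms:DescribeActiveMetricRuleList", "cms:ListAlarm", "cms:QueryMetricList"],
         "Effect": "Allow", "Resource": "*"},
        {"Action": ["elasticsearch:ListTags"], "Effect": "Allow", "Resource": f"{es}:tags/*"},
        {"Action": ["elasticsearch:ListInstance", "elasticsearch:ListSnapshotReposByInstanceId"],
         "Effect": "Allow", "Resource": f"{es}:instances/*"},
        {"Action": ["elasticsearch:ListLogstash"], "Effect": "Allow", "Resource": f"{es}:logstashes/*"},
        {"Action": ["elasticsearch:ListCollectors"], "Effect": "Allow", "Resource": f"{es}:collectors/*"},
        {"Action": ["elasticsearch:GetEmonProjectList"], "Effect": "Allow",
         "Resource": "acs:elasticsearch:*:*:emonProjects/*"},
        {"Action": ["elasticsearch:getEmonUserConfig"], "Effect": "Allow",
         "Resource": "acs:elasticsearch:*:*:emonUserConfig/*"},
    ]


def build_instance_policy(account_id: str, instance_ids: list[str]) -> dict[str, Any]:
    """Return a policy that scopes elasticsearch:* to the given instances only."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"account ID must be 16 digits with no wildcards: {account_id!r}")
    if not instance_ids:
        raise ValueError("at least one instance ID is required")
    for iid in instance_ids:
        if not iid or FORBIDDEN_IN_INSTANCE_ID.search(iid):
            raise ValueError(f"instance ID may not contain wildcards or placeholders: {iid!r}")
    resources = [f"acs:elasticsearch:*:{account_id}:instances/{iid}" for iid in instance_ids]
    scoped = {"Action": ["elasticsearch:*"], "Effect": "Allow",
              "Resource": resources[0] if len(resources) == 1 else resources}
    return {"Statement": [scoped, *_dependent_statements(account_id)], "Version": "1"}


def lint_policy(policy: dict[str, Any]) -> list[str]:
    """Flag unreplaced <your...> placeholders and '<service>:*' granted on Resource '*'."""
    findings: list[str] = []
    for placeholder in sorted(set(re.findall(r"<your\w+>", json.dumps(policy)))):
        findings.append(f"placeholder {placeholder} was not replaced")
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        resources = statement["Resource"]
        resources = resources if isinstance(resources, list) else [resources]
        if "*" in resources:
            for action in actions:
                if action.endswith(":*"):
                    findings.append(f"statement {index}: {action} on Resource '*' is full access "
                                    "to that service; expected only in an administrator policy")
    return findings


if __name__ == "__main__":
    # Constructed sample input: both IDs are made up for this example.
    policy = build_instance_policy("1234567890123456", ["es-cn-example001"])
    print(json.dumps(policy, indent=4))
    print("lint:", lint_policy(policy) or "no findings")
```

Run it, paste the printed JSON into the JSON tab of the RAM console, and run lint_policy() against any policy you import before attaching it: a leftover <yourAccountId> or an elasticsearch:* on Resource "*" in what was meant to be a per-instance grant shows up as a finding.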

Policies for Elasticsearch Serverless

  • Policy content for AliyunElasticsearchServerlessReadOnlyAccess (grants read-only access to Alibaba Cloud Elasticsearch Serverless; intended for read-only users). Note the explicit Deny on es-serverless:ListAccessTokens: that action would otherwise be covered by the es-serverless:List* wildcard in the Allow statement, and the Deny keeps read-only users from listing access tokens.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "es-serverless:List*",
            "es-serverless:Describe*",
            "es-serverless:Get*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "es-serverless:ListAccessTokens",
          "Resource": "*",
          "Effect": "Deny"
        }
      ]
    }
  • Policy content for AliyunElasticsearchServerlessFullAccess (grants full access to manage Alibaba Cloud Elasticsearch Serverless; intended for administrators):

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "es-serverless:*",
          "Resource": "*"
        }
      ]
    }
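To see how the Effect rules in Table 2 play out against these documents, the following added example evaluates requests against the Serverless read-only policy and against the instance-scoped statement from the specific instance policy. It is not Alibaba Cloud code and is deliberately simplified: '*' is the only wildcard, Condition elements are ignored, and matching is case-sensitive. The es-serverless:DescribeApp and es-serverless:CreateApp action names and the account and instance IDs are constructed for the example; ListAccessTokens and DeleteInstance appear on this page.

```python
"""Evaluate RAM Allow/Deny decisions against the policies on this page.

Added example, not Alibaba Cloud code. Simplified evaluator: '*' is the only
wildcard, only Effect/Action/Resource are considered (no Condition handling),
matching is case-sensitive. It applies the RAM rule that an explicit Deny
overrides any Allow and that a request matching no Allow is denied.
Action names other than ListAccessTokens and DeleteInstance are hypothetical.
"""
import re
from typing import Any

# The AliyunElasticsearchServerlessReadOnlyAccess document from this page.
SERVERLESS_READONLY: dict[str, Any] = {
    "Version": "1",
    "Statement": [
        {"Action": ["es-serverless:List*", "es-serverless:Describe*", "es-serverless:Get*"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "es-serverless:ListAccessTokens", "Resource": "*", "Effect": "Deny"},
    ],
}

# The first statement of the "Specific instance policy", with constructed IDs.
ACCOUNT = "1234567890123456"
INSTANCE_SCOPED: dict[str, Any] = {
    "Version": "1",
    "Statement": [
        {"Action": ["elasticsearch:*"], "Effect": "Allow",
         "Resource": f"acs:elasticsearch:*:{ACCOUNT}:instances/es-cn-example001"},
    ],
}


def _as_list(value: Any) -> list[Any]:
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str) -> bool:
    """RAM-style match: '*' matches any run of characters, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policies: list[dict[str, Any]], action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(_glob(p, action) for p in _as_list(statement["Action"])):
                continue
            if not any(_glob(p, resource) for p in _as_list(statement["Resource"])):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny wins regardless of other statements
            decision = "Allow"
    return decision


def without_deny_statements(policy: dict[str, Any]) -> dict[str, Any]:
    """Copy of a policy with its Deny statements dropped (to show what they prevent)."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"]}


if __name__ == "__main__":
    ro = [SERVERLESS_READONLY]
    print(evaluate(ro, "es-serverless:DescribeApp", "*"))          # Allow (Describe*)
    print(evaluate(ro, "es-serverless:ListAccessTokens", "*"))     # Deny (explicit)
    print(evaluate([without_deny_statements(SERVERLESS_READONLY)],
                   "es-serverless:ListAccessTokens", "*"))         # Allow: List* alone would expose tokens
    print(evaluate(ro, "es-serverless:CreateApp", "*"))            # Deny (no matching Allow)
    own = f"acs:elasticsearch:cn-hangzhou:{ACCOUNT}:instances/es-cn-example001"
    other = f"acs:elasticsearch:cn-hangzhou:{ACCOUNT}:instances/es-cn-other002"
    print(evaluate([INSTANCE_SCOPED], "elasticsearch:DeleteInstance", own))    # Allow
    print(evaluate([INSTANCE_SCOPED], "elasticsearch:DeleteInstance", other))  # Deny
```

The third call is the point of the exercise: with the Deny statement removed, the List* wildcard alone would allow ListAccessTokens for a read-only user. The last two calls show the Resource element doing the scoping for the specific instance policy: the region wildcard in the policy matches cn-hangzhou, but the instance ID must match exactly.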

API permissions

The following table lists the Resource and Action elements for Elasticsearch API operations. The Resource column is the suffix that follows acs:elasticsearch:*:<yourAccountId>: in the policy examples above; instanceId stands for the ID of the target instance, and the Action column is the name you prefix with elasticsearch: in a policy.

Method   URI                                     Resource               Action
GET      /instances                              instances/*            ListInstance
POST     /instances                              instances/*            CreateInstance
GET      /instances/instanceId                   instances/instanceId   DescribeInstance
DELETE   /instances/instanceId                   instances/instanceId   DeleteInstance
POST     /instances/instanceId/actions/restart   instances/instanceId   RestartInstance
PUT      /instances/instanceId                   instances/instanceId   UpdateInstance

Next steps

After you create a custom policy, grant permissions to a RAM user by using the RAM console, an API, or an SDK. For more information, see Grant permissions to a RAM user.