This topic describes how to resolve insufficient permission errors for a RAM user.
Problem and solution
Background
To configure a data source in OpenSearch, OpenSearch needs to access resources of other Alibaba Cloud services, such as ApsaraDB RDS, PolarDB, and DRDS. A service-linked role is used to grant this access. For more information, see OpenSearch service-linked role.
Problem
When you use a RAM user to configure an ApsaraDB RDS data source, an error occurs.
An Error message dialog box appears that displays the message Internal Error and the error code InternalError.
Solution
To resolve this issue, use your Alibaba Cloud account to add the AliyunServiceRoleForOpenSearch role. This role provides the necessary permissions to access the ApsaraDB RDS data source. Follow these steps:
- Log on to the Alibaba Cloud console with your Alibaba Cloud account and navigate to the Access Control console.
- In the left-side navigation pane, click Roles. On the Roles page, search for AliyunServiceRoleForOpenSearch.
  If the role already exists, no further action is required. If it does not exist, you must create it manually.
- Optional: Create the AliyunServiceRoleForOpenSearch role.
  - In the left-side navigation pane, choose Identities > Roles, and then click Create Role.
  - Select Alibaba Cloud Service and click Next.
    In the Select Type step of the Create Role dialog box, the Select Trusted Entity Type options are Alibaba Cloud Account, Alibaba Cloud Service, and Identity Provider.
  - Select Service Linked Role, search for OpenSearch, and then click OK.
- After the role is created, you can find it on the Roles page by searching for AliyunServiceRoleForOpenSearch.
This role contains the permissions required for data source operations.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstances",
        "rds:DescribeDatabases",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeAccounts",
        "rds:DescribeAbnormalDBInstances",
        "rds:ModifySecurityIps",
        "rds:DescribeResourceUsage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusterAttribute",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:ModifyDBClusterAccessWhitelist",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:DescribeDBClusterParameters"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsInstance",
        "drds:ModifyDrdsIpWhiteList",
        "drds:DescribeDrdsDBIpWhiteList",
        "drds:DescribeRdsList",
        "drds:DescribeDrdsDB"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dts:ConfigureSubscriptionInstance",
        "dts:CreateConsumerGroup",
        "dts:StartSubscriptionInstance",
        "dts:DescribeSubscriptionInstanceStatus",
        "dts:DescribeConsumerGroup",
        "dts:DeleteConsumerGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "opensearch.aliyuncs.com"
        }
      }
    }
  ]
}
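The policy above is easier to review when you can ask it concrete questions offline: does it grant the RDS Describe calls a data source needs, which of the granted actions change state (IP whitelists, DTS subscriptions, the role's own deletion), and is the one RAM action really limited to the OpenSearch service name? The script below is an added example and not Alibaba Cloud or OpenSearch code. The function names `is_allowed` and `mutating_actions` are mine, and the evaluation semantics are a deliberate simplification (assumption): an explicit Deny wins, otherwise any matching Allow statement grants the action, and only `*` wildcards in Action/Resource and the `StringEquals` condition operator are handled. The policy text is the page's own, compacted onto fewer lines.

```python
"""Offline checker for the AliyunServiceRoleForOpenSearch policy document on this page.

Added example, not Alibaba Cloud code. Simplified RAM evaluation (assumption):
explicit Deny wins, otherwise any matching Allow grants; only "*" wildcards in
Action/Resource and the StringEquals condition operator are supported.
"""
import fnmatch
import json

# Verbatim copy of the page's policy document, compacted onto fewer lines.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["rds:DescribeDBInstanceAttribute", "rds:DescribeDBInstances", "rds:DescribeDatabases",
                "rds:DescribeDBInstanceIPArrayList", "rds:DescribeAccounts", "rds:DescribeAbnormalDBInstances",
                "rds:ModifySecurityIps", "rds:DescribeResourceUsage"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["polardb:DescribeDBClusterAttribute", "polardb:DescribeDBClusterEndpoints",
                "polardb:ModifyDBClusterAccessWhitelist", "polardb:DescribeDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterParameters"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["drds:DescribeDrdsInstance", "drds:ModifyDrdsIpWhiteList", "drds:DescribeDrdsDBIpWhiteList",
                "drds:DescribeRdsList", "drds:DescribeDrdsDB"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["dts:ConfigureSubscriptionInstance", "dts:CreateConsumerGroup", "dts:StartSubscriptionInstance",
                "dts:DescribeSubscriptionInstanceStatus", "dts:DescribeConsumerGroup", "dts:DeleteConsumerGroup"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "opensearch.aliyuncs.com"}}}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# Action name prefixes treated as read-only; everything else is considered state-changing.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Evaluate a Condition block against request context keys (StringEquals only)."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """Return True if the policy grants `action` on `resource` under `context`."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_met(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        allowed = True
    return allowed


def mutating_actions(policy):
    """Sorted list of granted actions that are not read-only: the ones worth a reviewer's attention."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            name = action.split(":", 1)[1]
            if not name.startswith(READ_ONLY_PREFIXES):
                found.add(action)
    return sorted(found)


if __name__ == "__main__":
    print("rds:DescribeDBInstances allowed:", is_allowed(POLICY, "rds:DescribeDBInstances"))
    print("rds:DeleteDBInstance allowed:", is_allowed(POLICY, "rds:DeleteDBInstance"))
    print("delete SLR without service name:", is_allowed(POLICY, "ram:DeleteServiceLinkedRole"))
    print("delete SLR as opensearch.aliyuncs.com:",
          is_allowed(POLICY, "ram:DeleteServiceLinkedRole", context={"ram:ServiceName": "opensearch.aliyuncs.com"}))
    print("state-changing actions:", mutating_actions(POLICY))
```

The state-changing list is what a security reviewer should reconcile against the data-source workflow: the whitelist modifications (`rds:ModifySecurityIps`, `polardb:ModifyDBClusterAccessWhitelist`, `drds:ModifyDrdsIpWhiteList`) are what let OpenSearch reach the database, and the DTS actions are for subscription-based sync. The script also confirms that `ram:DeleteServiceLinkedRole` is denied unless the request carries `ram:ServiceName` equal to `opensearch.aliyuncs.com`, which is the condition that stops the role from deleting other services' linked roles.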