阿里云ES服务关联角色

在阿里云Elasticsearch(简称ES)中,通过PrivateLink的终端节点实现Kibana或实例的私网访问、管理Beats采集器、手动进行数据备份恢复和使用ES集群弹性扩缩容功能时,需要通过RAM角色扮演(服务关联角色)的方式访问其他云服务的资源。在您执行上述特定操作时,如果未创建过对应的服务关联角色,系统将自动为您创建。本文将对ES和ES Serverless的服务关联角色进行介绍,并介绍如何删除服务关联角色。

应用场景

服务关联角色的应用场景如下:

  • AliyunServiceRoleForElasticsearch:需要在用户VPC中访问云原生管控的ES节点或Kibana时。

  • AliyunServiceRoleForElasticsearchCollector:创建和管理Beats采集器时。

  • AliyunServiceRoleForElasticsearchOSS :手动备份或恢复数据,需要使用自动授权功能关联自定义OSS Bucket时。

  • AliyunServiceRoleForElasticsearchOps:执行集群弹性扩缩容任务时。

  • AliyunServiceRoleForESServerless:ES Serverless应用或应用的Kibana开启私网访问功能时。

关于服务关联角色的详细信息,请参见服务关联角色

ES服务关联角色介绍

AliyunServiceRoleForElasticsearch

当您需要在VPC内访问云原生管控ES实例的节点或Kibana时,如果不存在具有执行任务权限的角色,ES将自动创建对应角色(服务关联角色),并为该角色授予相应的权限。ES通过扮演该角色调用私网连接PrivateLink或ECS网络配置相关的API,为您创建如终端节点等资源并完成相关配置,以满足您Kibana私网访问等需求。该角色的相关说明如下:

  • 角色名称:AliyunServiceRoleForElasticsearch

  • 角色权限策略名称:AliyunServiceRolePolicyForElasticsearch

  • 角色权限策略内容:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AssignIpv6Addresses",
        "ecs:AssignPrivateIpAddresses",
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeSecurityGroups",
        "ecs:DetachNetworkInterface",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:UnassignIpv6Addresses",
        "ecs:UnassignPrivateIpAddresses"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:AddZone",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZone",
        "pvtz:DeleteZoneRecord",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}

服务名称:elasticsearch.aliyuncs.com

执行服务关联角色操作所需的用户权限:ram:CreateServiceLinkedRole

AliyunServiceRoleForElasticsearchCollector

创建和管理Beats采集器时,如果不存在具有执行任务权限的角色,ES将自动创建对应角色(服务关联角色),并为该角色授予相应的权限。ES通过扮演该角色即可调用OpenAPI,完成Beats采集器在ECS或Kubernetes版ACK目标机器上的数据采集任务。该角色的相关说明如下:

  • 角色名称:AliyunServiceRoleForElasticsearchCollector

  • 角色权限策略名称:AliyunServiceRolePolicyForElasticsearchCollector

  • 角色权限策略内容:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oos:CancelExecution",
                    "oos:DeleteExecutions",
                    "oos:GenerateExecutionPolicy",
                    "oos:GetExecutionTemplate",
                    "oos:ListExecutionLogs",
                    "oos:ListExecutions",
                    "oos:ListTaskExecutions",
                    "oos:NotifyExecution",
                    "oos:StartExecution",
                    "oos:ListTagResources",
                    "oos:TagResources",
                    "oos:UntagResources",
                    "oos:CreateTemplate",
                    "oos:DeleteTemplate",
                    "oos:GetTemplate",
                    "oos:ListExecutionRiskyTasks",
                    "oos:ListTemplates",
                    "oos:UpdateTemplate"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "cs:GetUserConfig",
                    "cs:GetClusters",
                    "cs:GetClusterById"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
                "Condition": {
                    "StringEquals": {
                        "acs:Service": "oos.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • 服务名称:collector.elasticsearch.aliyuncs.com

  • 执行服务关联角色操作所需的用户权限:ram:CreateServiceLinkedRole

AliyunServiceRoleForElasticsearchOSS

当您需要使用您的OSS进行数据备份和恢复数据时,如果不存在具有执行任务权限的角色,ES将自动创建对应角色(服务关联角色),并为该角色授予相应的权限。ES通过扮演该角色通过OpenAPI访问您的OSS bucket,完成将数据备份或数据恢复的任务。该角色的相关说明如下:

  • 角色名称:AliyunServiceRoleForElasticsearchOSS

  • 角色权限策略名称:AliyunServiceRolePolicyForElasticsearchOSS

  • 角色权限策略内容:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionTagging",
        "oss:GetObjectMeta",
        "oss:DeleteObject",
        "oss:PutObject",
        "oss:GetBucketVersioning",
        "oss:GetBucketInfo",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:es-alicloud-*/*",
        "acs:oss:*:*:es-alicloud-*",
        "acs:oss:*:*:*/*es-alicloud*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:GetObjectMeta",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionTagging",
        "oss:DeleteObject",
        "oss:PutObject",
        "oss:GetBucketVersioning",
        "oss:GetBucketInfo",
        "oss:GetBucketAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:BucketTag/es-alicloud": [
            "es-alicloud"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}

服务名称:oss.elasticsearch.aliyuncs.com

执行服务关联角色操作所需的用户权限:ram:CreateServiceLinkedRole

AliyunServiceRoleForElasticsearchOps

执行集群弹性扩缩容任务时,如果不存在具有执行任务权限的角色,ES将自动创建对应角色(服务关联角色),并为该角色授予相应的权限。ES通过扮演该角色调用集群弹性扩缩容的OpenAPI,按照您设定的时间完成集群扩缩容任务。该角色的相关说明如下:

  • 角色名称:AliyunServiceRoleForElasticsearchOps

  • 角色权限策略名称:AliyunServiceRolePolicyForElasticsearchOps

  • 角色权限策略内容:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "elasticsearch:ListInstance",
                    "elasticsearch:DescribeInstance",
                    "elasticsearch:UpdateInstance",
                    "elasticsearch:UpdateInstanceSettings",
                    "elasticsearch:RestartInstance",
                    "elasticsearch:RollbackInstance",
                    "elasticsearch:DowngradeInstance",
                    "elasticsearch:CancelTask",
                    "elasticsearch:DeactivateZones",
                    "elasticsearch:ActivateZones",
                    "elasticsearch:MigrateToOtherZone",
                    "elasticsearch:ResumeElasticsearchTask",
                    "elasticsearch:InterruptElasticsearchTask",
                    "elasticsearch:UpdateAdvancedSetting",
                    "elasticsearch:UpgradeInstanceEngineVersion",
                    "elasticsearch:UpdateWhiteIps",
                    "elasticsearch:UpdatePublicIps",
                    "elasticsearch:ModifyWhiteIps",
                    "elasticsearch:TriggerNetwork",
                    "elasticsearch:UpdateTemplate",
                    "elasticsearch:DescribeLogstash",
                    "elasticsearch:UpdateLogstash",
                    "elasticsearch:RestartLogstash",
                    "elasticsearch:UpdateLogstashSettings",
                    "elasticsearch:InterruptLogstashTask",
                    "elasticsearch:ResumeLogstashTask",
                    "elasticsearch:DowngradeLogstash"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "ops.elasticsearch.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • 服务名称:ops.elasticsearch.aliyuncs.com

  • 执行服务关联角色操作所需的用户权限:ram:CreateServiceLinkedRole

ES Serverless服务关联角色介绍

AliyunServiceRoleForESServerless

为ES Serverless应用或应用的Kibana开启私网访问时,如果不存在具有执行任务权限的角色,ES Serverless服务将自动创建对应角色(服务关联角色),并为该角色授予相应的权限。ES Serverless服务通过扮演该角色调用私网连接PrivateLink的API,为您创建终端节点,以满足您在VPC内访问应用或Kibana的需求。该角色的相关说明如下:

  • 角色名称:AliyunServiceRoleForESServerless

  • 角色权限策略名称:AliyunServiceRolePolicyForESServerless

  • 角色权限策略内容:

{
	"Version": "1",
	"Statement": [{
			"Action": [
				"privatelink:CreateVpcEndpoint",
				"privatelink:DeleteVpcEndpoint",
				"privatelink:ListVpcEndpoints",
				"privatelink:OpenPrivateLinkService",
				"privatelink:CheckProductOpen",
				"privatelink:UpdateVpcEndpointAttribute",
				"privatelink:GetVpcEndpointAttribute",
				"privatelink:AddZoneToVpcEndpoint",
				"privatelink:RemoveZoneFromVpcEndpoint",
				"privatelink:ListVpcEndpointSecurityGroups",
				"privatelink:AttachSecurityGroupToVpcEndpoint",
				"privatelink:DetachSecurityGroupFromVpcEndpoint",
				"privatelink:ListVpcEndpointZones",
				"vpc:DescribeVpcs",
				"vpc:DescribeVpcAttribute",
				"vpc:DescribeVSwitches",
				"vpc:DescribeVSwitchAttributes"
			],
			"Resource": "*",
			"Effect": "Allow"
		},
		{
			"Action": "ram:DeleteServiceLinkedRole",
			"Resource": "*",
			"Effect": "Allow",
			"Condition": {
				"StringEquals": {
					"ram:ServiceName": "es-serverless.aliyuncs.com"
				}
			}
		},
		{
			"Action": "ram:CreateServiceLinkedRole",
			"Resource": "*",
			"Effect": "Allow",
			"Condition": {
				"StringEquals": {
					"ram:ServiceName": "privatelink.aliyuncs.com"
				}
			}
		}
	]
}
  • 服务名称:es-serverless.aliyuncs.com

  • 执行服务关联角色操作所需的用户权限:ram:CreateServiceLinkedRole

删除服务关联角色

删除服务角色前,需要先删除依赖这个服务角色的所有任务或设备。删除服务关联角色的具体操作,请参见删除服务关联角色

常见问题

Q:为什么我的RAM用户无法创建ES的服务关联角色?

A:阿里云账号或拥有CreateServiceLinkedRole权限的RAM用户,才能创建或删除服务关联角色。RAM用户无法自动创建服务关联角色时,需要手动为其添加以下权限策略。具体操作,请参见为RAM用户授权

{
    "Version": "1",
    "Statement": [
        {
            "Action": "elasticsearch:InitializeOperationRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "XXX.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}
  • Resource中的值133071096032****需要替换为您的阿里云账号ID。

    阿里云账号ID的获取方法:鼠标移至控制台右上角的用户头像上,即可查看到账号ID

  • ram:ServiceName中的值XXX.aliyuncs.com需要替换为对应服务关联角色的ram:ServiceName。

    • AliyunServiceRoleForElasticsearch(开启ES实例的Kibana私网访问功能):elasticsearch.aliyuncs.com

    • AliyunServiceRoleForElasticsearchCollector(创建和管理Beats采集器):collector.elasticsearch.aliyuncs.com

    • AliyunServiceRoleForElasticsearchOSS(手动进行数据备份和恢复数据):oss.elasticsearch.aliyuncs.com

    • AliyunServiceRoleForElasticsearchOps(执行弹性扩缩容任务):ops.elasticsearch.aliyuncs.com

Q:为什么我的RAM用户无法创建ES Serverless服务关联角色AliyunServiceRoleForESServerless?

A:阿里云账号或拥有CreateServiceLinkedRole权限的RAM用户,才能自动创建或删除服务关联角色。RAM用户无法创建服务关联角色时,需要通过主账号为其添加以下权限策略,具体操作,请参见为RAM用户授权

{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "XXX.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
  • Resource中的值133071096032****需要替换为您的阿里云账号ID。

    阿里云账号ID的获取方法:鼠标移至控制台右上角的用户头像上,即可查看到账号ID

  • ram:ServiceName中的值XXX.aliyuncs.com需要替换为AliyunServiceRoleForESServerless服务关联角色的ram:ServiceName,即es-serverless.aliyuncs.com