In Alibaba Cloud Elasticsearch (ES), the following operations access resources of other cloud services by assuming a RAM role (a service-linked role): private-network access to Kibana or an instance through a PrivateLink endpoint, managing Beats shippers, manual data backup and restore, and cluster elastic scaling. When you perform one of these operations and the corresponding service-linked role does not yet exist, the system creates it for you automatically. This topic describes the service-linked roles of ES and ES Serverless and explains how to delete them.
Scenarios
Service-linked roles are used in the following scenarios:
AliyunServiceRoleForElasticsearch: accessing the nodes or Kibana of a cloud-native managed ES instance from within your VPC.
AliyunServiceRoleForElasticsearchCollector: creating and managing Beats shippers.
AliyunServiceRoleForElasticsearchOSS: manually backing up or restoring data when the automatic-authorization feature is used to associate a custom OSS bucket.
AliyunServiceRoleForElasticsearchOps: running cluster elastic scaling tasks.
AliyunServiceRoleForESServerless: enabling private-network access for an ES Serverless application or its Kibana.
For details about service-linked roles, see Service-linked roles.
ES service-linked roles
AliyunServiceRoleForElasticsearch
When you access the nodes or Kibana of a cloud-native managed ES instance from within a VPC and no role with the permissions required for the task exists, ES automatically creates the corresponding role (a service-linked role) and grants it the necessary permissions. ES assumes this role to call the PrivateLink and ECS network-configuration APIs, creating resources such as VPC endpoints and completing the related configuration so that, for example, Kibana can be reached over the private network. The role is described below:
Role name: AliyunServiceRoleForElasticsearch
Policy name: AliyunServiceRolePolicyForElasticsearch
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:AssignIpv6Addresses",
"ecs:AssignPrivateIpAddresses",
"ecs:AttachNetworkInterface",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:CreateNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:CreateSecurityGroup",
"ecs:DeleteNetworkInterface",
"ecs:DeleteSecurityGroup",
"ecs:DescribeInstanceAttribute",
"ecs:DescribeInstances",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:DescribeNetworkInterfaces",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeSecurityGroups",
"ecs:DetachNetworkInterface",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:ModifySecurityGroupAttribute",
"ecs:ModifySecurityGroupEgressRule",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupRule",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:UnassignIpv6Addresses",
"ecs:UnassignPrivateIpAddresses"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"pvtz:AddZone",
"pvtz:AddZoneRecord",
"pvtz:DeleteZone",
"pvtz:DeleteZoneRecord",
"pvtz:DescribeZoneRecords",
"pvtz:UpdateZoneRecord"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVSwitches"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AttachSecurityGroupToVpcEndpoint",
"privatelink:DetachSecurityGroupFromVpcEndpoint",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"privatelink:DeleteVpcEndpoint"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "elasticsearch.aliyuncs.com"
}
}
}
]
}
Service name: elasticsearch.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
AliyunServiceRoleForElasticsearchCollector
When you create and manage Beats shippers and no role with the permissions required for the task exists, ES automatically creates the corresponding role (a service-linked role) and grants it the necessary permissions. ES assumes this role to call OpenAPI operations that run the Beats data-collection tasks on the target ECS instances or ACK (Container Service for Kubernetes) nodes. The role is described below:
Role name: AliyunServiceRoleForElasticsearchCollector
Policy name: AliyunServiceRolePolicyForElasticsearchCollector
Policy document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:CancelExecution",
        "oos:DeleteExecutions",
        "oos:GenerateExecutionPolicy",
        "oos:GetExecutionTemplate",
        "oos:ListExecutionLogs",
        "oos:ListExecutions",
        "oos:ListTaskExecutions",
        "oos:NotifyExecution",
        "oos:StartExecution",
        "oos:ListTagResources",
        "oos:TagResources",
        "oos:UntagResources",
        "oos:CreateTemplate",
        "oos:DeleteTemplate",
        "oos:GetTemplate",
        "oos:ListExecutionRiskyTasks",
        "oos:ListTemplates",
        "oos:UpdateTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:GetUserConfig",
        "cs:GetClusters",
        "cs:GetClusterById"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}
Service name: collector.elasticsearch.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
AliyunServiceRoleForElasticsearchOSS
When you use your own OSS bucket to back up and restore data and no role with the permissions required for the task exists, ES automatically creates the corresponding role (a service-linked role) and grants it the necessary permissions. ES assumes this role to access your OSS bucket through OpenAPI and perform the backup or restore. The role is described below:
Role name: AliyunServiceRoleForElasticsearchOSS
Policy name: AliyunServiceRolePolicyForElasticsearchOSS
Policy document:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:GetObjectMeta",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:es-alicloud-*/*",
"acs:oss:*:*:es-alicloud-*",
"acs:oss:*:*:*/*es-alicloud*/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectMeta",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"oss:BucketTag/es-alicloud": [
"es-alicloud"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
}
}
}
]
}
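The two OSS statements above confine the role to buckets whose name starts with es-alicloud-, whose object prefix contains es-alicloud, or that carry the tag es-alicloud=es-alicloud. To make that scoping concrete, here is an added example (not Alibaba Cloud's code): a deliberately minimal evaluator implementing RAM's default deny, wildcard Resource matching and the StringEquals condition, run against a constructed copy of those two statements with a shortened action list. It ignores Deny statements and other condition operators, and it assumes bucket tags arrive as request-context keys such as oss:BucketTag/es-alicloud; the bucket names and tags in the checks are constructed.

```python
import fnmatch

# Constructed copy of the two OSS statements of AliyunServiceRolePolicyForElasticsearchOSS
# (action list shortened; the third, RAM-related statement is omitted).
OSS_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:ListObjects", "oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
         "Resource": ["acs:oss:*:*:es-alicloud-*/*",
                      "acs:oss:*:*:es-alicloud-*",
                      "acs:oss:*:*:*/*es-alicloud*/*"]},
        {"Effect": "Allow",
         "Action": ["oss:ListObjects", "oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
         "Resource": "*",
         "Condition": {"StringEquals": {"oss:BucketTag/es-alicloud": ["es-alicloud"]}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _string_equals_met(condition, context):
    # Only StringEquals is modelled: every listed key must be present in the
    # request context with one of the expected values.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Default deny: True only if some Allow statement matches the action, the
    resource (RAM-style '*' wildcards, which also span ':' and '/') and all
    of its conditions."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _string_equals_met(stmt.get("Condition", {}), context):
            continue
        return True
    return False

if __name__ == "__main__":
    # Constructed bucket names: only the es-alicloud-* bucket is reachable without a tag.
    print(is_allowed(OSS_POLICY, "oss:GetObject", "acs:oss:*:*:es-alicloud-backup/snap-1/meta"))  # True
    print(is_allowed(OSS_POLICY, "oss:GetObject", "acs:oss:*:*:team-bucket/snap-1/meta"))         # False
```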
Service name: oss.elasticsearch.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
AliyunServiceRoleForElasticsearchOps
When a cluster elastic scaling task runs and no role with the permissions required for the task exists, ES automatically creates the corresponding role (a service-linked role) and grants it the necessary permissions. ES assumes this role to call the elastic scaling OpenAPI operations and scales the cluster in or out at the time you scheduled. The role is described below:
Role name: AliyunServiceRoleForElasticsearchOps
Policy name: AliyunServiceRolePolicyForElasticsearchOps
Policy document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:DescribeInstance",
        "elasticsearch:UpdateInstance",
        "elasticsearch:UpdateInstanceSettings",
        "elasticsearch:RestartInstance",
        "elasticsearch:RollbackInstance",
        "elasticsearch:DowngradeInstance",
        "elasticsearch:CancelTask",
        "elasticsearch:DeactivateZones",
        "elasticsearch:ActivateZones",
        "elasticsearch:MigrateToOtherZone",
        "elasticsearch:ResumeElasticsearchTask",
        "elasticsearch:InterruptElasticsearchTask",
        "elasticsearch:UpdateAdvancedSetting",
        "elasticsearch:UpgradeInstanceEngineVersion",
        "elasticsearch:UpdateWhiteIps",
        "elasticsearch:UpdatePublicIps",
        "elasticsearch:ModifyWhiteIps",
        "elasticsearch:TriggerNetwork",
        "elasticsearch:UpdateTemplate",
        "elasticsearch:DescribeLogstash",
        "elasticsearch:UpdateLogstash",
        "elasticsearch:RestartLogstash",
        "elasticsearch:UpdateLogstashSettings",
        "elasticsearch:InterruptLogstashTask",
        "elasticsearch:ResumeLogstashTask",
        "elasticsearch:DowngradeLogstash"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ops.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
Service name: ops.elasticsearch.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
ES Serverless service-linked role
AliyunServiceRoleForESServerless
When you enable private-network access for an ES Serverless application or its Kibana and no role with the permissions required for the task exists, the ES Serverless service automatically creates the corresponding role (a service-linked role) and grants it the necessary permissions. The ES Serverless service assumes this role to call the PrivateLink API and create the VPC endpoint that lets you reach the application or Kibana from within your VPC. The role is described below:
Role name: AliyunServiceRoleForESServerless
Policy name: AliyunServiceRolePolicyForESServerless
Policy document:
{
"Version": "1",
"Statement": [{
"Action": [
"privatelink:CreateVpcEndpoint",
"privatelink:DeleteVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:OpenPrivateLinkService",
"privatelink:CheckProductOpen",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AttachSecurityGroupToVpcEndpoint",
"privatelink:DetachSecurityGroupFromVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"vpc:DescribeVpcs",
"vpc:DescribeVpcAttribute",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "es-serverless.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
}
]
}
Service name: es-serverless.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
Delete a service-linked role
Before you delete a service-linked role, delete all tasks or resources that depend on it. For the procedure, see Delete a service-linked role.
FAQ
Q: Why can't my RAM user create an ES service-linked role?
A: Only an Alibaba Cloud account, or a RAM user that has the CreateServiceLinkedRole permission, can create or delete service-linked roles. If a RAM user cannot create the service-linked role automatically, attach the following policy to the user. For the procedure, see Grant permissions to a RAM user.
{
"Version": "1",
"Statement": [
{
"Action": "elasticsearch:InitializeOperationRole",
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"XXX.aliyuncs.com"
]
}
}
}
]
}
In Resource, replace 133071096032**** with your Alibaba Cloud account ID. To find the account ID, hover over the profile picture in the upper-right corner of the console.
In ram:ServiceName, replace XXX.aliyuncs.com with the ram:ServiceName of the service-linked role in question:
AliyunServiceRoleForElasticsearch (private-network access to the Kibana of an ES instance): elasticsearch.aliyuncs.com
AliyunServiceRoleForElasticsearchCollector (creating and managing Beats shippers): collector.elasticsearch.aliyuncs.com
AliyunServiceRoleForElasticsearchOSS (manual data backup and restore): oss.elasticsearch.aliyuncs.com
AliyunServiceRoleForElasticsearchOps (elastic scaling tasks): ops.elasticsearch.aliyuncs.com
Q: Why can't my RAM user create the ES Serverless service-linked role AliyunServiceRoleForESServerless?
A: Only an Alibaba Cloud account, or a RAM user that has the CreateServiceLinkedRole permission, can automatically create or delete service-linked roles. If a RAM user cannot create the service-linked role, have the Alibaba Cloud account attach the following policy to the user. For the procedure, see Grant permissions to a RAM user.
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"XXX.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
In Resource, replace 133071096032**** with your Alibaba Cloud account ID. To find the account ID, hover over the profile picture in the upper-right corner of the console.
In ram:ServiceName, replace XXX.aliyuncs.com with the ram:ServiceName of the AliyunServiceRoleForESServerless service-linked role, which is es-serverless.aliyuncs.com.
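The two FAQ answers above each leave an account-ID and a ram:ServiceName placeholder to fill in, and the value of the ram:ServiceName condition is what keeps the grant from letting the user create a service-linked role for any service. Here is an added helper (not Alibaba Cloud's code) that builds the RAM user policy from the role-to-ram:ServiceName mapping given in the answers and reports which service names a policy's ram:CreateServiceLinkedRole grant is limited to. It assumes the account ID is 16 digits and, following the two answers, includes the elasticsearch:InitializeOperationRole statement only when an ES (non-Serverless) role is requested; the account ID used in the checks is constructed.

```python
import re

# Role -> ram:ServiceName mapping taken from the two FAQ answers.
ROLE_SERVICE_NAMES = {
    "AliyunServiceRoleForElasticsearch": "elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchCollector": "collector.elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchOSS": "oss.elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchOps": "ops.elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForESServerless": "es-serverless.aliyuncs.com",
}

def build_ram_user_policy(account_id, role_names):
    """Fill in the FAQ policy: account_id replaces 133071096032**** and the
    requested roles are mapped to the ram:ServiceName values the condition
    must list. Raises if a placeholder or an unknown role slips through."""
    if not re.fullmatch(r"\d{16}", account_id):  # assumption: account IDs are 16 digits
        raise ValueError("account_id must be your real 16-digit Alibaba Cloud account ID")
    unknown = sorted(set(role_names) - ROLE_SERVICE_NAMES.keys())
    if unknown:
        raise ValueError(f"no ram:ServiceName known for {unknown}")
    role_arn = f"acs:ram:*:{account_id}:role/*"
    services = sorted({ROLE_SERVICE_NAMES[r] for r in role_names})
    statements = []
    # Only the ES (non-Serverless) FAQ policy carries InitializeOperationRole.
    if any(r != "AliyunServiceRoleForESServerless" for r in role_names):
        statements.append({"Action": "elasticsearch:InitializeOperationRole",
                           "Resource": role_arn, "Effect": "Allow"})
    statements.append({"Action": "ram:CreateServiceLinkedRole", "Resource": role_arn,
                       "Effect": "Allow",
                       "Condition": {"StringEquals": {"ram:ServiceName": services}}})
    return {"Version": "1", "Statement": statements}

def permitted_services(policy):
    """Return the ram:ServiceName values for which the policy allows
    ram:CreateServiceLinkedRole (literal action names only). '*' means a
    statement has no such condition and would cover every service."""
    found = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow" or "ram:CreateServiceLinkedRole" not in actions:
            continue
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if names is None:
            found.add("*")
        else:
            found.update(names if isinstance(names, list) else [names])
    return found
```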