If you want to upload a plug-in or dictionary file stored in Object Storage Service (OSS) via the Elasticsearch console, you can use the OSS URL for this process. This requires a regular service role for Alibaba Cloud Elasticsearch, authorizing Elasticsearch to access and load the file from the OSS URL without altering permissions on the OSS bucket.
A regular service role is a RAM role whose trusted entity is an Alibaba Cloud service. These roles facilitate authorized access across different Alibaba Cloud services. For more details, refer to the RAM role overview.
If the regular service role does not exist when uploading a dictionary via the OSS URL, you need to create the role and attach the required policy. This way, Elasticsearch can assume the role to access the file, ensuring higher data security than making the OSS bucket publicly readable.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectMetadata",
        "oss:GetObjectMeta"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
You can delete the regular service role in the RAM console. However, note that deleting this role will disable features dependent on it. For more information, see Delete a RAM role.
To define finer-grained permissions, create a custom RAM policy and attach it to the role.
Tags can be used to manage bucket permissions. Here’s how to add a tag to a bucket:
1) Log on to the OSS console.
2) Navigate to Buckets > Bucket Settings > Bucket Tagging.
3) Click Create Tag and add the desired tag.
Create a custom policy that specifies the bucket or the tag in the condition. Example:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectMetadata",
        "oss:GetObjectMeta"
      ],
      "Resource": [
        "acs:oss:*:193248xxxxxxx:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "oss:BucketTag/key1": "value1"
        }
      }
    }
  ]
}
Attach this custom policy to the AliyunElasticsearchAccessingOSSRole role.
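Before attaching a custom policy, it helps to confirm that it really is narrower than the default one. The following check is an added example, not code from the original article or from Alibaba Cloud: it flags Allow statements that permit actions outside the three read actions above, or that match any bucket without an oss:BucketTag condition. The function names, the bucket name example-dict-bucket and the dict/ prefix are assumptions made for illustration.

```python
# Added example: lint a RAM policy intended for the Elasticsearch OSS role.
OSS_READ = {"oss:GetObject", "oss:GetObjectMetadata", "oss:GetObjectMeta"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def bucket_of(resource):
    # OSS resource format: acs:oss:<region>:<account-id>:<bucket>[/<object>]
    parts = resource.split(":", 4)
    return parts[4].split("/", 1)[0] if len(parts) == 5 else "*"

def audit(policy):
    """Return findings for Allow statements that are not limited to the
    read actions on named buckets or on tag-matched buckets."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        extra = set(as_list(st.get("Action", []))) - OSS_READ
        if extra:
            findings.append(f"statement {i}: actions outside read set {sorted(extra)}")
        # Only a StringEquals match on a bucket tag counts as a restriction.
        tags = [k for k in st.get("Condition", {}).get("StringEquals", {})
                if k.startswith("oss:BucketTag/")]
        wild = [r for r in as_list(st.get("Resource", []))
                if "*" in bucket_of(r)]
        if wild and not tags:
            findings.append(f"statement {i}: any bucket readable via {wild}")
    return findings

def stmt(resource, condition=None):
    s = {"Action": sorted(OSS_READ), "Resource": resource, "Effect": "Allow"}
    if condition:
        s["Condition"] = condition
    return {"Version": "1", "Statement": [s]}

# The two policies from this page, plus a constructed bucket-scoped one
# ("example-dict-bucket" and the "dict/" prefix are hypothetical).
DEFAULT = stmt("*")
TAGGED = stmt(["acs:oss:*:193248xxxxxxx:*"],
              {"StringEquals": {"oss:BucketTag/key1": "value1"}})
BUCKET = stmt(["acs:oss:*:*:example-dict-bucket/dict/*"])

if __name__ == "__main__":
    for name, pol in [("default", DEFAULT), ("tagged", TAGGED), ("bucket", BUCKET)]:
        print(name, audit(pol) or "scoped")
```

The default policy produces one finding because "Resource": "*" carries no condition; the tag-conditioned and bucket-scoped policies produce none.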
For Elasticsearch clusters deployed in the cloud-native control architecture (e.g., versions V7.16, V8.5, or V8.9), only the regular service role enables the clusters to read dictionary files stored in OSS. Make sure the authorization is completed on the authorization page. This role is required for:
Implementing a regular service role in Alibaba Cloud Elasticsearch ensures secure and efficient access to OSS resources.