Alibaba Cloud Elasticsearch needs to assume specific service-linked roles when it accesses Kibana or an Elasticsearch cluster over a virtual private cloud (VPC) through a PrivateLink endpoint, creates and manages Beats shippers, or handles manual snapshots. This guide walks you through these roles, the permissions each one carries, and the policy a RAM user needs to create them.
The first role is required when accessing Kibana or an Elasticsearch node in the cloud-native control architecture over your VPC. If the role does not exist, Elasticsearch creates it automatically and attaches the permissions below.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AssignIpv6Addresses",
        "ecs:AssignPrivateIpAddresses",
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeSecurityGroups",
        "ecs:DetachNetworkInterface",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:UnassignIpv6Addresses",
        "ecs:UnassignPrivateIpAddresses"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:AddZone",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZone",
        "pvtz:DeleteZoneRecord",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
```
The second role is required when creating and managing Beats shippers. Elasticsearch creates the role if it does not exist and attaches the permissions needed for operations such as collecting data from ECS instances or Kubernetes clusters.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:StartExecution",
        "ecs:DescribeInstances",
        "cs:GetClusterById"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
```
The third role allows Elasticsearch to create and restore manual snapshots by accessing OSS buckets. Elasticsearch creates this role with the permissions below if it is not already present.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:DeleteObject"
      ],
      "Resource": "acs:oss:*:*:es-alicloud-*/*"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
```
Before you can delete a service-linked role, ensure that all tasks or devices depending on the role are deleted. For more information, refer to Delete a service-linked role.
Only Alibaba Cloud accounts and RAM users with the CreateServiceLinkedRole permission can create or delete these roles. If your RAM user lacks this permission, attach the following policy:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "elasticsearch:InitializeOperationRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "elasticsearch.aliyuncs.com",
            "collector.elasticsearch.aliyuncs.com",
            "oss.elasticsearch.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
```
Replace 133071096032**** with your Alibaba Cloud account ID. You can find it by logging in to the Alibaba Cloud Management Console and hovering over the profile picture in the top-right corner.
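The ram:ServiceName condition is what keeps the policy above from letting a RAM user create service-linked roles for arbitrary services. As an added example (not code from the article or from Alibaba Cloud), this Python check parses a RAM policy document and flags any Allow statement that grants ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole without that condition, or with a service name other than the four used by the roles in this article; the sample policies and the placeholder account ID are constructed.

```python
import fnmatch
import json

# Constructed sample modelled on the article's RAM-user policy; the account id
# is a placeholder, not a real account.
SCOPED_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": "elasticsearch:InitializeOperationRole",
     "Resource": "acs:ram:*:<ACCOUNT_ID>:role/*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole",
     "Resource": "acs:ram:*:<ACCOUNT_ID>:role/*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": [
       "elasticsearch.aliyuncs.com",
       "collector.elasticsearch.aliyuncs.com",
       "oss.elasticsearch.aliyuncs.com"]}}}
  ]
}""")
# Constructed weak variant: a ram:* wildcard with no ram:ServiceName condition.
UNSCOPED_POLICY = {"Version": "1", "Statement": [
    {"Action": "ram:*", "Resource": "*", "Effect": "Allow"}]}

# The service names used by the roles shown in the article.
EXPECTED_SERVICES = {"elasticsearch.aliyuncs.com", "privatelink.aliyuncs.com",
                     "collector.elasticsearch.aliyuncs.com",
                     "oss.elasticsearch.aliyuncs.com"}
SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

def _as_list(value):
    # RAM allows Action, Resource and condition values as a string or a list.
    return value if isinstance(value, list) else [value]

def audit_slr_statements(policy: dict) -> list:
    """Return (index, finding) pairs for Allow statements that grant SLR creation
    or deletion without a ram:ServiceName condition or with unexpected names."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        # fnmatch expands action wildcards such as "ram:*" or "ram:*LinkedRole".
        patterns = _as_list(st.get("Action", []))
        if not any(fnmatch.fnmatch(a, p) for a in SLR_ACTIONS for p in patterns):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        names = set(_as_list(cond.get("ram:ServiceName", [])))
        if not names:
            findings.append((i, "no ram:ServiceName condition"))
        elif names - EXPECTED_SERVICES:
            findings.append((i, "unexpected service names: " + ", ".join(sorted(names - EXPECTED_SERVICES))))
    return findings
```

Run it against the policy you are about to attach; an empty result means every service-linked-role grant is pinned to one of the expected services.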
Implementing and managing service-linked roles in Alibaba Cloud Elasticsearch ensures seamless and secure interactions with other Alibaba Cloud services. Ready to start your journey with Elasticsearch on Alibaba Cloud? Explore our tailored Cloud solutions and services to transform your data into a visual masterpiece.