
Mastering Elasticsearch Service-Linked Roles with Alibaba Cloud Elasticsearch

Discover various scenarios, code examples, and best practices for seamless integration and enhanced data security.

Introduction

When Elasticsearch accesses Kibana or an Elasticsearch cluster over a virtual private cloud (VPC) through a PrivateLink endpoint, creates and manages Beats shippers, or creates and restores manual snapshots, it must assume a specific service-linked role. This guide walks through each role, the policy document attached to it, and the permissions your own RAM user needs so that Elasticsearch can create the roles on your behalf.

Use Cases for Elasticsearch Service-Linked Roles

AliyunServiceRoleForElasticsearch

This role is required when you access Kibana or an Elasticsearch cluster deployed in the cloud-native control architecture over your VPC. If the role does not exist, Elasticsearch creates it automatically and attaches the policy below. Note that nearly all of the ECS, PrivateZone (pvtz) and PrivateLink actions are granted on Resource "*": the role can create, modify and delete security groups, elastic network interfaces, private DNS zones and VPC endpoints anywhere in the account, and that is the blast radius to keep in mind when deciding who may trigger its creation.

Policy Document Example

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AssignIpv6Addresses",
        "ecs:AssignPrivateIpAddresses",
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeSecurityGroups",
        "ecs:DetachNetworkInterface",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:UnassignIpv6Addresses",
        "ecs:UnassignPrivateIpAddresses"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:AddZone",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZone",
        "pvtz:DeleteZoneRecord",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForElasticsearchCollector

This role is required when you create and manage Beats shippers. Elasticsearch creates the role if it does not exist and attaches the permissions it needs to collect data from ECS instances (via OOS executions) or from Container Service for Kubernetes clusters.

Policy Document Example

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:StartExecution",
        "ecs:DescribeInstances",
        "cs:GetClusterById"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}

AliyunServiceRoleForElasticsearchOSS

This role allows Elasticsearch to create and restore manual snapshots stored in OSS buckets. Elasticsearch creates the role with the policy below if it is not already present. Unlike the two roles above, its OSS permissions are scoped to objects in buckets whose names begin with es-alicloud-, not to every bucket in the account.

Policy Document Example

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:DeleteObject"
      ],
      "Resource": "acs:oss:*:*:es-alicloud-*/*"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
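Before letting a service-linked role be created in your account it is worth knowing what it can actually change. The following Python example is added here and is not code from the original post or from Alibaba Cloud: it takes a RAM policy document, splits the allowed actions into read and write, and lists the write actions that are granted on Resource "*" with no Condition, which is the part of the role's blast radius a reviewer cares about. The Collector and OSS policies from the sections above are embedded as given; the rule that a verb starting with Describe, Get or List is read-only is this example's own heuristic, not an Alibaba Cloud definition. Pasting the AliyunServiceRoleForElasticsearch policy in the same way shows its much larger set of unscoped ECS, pvtz and privatelink write actions.

```python
import json

# Heuristic used by this example (not an Alibaba Cloud definition): an action whose
# verb starts with one of these prefixes only reads state; everything else mutates it.
READ_PREFIXES = ("Describe", "Get", "List")

# Policy copied from the AliyunServiceRoleForElasticsearchCollector section above.
COLLECTOR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["oos:StartExecution", "ecs:DescribeInstances", "cs:GetClusterById"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "collector.elasticsearch.aliyuncs.com"}}},
    ],
}

# Policy copied from the AliyunServiceRoleForElasticsearchOSS section above.
OSS_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:ListObjects", "oss:GetObject", "oss:DeleteObject"],
         "Resource": "acs:oss:*:*:es-alicloud-*/*"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "oss.elasticsearch.aliyuncs.com"}}},
    ],
}


def _as_list(value):
    """RAM accepts a single string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_action(action: str) -> bool:
    """'ecs:DescribeInstances' -> True; 'ecs:CreateSecurityGroup' or 'oss:*' -> False."""
    _service, _sep, verb = action.partition(":")
    return verb.startswith(READ_PREFIXES)


def summarize_policy(policy: dict) -> dict:
    """Split the Allow statements of a policy into read and write actions, and single out
    the write actions granted on Resource "*" with no Condition (the unscoped blast radius)."""
    summary = {"read": set(), "write": set(), "wildcard_write": set()}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition")
        for action in _as_list(stmt.get("Action")):
            if is_read_action(action):
                summary["read"].add(action)
                continue
            summary["write"].add(action)
            if unscoped:
                summary["wildcard_write"].add(action)
    return summary


def report(name: str, policy: dict) -> str:
    """One-policy report used when the script is run directly."""
    s = summarize_policy(policy)
    lines = [f"{name}: {len(s['read'])} read, {len(s['write'])} write action(s)"]
    for action in sorted(s["wildcard_write"]):
        lines.append(f"  write on any resource, no condition: {action}")
    if not s["wildcard_write"]:
        lines.append("  no unscoped write actions")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("AliyunServiceRoleForElasticsearchCollector", COLLECTOR_POLICY))
    print(report("AliyunServiceRoleForElasticsearchOSS", OSS_POLICY))
    # To review another role, load its policy document and pass it to report():
    # print(report("AliyunServiceRoleForElasticsearch", json.load(open("policy.json"))))
```

For the Collector role the only unscoped write is oos:StartExecution, while ram:CreateServiceLinkedRole is excluded because it carries a Condition; for the OSS role oss:DeleteObject is a write but is tied to the es-alicloud-* bucket pattern, so nothing is reported as unscoped.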

Deleting a Service-Linked Role

Before you delete a service-linked role, remove every resource that still depends on it (the VPC access, Beats shippers, or manual snapshot configuration that caused the role to be created); a role that is still in use cannot be deleted cleanly. For more information, refer to Delete a service-linked role.

FAQ

Why can't I use my RAM user to create an Elasticsearch service-linked role?

Only the Alibaba Cloud account itself, or a RAM user that has been granted the CreateServiceLinkedRole permission, can create or delete these roles. If your RAM user lacks this permission, attach the following policy. Note that it restricts ram:CreateServiceLinkedRole with a ram:ServiceName condition to the three Elasticsearch service names, rather than letting the user create a service-linked role for any service:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "elasticsearch:InitializeOperationRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "elasticsearch.aliyuncs.com",
            "collector.elasticsearch.aliyuncs.com",
            "oss.elasticsearch.aliyuncs.com"
          ]
        }
      }
    }
  ]
}

Replace 133071096032**** with your Alibaba Cloud account ID. You can find it by logging in to the Alibaba Cloud Management Console and hovering over the profile picture at the top right corner.
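The ram:ServiceName condition is the only thing that separates the policy above from a grant to create service-linked roles for every Alibaba Cloud service, so it is the detail to check whenever such a policy is copied or edited. The Python example below is added here and is not code from the original post: it scans a policy document for every Allow statement that covers ram:CreateServiceLinkedRole (including through a ram:* or * wildcard) and reports any such statement whose StringEquals condition on ram:ServiceName is missing or names a service outside the expected set. The FAQ policy is embedded as given above with its account ID still masked; the two weaker policies are constructed for contrast and are not from the page.

```python
import fnmatch

# The three service names the FAQ policy is meant to allow.
ALLOWED_SERVICES = frozenset({
    "elasticsearch.aliyuncs.com",
    "collector.elasticsearch.aliyuncs.com",
    "oss.elasticsearch.aliyuncs.com",
})

# Policy copied from the FAQ above; the account ID stays masked as on the page.
FAQ_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "elasticsearch:InitializeOperationRole",
         "Resource": "acs:ram:*:133071096032****:role/*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole",
         "Resource": "acs:ram:*:133071096032****:role/*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": [
             "elasticsearch.aliyuncs.com",
             "collector.elasticsearch.aliyuncs.com",
             "oss.elasticsearch.aliyuncs.com",
         ]}}},
    ],
}

# Constructed for contrast (not from the page): the same grant with the condition dropped,
# which would let the RAM user create a service-linked role for any Alibaba Cloud service.
UNSCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"},
    ],
}

# Constructed for contrast (not from the page): a ram:* wildcard that does carry a
# condition, but for a service outside the Elasticsearch set.
WRONG_SERVICE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "ram:*", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "ecs.aliyuncs.com"}}},
    ],
}


def _as_list(value):
    """RAM accepts a single string or a list for Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(stmt: dict, action: str) -> bool:
    """True when an Allow statement covers `action`, honouring RAM's '*' wildcards
    ('ram:*' and '*' both cover ram:CreateServiceLinkedRole)."""
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(stmt.get("Action"))
    )


def _service_names(stmt: dict) -> set:
    """Values of the StringEquals condition on ram:ServiceName (key compared
    case-insensitively, a tolerance chosen by this example)."""
    names = set()
    for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "ram:servicename":
            names.update(_as_list(value))
    return names


def check_slr_scoping(policy: dict, allowed=ALLOWED_SERVICES) -> list:
    """Return one finding per statement that grants ram:CreateServiceLinkedRole without
    restricting ram:ServiceName to `allowed`. An empty list means every grant is scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if not _grants(stmt, "ram:CreateServiceLinkedRole"):
            continue
        names = _service_names(stmt)
        if not names:
            findings.append(f"statement {i}: ram:CreateServiceLinkedRole allowed "
                            "without a ram:ServiceName condition")
        elif names - set(allowed):
            findings.append(f"statement {i}: ram:ServiceName permits unexpected "
                            f"services {sorted(names - set(allowed))}")
    return findings


if __name__ == "__main__":
    for name, policy in [("FAQ policy", FAQ_POLICY),
                         ("unscoped (constructed)", UNSCOPED_POLICY),
                         ("wrong service (constructed)", WRONG_SERVICE_POLICY)]:
        findings = check_slr_scoping(policy)
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  " + finding)
```

The check deliberately ignores the Resource element: for ram:CreateServiceLinkedRole the role name is chosen by the service, so the ram:ServiceName condition, not the role ARN pattern, is what bounds the grant. Passing a narrower `allowed` set (for example only elasticsearch.aliyuncs.com) turns the FAQ policy itself into a finding, which is the expected result when a team only wants the VPC-access role and not the Collector or OSS ones.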

Conclusion

Service-linked roles let Alibaba Cloud Elasticsearch work with ECS, PrivateLink, PrivateZone, OOS, Container Service and OSS without you provisioning or rotating credentials for it. Reviewing what each role's policy can change, and scoping the permission to create the roles to the three Elasticsearch service names, keeps that convenience from becoming an over-grant. Ready to start your journey with Elasticsearch on Alibaba Cloud? Explore our tailored Cloud solutions and services to get the most out of your data.

Data Geek