In the realm of Elasticsearch operations on Alibaba Cloud, efficiency and security are paramount. Service-Linked Roles (SLRs) play a pivotal role in streamlining access control and enabling secure interactions with other cloud services. This in-depth guide explores the nuances of Elasticsearch SLRs, their application scenarios, and how they simplify managing your Elasticsearch clusters, Beats shippers, and snapshot activities.
Alibaba Cloud Elasticsearch automatically provisions and manages SLRs so that specific operations run without manual permission setup. Each role is pre-defined with the permissions its task needs, which keeps both security and operations simple. The three policy documents that follow are the ones attached to these roles, and the ram:ServiceName in each policy's DeleteServiceLinkedRole condition identifies which role it belongs to: the first (elasticsearch.aliyuncs.com) lets the service manage ENIs, security groups, PrivateZone DNS records and PrivateLink endpoints for clusters; the second (collector.elasticsearch.aliyuncs.com) lets the Beats collector drive OOS executions on ECS and Container Service hosts; the third (oss.elasticsearch.aliyuncs.com) grants snapshot access only to OSS buckets named es-alicloud-* or tagged es-alicloud.
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:AssignIpv6Addresses",
"ecs:AssignPrivateIpAddresses",
"ecs:AttachNetworkInterface",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:CreateNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:CreateSecurityGroup",
"ecs:DeleteNetworkInterface",
"ecs:DeleteSecurityGroup",
"ecs:DescribeInstanceAttribute",
"ecs:DescribeInstances",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:DescribeNetworkInterfaces",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeSecurityGroups",
"ecs:DetachNetworkInterface",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:ModifySecurityGroupAttribute",
"ecs:ModifySecurityGroupEgressRule",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupRule",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:UnassignIpv6Addresses",
"ecs:UnassignPrivateIpAddresses"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"pvtz:AddZone",
"pvtz:AddZoneRecord",
"pvtz:DeleteZone",
"pvtz:DeleteZoneRecord",
"pvtz:DescribeZoneRecords",
"pvtz:UpdateZoneRecord"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVSwitches"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AttachSecurityGroupToVpcEndpoint",
"privatelink:DetachSecurityGroupFromVpcEndpoint",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"privatelink:DeleteVpcEndpoint"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "elasticsearch.aliyuncs.com"
}
}
}
]
}
{
"Version": "1",
"Statement": [
{
"Action": [
"oos:CancelExecution",
"oos:DeleteExecutions",
"oos:GenerateExecutionPolicy",
"oos:GetExecutionTemplate",
"oos:ListExecutionLogs",
"oos:ListExecutions",
"oos:ListTaskExecutions",
"oos:NotifyExecution",
"oos:StartExecution",
"oos:ListTagResources",
"oos:TagResources",
"oos:UntagResources",
"oos:CreateTemplate",
"oos:DeleteTemplate",
"oos:GetTemplate",
"oos:ListExecutionRiskyTasks",
"oos:ListTemplates",
"oos:UpdateTemplate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeCloudAssistantStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cs:GetUserConfig",
"cs:GetClusters",
"cs:GetClusterById"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
"Condition": {
"StringEquals": {
"acs:Service": "oos.aliyuncs.com"
}
}
}
]
}
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:GetObjectMeta",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:es-alicloud-*/*",
"acs:oss:*:*:es-alicloud-*",
"acs:oss:*:*:*/*es-alicloud*/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectMeta",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"oss:BucketTag/es-alicloud": [
"es-alicloud"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
}
}
}
]
}
Deleting a service-linked role requires careful planning. Before deletion, ensure no dependent tasks or devices exist. For detailed steps, refer to Alibaba Cloud's documentation on deleting a service-linked role.
Q: Why am I unable to use my RAM user to create an Elasticsearch service-linked role?
A: Only Alibaba Cloud accounts and RAM users that have the CreateServiceLinkedRole permission can create or delete a service-linked role. If your RAM user cannot automatically create the service-linked role, attach the following policy to the RAM user. For more information, see Grant permissions to RAM users.
Alibaba Cloud Elasticsearch, coupled with its robust Service-Linked Roles, offers unparalleled ease in managing your data indexing, search, and analytics tasks. By automating permissions and enhancing security, it empowers businesses to focus on insights rather than infrastructure complexities.
Ready to revolutionize your data handling capabilities? Get started with Alibaba Cloud Elasticsearch today. Experience firsthand how our tailored cloud solutions can transform your data into actionable intelligence, unlocking new avenues for growth and innovation.
Data Geek - July 2, 2024