
Unleashing the Power of Elasticsearch Service-Linked Roles on Alibaba Cloud: Secure Automation at Scale

Dive into the intricacies of Alibaba Cloud Elasticsearch's Service-Linked Roles for seamless VPC access, Beats management, and data snapshot operations.

In the realm of Elasticsearch operations on Alibaba Cloud, efficiency and security are paramount. Service-Linked Roles (SLRs) play a pivotal role in streamlining access control and enabling secure interactions with other cloud services. This in-depth guide explores the nuances of Elasticsearch SLRs, their application scenarios, and how they simplify managing your Elasticsearch clusters, Beats shippers, and snapshot activities.

Understanding Elasticsearch Service-Linked Roles

Alibaba Cloud Elasticsearch automatically provisions and manages SLRs to facilitate specific operations without manual intervention. These roles are pre-defined with the least privilege necessary, enhancing both security and operational simplicity.

Key Scenarios & Roles

Aliyun Service Role For Elasticsearch

  • Scenario: Accessing Kibana or Elasticsearch clusters via VPC PrivateLink endpoints.
  • Policy Example:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AssignIpv6Addresses",
        "ecs:AssignPrivateIpAddresses",
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeSecurityGroups",
        "ecs:DetachNetworkInterface",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:UnassignIpv6Addresses",
        "ecs:UnassignPrivateIpAddresses"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:AddZone",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZone",
        "pvtz:DeleteZoneRecord",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
  • Service Name: elasticsearch.aliyuncs.com

Aliyun Service Role For Elasticsearch Collector

  • Scenario: Managing Beats shippers for data collection.
  • Policy Example:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oos:CancelExecution",
                "oos:DeleteExecutions",
                "oos:GenerateExecutionPolicy",
                "oos:GetExecutionTemplate",
                "oos:ListExecutionLogs",
                "oos:ListExecutions",
                "oos:ListTaskExecutions",
                "oos:NotifyExecution",
                "oos:StartExecution",
                "oos:ListTagResources",
                "oos:TagResources",
                "oos:UntagResources",
                "oos:CreateTemplate",
                "oos:DeleteTemplate",
                "oos:GetTemplate",
                "oos:ListExecutionRiskyTasks",
                "oos:ListTemplates",
                "oos:UpdateTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeCloudAssistantStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cs:GetUserConfig",
                "cs:GetClusters",
                "cs:GetClusterById"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
            "Condition": {
                "StringEquals": {
                    "acs:Service": "oos.aliyuncs.com"
                }
            }
        }
    ]
}
  • Service Name: collector.elasticsearch.aliyuncs.com

Aliyun Service Role For Elasticsearch OSS

  • Scenario: Creating manual snapshots or restoring data from OSS.
  • Policy Example:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionTagging",
        "oss:GetObjectMeta",
        "oss:DeleteObject",
        "oss:PutObject",
        "oss:GetBucketVersioning",
        "oss:GetBucketInfo",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:es-alicloud-*/*",
        "acs:oss:*:*:es-alicloud-*",
        "acs:oss:*:*:*/*es-alicloud*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:GetObjectMeta",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionTagging",
        "oss:DeleteObject",
        "oss:PutObject",
        "oss:GetBucketVersioning",
        "oss:GetBucketInfo",
        "oss:GetBucketAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:BucketTag/es-alicloud": [
            "es-alicloud"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
  • Service Name: oss.elasticsearch.aliyuncs.com

Managing and Deleting Service-Linked Roles

Deleting a service-linked role requires careful planning. Before deletion, ensure no dependent tasks or devices exist. For detailed steps, refer to Alibaba Cloud's documentation on deleting a service-linked role.

Frequently Asked Questions

Q: Why am I unable to use my RAM user to create an Elasticsearch service-linked role?
A: Only Alibaba Cloud accounts and RAM users that have the CreateServiceLinkedRole permission can be used to create or delete a service-linked role. Therefore, if your RAM user cannot be used to automatically create the service-linked role, you must attach the following policy to your RAM user. For more information, see Grant permissions to RAM users.
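The three SLR policies above share one scoping pattern: every ram:* grant is pinned to a service name (ram:ServiceName or acs:Service) and every OSS grant is limited to a bucket pattern or a bucket tag. The FAQ answer refers to a policy that is not reproduced on this page, so the added example below (not taken from the page or from Alibaba Cloud) constructs a CreateServiceLinkedRole grant in the same statement shape, pinned to the elasticsearch.aliyuncs.com service name listed above; that policy is an assumption, as is the audit_policy helper, which checks any policy document for the page's scoping pattern and flags a weakened variant:

```python
import json

# Constructed (assumption, not copied from the page): the grant a RAM user
# needs in order to auto-create the Elasticsearch SLR, pinned to the service
# name the page lists for that role.
CREATE_SLR_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {
            "ram:ServiceName": "elasticsearch.aliyuncs.com"}},
    }],
}

# Constructed weak variant: same grant with the service-name condition
# dropped, so the user could create service-linked roles for any service.
UNPINNED_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "ram:CreateServiceLinkedRole",
                   "Resource": "*", "Effect": "Allow"}],
}

# Condition keys the page's SLR policies use to pin ram:* grants to a service.
SERVICE_PIN_KEYS = {"ram:ServiceName", "acs:Service"}


def _as_list(value):
    """RAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list[str]:
    """Return findings for Allow statements broader than the SLR policies on
    this page: ram:* actions with no service-name pin, and oss:* actions on
    every resource with no bucket-tag condition. Empty list means clean."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        cond_keys = set(st.get("Condition", {}).get("StringEquals", {}))
        wildcard = "*" in _as_list(st.get("Resource", []))
        tag_scoped = any(k.startswith("oss:BucketTag/") for k in cond_keys)
        for action in _as_list(st.get("Action", [])):
            service = action.split(":", 1)[0]
            if service == "ram" and not (cond_keys & SERVICE_PIN_KEYS):
                findings.append(f"statement {i}: {action} is not pinned to a service name")
            elif service == "oss" and wildcard and not tag_scoped:
                findings.append(f"statement {i}: {action} on '*' without a bucket-tag condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(CREATE_SLR_POLICY, indent=2))
    print(audit_policy(CREATE_SLR_POLICY))  # []
    print(audit_policy(UNPINNED_POLICY))    # one finding for statement 0
```

Running audit_policy over the three policy examples above returns no findings, which is the property to preserve when a custom policy is derived from them.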

Embark on Your Elasticsearch Journey with Alibaba Cloud

Alibaba Cloud Elasticsearch, coupled with its robust Service-Linked Roles, offers unparalleled ease in managing your data indexing, search, and analytics tasks. By automating permissions and enhancing security, it empowers businesses to focus on insights rather than infrastructure complexities.

Ready to revolutionize your data handling capabilities? Get started with Alibaba Cloud Elasticsearch today. Experience firsthand how our tailored cloud solutions can transform your data into actionable intelligence, unlocking new avenues for growth and innovation.
