When you access Kibana or an Elasticsearch cluster over a virtual private cloud (VPC) by using a PrivateLink endpoint, create and manage Beats shippers, create manual snapshots, or restore data from manual snapshots in Elasticsearch, Elasticsearch needs to assume the related service-linked role to access the resources of other Alibaba Cloud services. If the service-linked role does not exist, Elasticsearch automatically creates the role when you perform the preceding operations. This topic describes the Elasticsearch service-linked roles and how to delete a service-linked role.
Scenarios
This section describes the use scenarios of Elasticsearch service-linked roles.
AliyunServiceRoleForElasticsearch: The role is required when you access Kibana or a node for an Elasticsearch cluster deployed in the cloud-native control architecture over your VPC.
AliyunServiceRoleForElasticsearchCollector: The role is required when you create and manage Beats shippers.
AliyunServiceRoleForElasticsearchOSS: The role is required when you create manual snapshots or restore data from manual snapshots. This role enables Elasticsearch to access Object Storage Service (OSS) buckets.
For more information about service-linked roles, see Service-linked roles.
Description
AliyunServiceRoleForElasticsearch
If a role that has the required permissions does not exist when you access Kibana or a node for an Elasticsearch cluster deployed in the cloud-native control architecture over your VPC, Elasticsearch automatically creates the service-linked role and grants the required permissions to the role. Then, Elasticsearch assumes the role and calls the network configuration-related API operation of PrivateLink or Elastic Compute Service (ECS) to create resources such as an endpoint and complete configurations. This way, you can access Kibana or the node over your VPC. The following descriptions provide detailed information about the role:
Role name: AliyunServiceRoleForElasticsearch
Policy name: AliyunServiceRolePolicyForElasticsearch
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:AssignIpv6Addresses",
"ecs:AssignPrivateIpAddresses",
"ecs:AttachNetworkInterface",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:CreateNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:CreateSecurityGroup",
"ecs:DeleteNetworkInterface",
"ecs:DeleteSecurityGroup",
"ecs:DescribeInstanceAttribute",
"ecs:DescribeInstances",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:DescribeNetworkInterfaces",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeSecurityGroups",
"ecs:DetachNetworkInterface",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:ModifySecurityGroupAttribute",
"ecs:ModifySecurityGroupEgressRule",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupRule",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:UnassignIpv6Addresses",
"ecs:UnassignPrivateIpAddresses"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"pvtz:AddZone",
"pvtz:AddZoneRecord",
"pvtz:DeleteZone",
"pvtz:DeleteZoneRecord",
"pvtz:DescribeZoneRecords",
"pvtz:UpdateZoneRecord"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVSwitches"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AttachSecurityGroupToVpcEndpoint",
"privatelink:DetachSecurityGroupFromVpcEndpoint",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"privatelink:DeleteVpcEndpoint"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "elasticsearch.aliyuncs.com"
}
}
}
]
}
Service name: elasticsearch.aliyuncs.com
Permission required to create the role: ram:CreateServiceLinkedRole
AliyunServiceRoleForElasticsearchCollector
If a role that has the required permissions does not exist when you create and manage a Beats shipper, Elasticsearch automatically creates the service-linked role and grants the required permissions to the role. Then, Elasticsearch assumes the role and calls the related API operation to enable the Beats shipper to collect data from an ECS instance or a Container Service for Kubernetes (ACK) cluster. The following descriptions provide detailed information about the role:
Role name: AliyunServiceRoleForElasticsearchCollector
Policy name: AliyunServiceRolePolicyForElasticsearchCollector
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"oos:CancelExecution",
"oos:DeleteExecutions",
"oos:GenerateExecutionPolicy",
"oos:GetExecutionTemplate",
"oos:ListExecutionLogs",
"oos:ListExecutions",
"oos:ListTaskExecutions",
"oos:NotifyExecution",
"oos:StartExecution",
"oos:ListTagResources",
"oos:TagResources",
"oos:UntagResources",
"oos:CreateTemplate",
"oos:DeleteTemplate",
"oos:GetTemplate",
"oos:ListExecutionRiskyTasks",
"oos:ListTemplates",
"oos:UpdateTemplate"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeCloudAssistantStatus"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cs:GetUserConfig",
"cs:GetClusters",
"cs:GetClusterById"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
}
}
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
"Condition": {
"StringEquals": {
"acs:Service": "oos.aliyuncs.com"
}
}
}
]
}
Service name: collector.elasticsearch.aliyuncs.com
Permission required to create the role: ram:CreateServiceLinkedRole
AliyunServiceRoleForElasticsearchOSS
If a role that has the required permissions does not exist when you create a manual snapshot or restore data from a manual snapshot, Elasticsearch automatically creates the service-linked role and grants the required permissions to the role. Then, Elasticsearch assumes the role and calls the related API operation to access your OSS bucket. The following descriptions provide detailed information about the role:
Role name: AliyunServiceRoleForElasticsearchOSS
Policy name: AliyunServiceRolePolicyForElasticsearchOSS
Policy document:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:GetObjectMeta",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:es-alicloud-*/*",
"acs:oss:*:*:es-alicloud-*",
"acs:oss:*:*:*/*es-alicloud*/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectMeta",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"oss:BucketTag/es-alicloud": [
"es-alicloud"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
}
}
}
]
}
Service name: oss.elasticsearch.aliyuncs.com
Permission required to create the role: ram:CreateServiceLinkedRole
Delete a service-linked role
Before you delete a service-linked role, you must delete all tasks or devices that depend on the role. For more information about how to delete a service-linked role, see Delete a service-linked role.
FAQ
Q: Why am I unable to use my RAM user to create an Elasticsearch service-linked role?
A: Only Alibaba Cloud accounts and RAM users that have the CreateServiceLinkedRole permission can be used to create or delete a service-linked role. Therefore, if your RAM user cannot be used to automatically create the service-linked role, you must attach the following policy to your RAM user. For more information, see Grant permissions to RAM users.
{
"Version": "1",
"Statement": [
{
"Action": "elasticsearch:InitializeOperationRole",
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"XXX.aliyuncs.com"
]
}
}
}
]
}
You must replace the ID 133071096032**** specified in the Resource element with the ID of your Alibaba Cloud account. To obtain the ID of your Alibaba Cloud account, log on to the Alibaba Cloud Management Console and move the pointer over the profile picture in the upper-right corner. The ID of your Alibaba Cloud account is then displayed.
You must replace XXX.aliyuncs.com specified for ram:ServiceName with the service name of the service-linked role that you want to create:
Service name of the service-linked role AliyunServiceRoleForElasticsearch: elasticsearch.aliyuncs.com
Service name of the service-linked role AliyunServiceRoleForElasticsearchCollector: collector.elasticsearch.aliyuncs.com
Service name of the service-linked role AliyunServiceRoleForElasticsearchOSS: oss.elasticsearch.aliyuncs.com
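The following Python is an added example, not part of this documentation or of any Alibaba Cloud SDK. It renders the FAQ policy above for a real account ID and one or more of the three service-linked roles (using the service names listed on this page) and refuses the masked placeholder ID, and it includes a small review helper that flags Allow statements granting actions on Resource "*" with no Condition, which is how the broad statements in the service-linked role policies above can be picked out during a permissions review. The function names and the sample account ID are assumptions.

```python
import re

# Service names of the three Elasticsearch service-linked roles, as listed on this page.
SERVICE_NAMES = {
    "AliyunServiceRoleForElasticsearch": "elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchCollector": "collector.elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchOSS": "oss.elasticsearch.aliyuncs.com",
}

SAMPLE_ACCOUNT_ID = "1234567890123456"  # constructed sample value, not a real account ID


def build_ram_user_policy(account_id, role_names):
    """Render the FAQ policy for a RAM user, scoped to one account and the named roles.

    Hypothetical helper: the masked documentation value (133071096032****) is
    rejected so that the placeholder is never attached to a RAM user verbatim.
    """
    if not re.fullmatch(r"[0-9]+", account_id):
        raise ValueError("account ID must be digits only; replace the masked example value")
    services = []
    for name in role_names:
        if name not in SERVICE_NAMES:
            raise KeyError("unknown Elasticsearch service-linked role: " + name)
        services.append(SERVICE_NAMES[name])
    role_arn = "acs:ram:*:%s:role/*" % account_id  # same Resource pattern as the FAQ policy
    return {
        "Version": "1",
        "Statement": [
            {"Action": "elasticsearch:InitializeOperationRole",
             "Resource": role_arn, "Effect": "Allow"},
            {"Action": "ram:CreateServiceLinkedRole", "Resource": role_arn,
             "Effect": "Allow",
             "Condition": {"StringEquals": {"ram:ServiceName": services}}},
        ],
    }


def unscoped_allow_statements(policy):
    """Return the Allow statements that cover Resource "*" and carry no Condition.

    Review aid for the policies above: these are the statements whose reach is
    bounded only by their action list, so they deserve the closest look.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # Resource may be a string or a list
            resources = [resources]
        if "*" in resources:
            found.append(stmt)
    return found
```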