OpenSearch: Service-linked role for OpenSearch

Last Updated: Apr 19, 2023

AliyunServiceRoleForOpenSearch is the service-linked role for OpenSearch. This topic describes the scenarios of the AliyunServiceRoleForOpenSearch role and shows you how to delete this service-linked role.

Background information

To use an OpenSearch feature, you may need to access other cloud services. To this end, Alibaba Cloud provides the AliyunServiceRoleForOpenSearch role that allows OpenSearch to access other cloud services. For more information, see Service-linked roles.

Scenarios

To configure data sources in OpenSearch, you must be granted permissions to access the resources of ApsaraDB RDS, PolarDB, or PolarDB-X data sources. In this case, the AliyunServiceRoleForOpenSearch role can be used to obtain permissions to access the data sources.

Description

Role name: AliyunServiceRoleForOpenSearch

Role policy: AliyunServiceRolePolicyForOpenSearch

Sample policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeDBInstances",
                "rds:DescribeDatabases",
                "rds:DescribeDBInstanceIPArrayList",
                "rds:DescribeAccounts",
                "rds:DescribeAbnormalDBInstances",
                "rds:ModifySecurityIps",
                "rds:DescribeResourceUsage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterAttribute",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:ModifyDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterParameters"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrdsInstance",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeDrdsDBIpWhiteList",
                "drds:DescribeRdsList",
                "drds:DescribeDrdsDB"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dts:ConfigureSubscriptionInstance",
                "dts:CreateConsumerGroup",
                "dts:StartSubscriptionInstance",
                "dts:DescribeSubscriptionInstanceStatus",
                "dts:DescribeConsumerGroup",
                "dts:DeleteConsumerGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "opensearch.aliyuncs.com"
                }
            }
        }
    ]
}
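
When reviewing what this role can change, it helps to separate the read-only actions from the mutating ones and check how each is scoped. The following is an added example, not part of the original topic or of Alibaba Cloud's tooling: it walks the sample policy above (condensed, same content) and lists the non-read actions that are allowed on every resource without a condition. The read-only prefix list and the function names are assumptions made for the example.

```python
# The sample policy from this page, condensed (same actions, resources, conditions).
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "rds:DescribeDBInstanceAttribute", "rds:DescribeDBInstances",
        "rds:DescribeDatabases", "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeAccounts", "rds:DescribeAbnormalDBInstances",
        "rds:ModifySecurityIps", "rds:DescribeResourceUsage"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "polardb:DescribeDBClusterAttribute", "polardb:DescribeDBClusterEndpoints",
        "polardb:ModifyDBClusterAccessWhitelist",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:DescribeDBClusterParameters"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "drds:DescribeDrdsInstance", "drds:ModifyDrdsIpWhiteList",
        "drds:DescribeDrdsDBIpWhiteList", "drds:DescribeRdsList", "drds:DescribeDrdsDB"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "dts:ConfigureSubscriptionInstance", "dts:CreateConsumerGroup",
        "dts:StartSubscriptionInstance", "dts:DescribeSubscriptionInstanceStatus",
        "dts:DescribeConsumerGroup", "dts:DeleteConsumerGroup"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
     "Condition": {"StringEquals": {"ram:ServiceName": "opensearch.aliyuncs.com"}}},
]}

# Assumption for this example: operations with these prefixes only read state.
READ_PREFIXES = ("Describe", "Get", "List", "Query")


def as_list(value):  # Action and Resource may each be a string or a list
    return [value] if isinstance(value, str) else list(value)


def mutating_grants(policy):
    """Return (action, resources, has_condition) for every allowed non-read action."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            # A bare "*" or "service:*" does not match a read prefix, so it is reported.
            if not action.split(":", 1)[-1].startswith(READ_PREFIXES):
                findings.append((action, as_list(stmt["Resource"]), "Condition" in stmt))
    return findings


def unscoped(findings):
    """Mutating actions granted on every resource with no condition attached."""
    return sorted(a for a, res, cond in findings if "*" in res and not cond)


if __name__ == "__main__":
    print("\n".join(unscoped(mutating_grants(POLICY))))
```

The three IP whitelist actions (rds, polardb, drds) and the four dts actions are reported; ram:DeleteServiceLinkedRole is not, because its statement carries the ram:ServiceName condition.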

Delete the service-linked role

To delete the AliyunServiceRoleForOpenSearch role, you must first release the application that is associated with this service-linked role. For more information about how to delete a service-linked role, see the Delete a service-linked role section of the "Service-linked roles" topic.