OpenSearch: Create a RAM user and grant permissions to the RAM user

Last Updated: Aug 23, 2024

To call API operations or use SDKs of OpenSearch LLM-Based Conversational Search Edition as a Resource Access Management (RAM) user with AccessKey pair authentication, or to log on to the OpenSearch LLM-Based Conversational Search Edition console as a RAM user, you must first grant the RAM user the required permissions. If multiple users in your enterprise need to use OpenSearch LLM-Based Conversational Search Edition, create a separate RAM user for each of them and grant each RAM user only the permissions it needs. This prevents users from sharing the username and password or AccessKey pair of the Alibaba Cloud account, which improves management efficiency and reduces the risk of information leakage. This topic describes how to create a RAM user and grant it the permissions to perform operations on OpenSearch LLM-Based Conversational Search Edition, such as viewing instances and instance details.

Prerequisites

At least one RAM user is created within your Alibaba Cloud account. For more information, see Create a RAM user.

Procedure

  1. Log on to the RAM console by using the administrator account.

    RAM supports the following two types of policies:

    • System policy: System policies are created and updated by Alibaba Cloud. You can use system policies but cannot modify them.

    • Custom policy: You can create, modify, delete, and update custom policies to meet your business requirements.

  2. (Optional) Create a custom policy.

    If the system policies provided by Alibaba Cloud cannot meet your requirements, you can create custom policies to implement the principle of least privilege based on the authorization rules of applications. For more information, see Create custom policies.

    Examples of a common minimum permission set

    If you want to log on to the OpenSearch console as a RAM user, you must grant the RAM user the required permissions. A common minimum permission set contains the permissions that are required to view applications and application details. The following section provides examples of how to configure common minimum permission sets in custom policies.

    Example 1: Permissions to view instances

    If you want to view instances after you log on to the OpenSearch console as a RAM user, the RAM user must have the permissions to view instances. The following sample code shows the policy that grants the permissions required to view instances:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "opensearch:ListAppGroup",
          "Resource": "acs:opensearch:*:*:app-groups/*"
        }
      ]
    }

    Example 2: Permissions to view instance details

    If you want to view the details of an instance after you log on to the OpenSearch console as a RAM user, the RAM user must have the permissions to view instance details. The following sample code shows the policy that grants the permissions required to view details of the instance named app_schema_demo:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "opensearch:ListAppGroup",
          "Resource": "acs:opensearch:*:*:app-groups/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "opensearch:DescribeAppGroup",
            "opensearch:ListApp"
          ],
          "Resource": "acs:opensearch:*:*:app-groups/app_schema_demo"
        }
      ]
    }

  3. Grant permissions to the RAM user.

    Attach system policies or custom policies that you created to the RAM user to grant the RAM user the permissions to access or perform operations on resources. For more information, see Grant permissions to a RAM user. After you configure or update permissions for a RAM user, the permissions take effect after 5 minutes.

  4. After the permissions are granted to the RAM user, you can log on to the OpenSearch console as the RAM user.

    For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
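The two custom policies in step 2 differ only in which app groups DescribeAppGroup and ListApp may be called on. The following Python script, added here and not part of Alibaba Cloud's documentation or SDKs, is a simplified offline evaluator that applies the RAM decision rule (an explicit Deny overrides any Allow; no match means implicit deny) to a constructed copy of Example 2, and flags Allow statements whose Action or Resource is a service-wide wildcard. Condition blocks are not evaluated; wildcard matching via fnmatch is an assumption of this example.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the page's Example 2 policy (view instance details).
VIEW_DETAILS_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": "opensearch:ListAppGroup",
     "Resource": "acs:opensearch:*:*:app-groups/*"},
    {"Effect": "Allow",
     "Action": ["opensearch:DescribeAppGroup", "opensearch:ListApp"],
     "Resource": "acs:opensearch:*:*:app-groups/app_schema_demo"}
  ]
}
""")

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, candidate):
    # RAM wildcards: '*' = any run of characters, '?' = one character (assumed: fnmatch semantics).
    return any(fnmatchcase(candidate, p) for p in patterns)

def evaluate(policy, action, resource):
    """Decision for one request: 'Allow', explicit 'Deny' or 'ImplicitDeny' (Conditions ignored)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(_as_list(stmt["Action"]), action)
                and _matches(_as_list(stmt["Resource"]), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision

def broad_allow_statements(policy):
    """Indexes of Allow statements granting a whole service or all resources (least-privilege review targets)."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"])) \
                or "*" in _as_list(stmt["Resource"]):
            flagged.append(i)
    return flagged
```

Running evaluate against Example 2 shows that ListAppGroup is allowed on any app group, while DescribeAppGroup on an app group other than app_schema_demo falls through to the implicit deny.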

References

  • You can view the permissions that are granted to a RAM user and the permissions that the RAM user inherits from RAM user groups. For more information, see View the permissions of a RAM user.

  • If a RAM user no longer requires specific permissions or the RAM user leaves your organization, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user.

  • You can view the multi-factor authentication (MFA) methods that are supported by RAM users, as well as the usage notes and limits of MFA. For more information, see What is multi-factor authentication?