This topic describes the general and custom permission policies that are supported by Elasticsearch. This topic also provides examples to show you how to grant permissions.

General permission policies

Elasticsearch provides the following two types of general permission policies:
  • AliyunElasticsearchReadOnlyAccess: the read-only permission to access Elasticsearch. This permission can be granted to read-only users.
  • AliyunElasticsearchFullAccess: the permission to manage Elasticsearch. This permission can be granted to administrators.
Note If the preceding two policies do not meet your requirements, you can create your own policy. For more information about how to create a custom policy, see Create a custom policy.
  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Grants under Permissions.
  3. Click Grant Permission.
  4. Under Principal, enter a principal name and click the target principal.
    Note You can enter a name of the RAM user, user group, or role for a fuzzy search.
  5. In the Policy Name column, select the target policy.
    Note You can click X in the section on the right side of the page to delete the selected policy.
  6. Click OK.
  7. Click Finished.

Create a custom policy

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Policies under Permissions.
  3. On the page that appears, click Create Policy.
  4. On the Create Custom Policy page, specify the Policy Name and Note parameters.
  5. Under Configuration Mode, select Script.
  6. Under Policy Document, select an existing system policy and edit the script.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "",
                "Resource": ""
            }
        ],
        "Version": "1"
    }
    Note You can enter keywords into the search box for a fuzzy search.
    Enter a permission script as required.
    • The permission to query VPCs
      ["vpc:DescribeVSwitch*", "vpc:DescribeVpc*"]
      Note You can use the AliyunVPCReadOnlyAccess permission as a reference.
    • The permission to purchase instances
      ["bss:PayOrder"]
      Note You can use the AliyunBSSOrderAccess permission as a reference.
    • The permission to perform API operations
      Method   URI                                     Resource                 Action
      GET      /instances                              instances/*              ListInstance
      POST     /instances                              instances/*              CreateInstance
      GET      /instances/$instanceId                  instances/$instanceId    DescribeInstance
      DELETE   /instances/$instanceId                  instances/$instanceId    DeleteInstance
      POST     /instances/$instanceId/actions/restart  instances/$instanceId    RestartInstance
      PUT      /instances/$instanceId                  instances/$instanceId    UpdateInstance
  7. Click OK.

Example 1

In this example, a RAM user account whose accountId is 1234 is granted the permissions to perform all operations except the CreateInstance operation on all instances located in China (Hangzhou). Only specified IP addresses are allowed to access the Elasticsearch console.

The following script shows the content of the custom policy.

{
  "Statement": [
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:DescribeInstance",
        "elasticsearch:DeleteInstance",
        "elasticsearch:RestartInstance",
        "elasticsearch:UpdateInstance"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "xxx.xx.xxx.x/xx"
        }
      },
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:cn-hangzhou:1234:instances/*"
    }
  ],
  "Version": "1"
}

Grant the permissions specified in this policy to your RAM user account. For more information, see Grant permissions to a RAM role.

Notice After you create a policy in the RAM console with the Alibaba Cloud account, you must use the RAM console or the RAM SDK to grant the required permissions to the RAM user account.

Example 2

In this example, a RAM user account whose accountId is 1234 is granted the permissions to perform all operations except the CreateInstance operation on specified instances located in China (Hangzhou). Only specified IP addresses are allowed to access the Elasticsearch console.

The following script shows the content of the custom policy.

{
  "Statement": [
    {
      "Action": [
        "elasticsearch:ListInstance"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "xxx.xx.xxx.x/xx"
        }
      },
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:cn-hangzhou:1234:instances/*"
    },
    {
      "Action": [
        "elasticsearch:DescribeInstance",
        "elasticsearch:DeleteInstance",
        "elasticsearch:RestartInstance",
        "elasticsearch:UpdateInstance"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "xxx.xx.xxx.x/xx"
        }
      },
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:cn-hangzhou:1234:instances/$instanceId"
    }
  ],
  "Version": "1"
}

Grant the permissions specified in this policy to your RAM user account. For more information, see Grant permissions to a RAM role.

Notice After you create a policy in the RAM console with the Alibaba Cloud account, you must use the RAM console or the RAM SDK to grant the required permissions to the RAM user account.

Example 3

In this example, a RAM user account whose accountId is 1234 is granted the permissions to perform all operations on Elasticsearch instances located in all regions.

The following script shows the content of the custom policy.

{
  "Statement": [
    {
      "Action": [
        "elasticsearch:*"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:1234:instances/*"
    }
  ],
  "Version": "1"
}

Grant the permissions specified in this policy to your RAM user account. For more information, see Grant permissions to a RAM role.

Notice After you create a policy in the RAM console with the Alibaba Cloud account, you must use the RAM console or the RAM SDK to grant the required permissions to the RAM user account.

Example 4

In this example, a RAM user account whose accountId is 1234 is granted the permissions to perform all operations except the CreateInstance and ListInstance operations on Elasticsearch instances located in all regions.

The following script shows the content of the custom policy.

{
  "Statement": [
    {
      "Action": [
        "elasticsearch:DescribeInstance",
        "elasticsearch:DeleteInstance",
        "elasticsearch:UpdateInstance",
        "elasticsearch:RestartInstance"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:1234:instances/$instanceId"
    }
  ],
  "Version": "1"
}

Grant the permissions specified in this policy to your RAM user account. For more information, see Grant permissions to a RAM role.

Notice After you create a policy in the RAM console with the Alibaba Cloud account, you must use the RAM console or the RAM SDK to grant the required permissions to the RAM user account.
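To check what a custom policy actually grants before you attach it, the following added example (not part of the Alibaba Cloud documentation or SDK) simulates RAM's evaluation of the Example 1 policy above: wildcard matching on Action and Resource, the acs:SourceIp IpAddress condition, and explicit Deny taking precedence over Allow. The CIDR 10.0.0.0/8 and the instance IDs used are assumed values standing in for the page's placeholders.

```python
import fnmatch
import ipaddress

# Constructed policy: the page's Example 1, with the placeholder CIDR replaced by
# an assumed RFC 1918 range so the condition can be evaluated offline.
EXAMPLE1_POLICY = {
    "Statement": [
        {
            "Action": [
                "elasticsearch:ListInstance",
                "elasticsearch:DescribeInstance",
                "elasticsearch:DeleteInstance",
                "elasticsearch:RestartInstance",
                "elasticsearch:UpdateInstance",
            ],
            "Condition": {"IpAddress": {"acs:SourceIp": "10.0.0.0/8"}},
            "Effect": "Allow",
            "Resource": "acs:elasticsearch:cn-hangzhou:1234:instances/*",
        }
    ],
    "Version": "1",
}

def _as_list(value):
    # RAM accepts a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]

def _ip_condition_holds(condition, source_ip):
    # IpAddress condition: the caller's IP must be inside a listed CIDR; no condition means any IP.
    cidrs = _as_list(condition.get("IpAddress", {}).get("acs:SourceIp", []))
    if not cidrs:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def is_allowed(policy, action, resource, source_ip):
    # Simplified RAM evaluation: default deny; an explicit Deny wins over any Allow;
    # otherwise allow if a statement matches action, resource ('*' is a wildcard) and condition.
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _ip_condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The same function evaluates the Example 3 and Example 4 policies unchanged, which makes the difference between `elasticsearch:*` on `instances/*` and an explicit action list on a single `$instanceId` visible as concrete allow/deny decisions.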

FAQ

Q: Why am I unable to find a VPC on the Elasticsearch purchase page by using a RAM user account?

A: If you cannot find a VPC on the Elasticsearch purchase page by using a RAM user account, check whether the RAM user account has been granted the permission to access VPC. For more information, see View the basic information of a RAM user. If the RAM user account has not been granted the permission to access VPC, grant the required permission to the RAM user account. For more information, see Create a custom policy.