This topic describes how to create a custom RAM policy that controls access to Alibaba Cloud Elasticsearch. Custom policies enable finer-grained access control than system policies, for example restricting a RAM user to specific clusters, regions, or source IP addresses.

Prerequisites

You have understood the policy structure and syntax. For more information, see Policy structure and syntax.

Background information

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Policies under Permissions.
  3. On the page that appears, click Create Policy.
  4. On the Create Custom Policy page, specify the Policy Name and Note parameters.
  5. Under Configuration Mode, select Script.
  6. In the Policy Document section, optionally import an existing system policy as a starting point, then edit the script.
    Note You can enter keywords into the search box to perform a fuzzy search for system policies.

    Enter a permission script as required.

    • Permission to access the Virtual Private Cloud (VPC) to which the Elasticsearch cluster belongs
      ["vpc:DescribeVSwitch*", "vpc:DescribeVpc*"]
      Note For more information, see the template for the AliyunVPCReadOnlyAccess policy.
    • Permission to purchase clusters
      ["bss:PayOrder"] 
      Note For more information, see the template for the AliyunBSSOrderAccess policy.
    • Permission to call API operations. Each operation maps to the action elasticsearch:<Operation> and to the resource shown in the Resource column:
      Method   URI                                      Resource                 Operation
      GET      /instances                               instances/*              ListInstance
      POST     /instances                               instances/*              CreateInstance
      GET      /instances/$instanceId                   instances/$instanceId    DescribeInstance
      DELETE   /instances/$instanceId                   instances/$instanceId    DeleteInstance
      POST     /instances/$instanceId/actions/restart   instances/$instanceId    RestartInstance
      PUT      /instances/$instanceId                   instances/$instanceId    UpdateInstance
      Examples:
      Notice If tags are bound to your Elasticsearch cluster, you must grant operation permissions on the tags to RAM users. For more information, see Grant permissions on tags to a RAM user.
      • In the following example, a RAM user of the Alibaba Cloud account whose account ID is 1234 is granted the operation permissions (except the cluster creation permission) on all Elasticsearch clusters in the China (Hangzhou) region. In addition, the policy allows access only from specified IP addresses: replace xxx.xx.xxx.x/xx with the CIDR block from which requests may originate. Requests from any other source IP address are denied even though the actions are listed. Note that this policy grants DeleteInstance and UpdateInstance on every cluster in the region (instances/*); if the user only needs to manage particular clusters, use the next example instead.
        {
          "Statement": [
            {
              "Action": [
                "elasticsearch:ListInstance",
                "elasticsearch:DescribeInstance",
                "elasticsearch:DeleteInstance",
                "elasticsearch:RestartInstance",
                "elasticsearch:UpdateInstance"
              ],
              "Condition": {
                "IpAddress": {
                  "acs:SourceIp": "xxx.xx.xxx.x/xx"
                }
              },
              "Effect": "Allow",
              "Resource": "acs:elasticsearch:cn-hangzhou:1234:instances/*"
            }
          ],
          "Version": "1"
        }
      • In the following example, a RAM user of the Alibaba Cloud account whose account ID is 1234 is granted the operation permissions (except the cluster creation permission) on specified Elasticsearch clusters in the China (Hangzhou) region. In addition, the policy allows access only from specified IP addresses. Replace $instanceId with the ID of the cluster you want to authorize (add one Resource entry per cluster) and xxx.xx.xxx.x/xx with the allowed CIDR block. ListInstance is granted on instances/* in a separate statement because, as the table above shows, listing is not scoped to a single cluster.
        {
          "Statement": [
            {
              "Action": [
                "elasticsearch:ListInstance"
              ],
              "Condition": {
                "IpAddress": {
                  "acs:SourceIp": "xxx.xx.xxx.x/xx"
                }
              },
              "Effect": "Allow",
              "Resource": "acs:elasticsearch:cn-hangzhou:1234:instances/*"
            },
            {
              "Action": [
                "elasticsearch:DescribeInstance",
                "elasticsearch:DeleteInstance",
                "elasticsearch:RestartInstance",
                "elasticsearch:UpdateInstance"
              ],
              "Condition": {
                "IpAddress": {
                  "acs:SourceIp": "xxx.xx.xxx.x/xx"
                }
              },
              "Effect": "Allow",
              "Resource": "acs:elasticsearch:cn-hangzhou:1234:instances/$instanceId"
            }
          ],
          "Version": "1"
        }
      • In the following example, a RAM user of the Alibaba Cloud account whose account ID is 1234 is granted all the operation permissions on Elasticsearch clusters in all regions. elasticsearch:* covers every current and future Elasticsearch action, including CreateInstance and DeleteInstance, so attach a policy like this only to users who administer all clusters of the account.
        {
          "Statement": [
            {
              "Action": [
                "elasticsearch:*"
              ],
              "Effect": "Allow",
              "Resource": "acs:elasticsearch:*:1234:instances/*"
            }
          ],
          "Version": "1"
        }
      • In the following example, a RAM user of the Alibaba Cloud account whose account ID is 1234 is granted the operation permissions (except the cluster creation and list permissions, CreateInstance and ListInstance) on a specified Elasticsearch cluster in all regions. Replace $instanceId with the actual cluster ID. Because ListInstance is not granted, the user cannot enumerate clusters and must address the cluster by its ID.
        {
          "Statement": [
            {
              "Action": [
                "elasticsearch:DescribeInstance",
                "elasticsearch:DeleteInstance",
                "elasticsearch:UpdateInstance",
                "elasticsearch:RestartInstance"
              ],
              "Effect": "Allow",
              "Resource": "acs:elasticsearch:*:1234:instances/$instanceId"
            }
          ],
          "Version": "1"
        }
  7. Click OK.
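The following script is an added example, not code from the original page or from Alibaba Cloud. It generates a policy document in the shape of the second example above (ListInstance on instances/*, the per-cluster actions only on explicitly listed cluster IDs, and an acs:SourceIp condition on every statement) and then checks it with a deliberately simplified model of RAM evaluation (default deny, an explicit Deny wins, '*' wildcards in Action and Resource, and only the IpAddress operator on acs:SourceIp). The account ID, region, cluster IDs and CIDR blocks are constructed sample values; the evaluator is for checking a document before you paste it into the console and is not a substitute for the RAM service.

```python
"""Build and sanity-check a RAM custom policy for Alibaba Cloud Elasticsearch.

Added example; not the page's or Alibaba Cloud's code. All identifiers below
(account ID 1234, cluster IDs es-cn-example01/es-cn-other02, CIDRs) are made up.
"""
import fnmatch
import ipaddress
import json
import re

# Actions that operate on one cluster (resource instances/<id>), per the page's table.
PER_CLUSTER_ACTIONS = [
    "elasticsearch:DescribeInstance",
    "elasticsearch:DeleteInstance",
    "elasticsearch:RestartInstance",
    "elasticsearch:UpdateInstance",
]


def es_resource(region, account_id, instance_id="*"):
    """Resource string used by Elasticsearch RAM policies."""
    return f"acs:elasticsearch:{region}:{account_id}:instances/{instance_id}"


def build_policy(account_id, region, instance_ids, source_cidrs,
                 actions=PER_CLUSTER_ACTIONS):
    """List everything; act only on the named clusters; only from the named CIDRs."""
    if not re.fullmatch(r"\d+", str(account_id)):
        raise ValueError(f"account ID must be numeric: {account_id!r}")
    if not instance_ids:
        raise ValueError("at least one cluster ID is required; pass ['*'] only on purpose")
    for cidr in source_cidrs:
        ipaddress.ip_network(cidr, strict=True)  # rejects placeholders like xxx.xx.xxx.x/xx
    condition = {"IpAddress": {"acs:SourceIp": list(source_cidrs)}}
    return {
        "Statement": [
            {
                "Action": ["elasticsearch:ListInstance"],
                "Condition": condition,
                "Effect": "Allow",
                "Resource": es_resource(region, account_id, "*"),
            },
            {
                "Action": list(actions),
                "Condition": condition,
                "Effect": "Allow",
                "Resource": [es_resource(region, account_id, i) for i in instance_ids],
            },
        ],
        "Version": "1",
    }


def policy_document(policy):
    """Serialize for the Policy Document field in the RAM console."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, source_ip):
    """Simplified model: only the IpAddress operator on acs:SourceIp is handled."""
    if not condition:
        return True
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"condition operator not modelled: {operator}")
        for key, cidrs in keys.items():
            if key != "acs:SourceIp":
                raise NotImplementedError(f"condition key not modelled: {key}")
            if not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs)):
                return False
    return True


def is_allowed(policy, action, resource, source_ip):
    """Default deny; a matching Deny always wins; otherwise a matching Allow permits."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_policy("1234", "cn-hangzhou", ["es-cn-example01"], ["203.0.113.0/24"])
    print(policy_document(policy))
    target = es_resource("cn-hangzhou", "1234", "es-cn-example01")
    other = es_resource("cn-hangzhou", "1234", "es-cn-other02")
    print(is_allowed(policy, "elasticsearch:DeleteInstance", target, "203.0.113.7"))   # True
    print(is_allowed(policy, "elasticsearch:DeleteInstance", other, "203.0.113.7"))    # False
    print(is_allowed(policy, "elasticsearch:DeleteInstance", target, "198.51.100.7"))  # False
```

Paste the output of policy_document() into the Policy Document field in step 6. The three checks at the end show the properties you want before attaching the policy: the named cluster can be deleted from the allowed network, a cluster that is not listed cannot be touched even though ListInstance still shows it, and the same call from outside the CIDR block is denied.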

What to do next

You can attach the created custom policy to a RAM user for authorization. For more information, see Grant permissions to a RAM user.