This topic describes how to use a resource group to grant permissions on a specific cluster to a Resource Access Management (RAM) user in the RAM console.

Background information

By default, Alibaba Cloud Elasticsearch clusters are created in the default resource group. If you attach a custom policy that is scoped to a specific cluster to a RAM user and then log on to the Elasticsearch console as that RAM user, the console still lists all the clusters of your Alibaba Cloud account, not only the cluster named in the policy: the list action in the policy is granted on all instances, whereas the management actions are granted on one instance only. If you want the console to display only the specific cluster, grant the RAM user permissions on the cluster through a resource group as described in this topic.

Step 1: Attach a custom policy whose effective scope is the entire Alibaba Cloud account to a RAM user of the account

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a custom policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. Enter a name in the Policy Name field.
    4. Set Configuration Mode to Script.
    5. Set Policy Document. The following code provides an example. Replace the Alibaba Cloud account ID, which appears masked as 133071096032**** and as the <UID> placeholder, and the Elasticsearch cluster ID, which appears masked as es-cn-tl325goel000j****, with the ID of your Alibaba Cloud account and the ID of the desired Elasticsearch cluster. Leave the asterisks that stand alone in the region and account positions as they are; they are wildcards, not masked values.
      {
          "Statement": [
              {
                  "Action": [
                      "elasticsearch:*"
                  ], 
                  "Effect": "Allow", 
                  "Resource": "acs:elasticsearch:*:133071096032****:instances/es-cn-tl325goel000j****"
              }, 
              {
                  "Action": [
                      "elasticsearch:ListCollectors"
                  ], 
                  "Effect": "Allow", 
                  "Resource": "acs:elasticsearch:*:133071096032****:collectors/*"
              }, 
              {
                  "Action": [
                      "elasticsearch:ListInstance", 
                      "elasticsearch:ListSnapshotReposByInstanceId"
                  ], 
                  "Effect": "Allow", 
                  "Resource": "acs:elasticsearch:*:<UID>:instances/*"
              }, 
              {
                  "Effect": "Allow", 
                  "Action": [
                      "cms:ListAlarm", 
                      "cms:DescribeActiveMetricRuleList", 
                      "cms:QueryMetricList"
                  ], 
                  "Resource": "*"
              }, 
              {
                  "Action": [
                      "elasticsearch:ListTags"
                  ], 
                  "Effect": "Allow", 
                  "Resource": "acs:elasticsearch:*:*:tags/*"
              }, 
              {
                  "Action": [
                      "elasticsearch:GetEmonProjectList"
                  ], 
                  "Effect": "Allow", 
                  "Resource": "acs:elasticsearch:*:*:emonProjects/*"
              }, 
              {
                  "Action": [
                      "elasticsearch:getEmonUserConfig"
                  ], 
                  "Effect": "Allow", 
                  "Resource": "acs:elasticsearch:*:*:emonUserConfig/*"
              }
          ], 
          "Version": "1"
      }

      The cluster management page of the Elasticsearch console also calls other services, such as Beats (the collectors actions), Advanced Monitoring and Alerting (the cms actions), and Tag, through their own APIs. These calls are not scoped to a resource group. Therefore, even if you want the RAM user to manage only the clusters in a specific resource group, you must attach a custom policy whose effective scope is the entire Alibaba Cloud account and that grants these read-only actions to the RAM user. Otherwise, the RAM user fails permission verification on the cluster management page. Keep the account-wide statements limited to list and query actions, as in the example; only the elasticsearch:* statement should be scoped to the specific cluster.

      Note After the policy for a specific Elasticsearch or Logstash cluster is created and attached to a RAM user, the RAM user can use one of the following URLs to directly access the Elasticsearch or Logstash cluster:
      • https://elasticsearch.console.aliyun.com/{regionId}/instances/{instanceId}/base
      • https://elasticsearch.console.aliyun.com/{regionId}/logstashes/{instanceId}/base
    6. Click OK.
  3. Create a RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. Click Create User.
    3. On the Create User page, set the Logon Name and Display Name parameters.
    4. Click OK. The newly created RAM user appears on the Users page.
  4. Attach the newly created custom policy whose effective scope is the entire Alibaba Cloud account to the RAM user.
    1. Find the RAM user on the Users page.
    2. Click Add Permissions in the Actions column that corresponds to the RAM user.
    3. In the Add Permissions panel, click Custom Policy in the Select Policy section and click the name of the newly created custom policy in the Authorization Policy Name column.
    4. Click OK.
    5. Click Complete.

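As an added check (example code written for this topic, not part of this page or of Alibaba Cloud's own tooling), the following Python script evaluates which actions the custom policy above allows on which resources, and lints the document for the two copy-paste mistakes that turn a single-cluster policy into something broader: a placeholder left in a Resource string, or a service-wide action wildcard such as elasticsearch:* granted on a resource wildcard. It assumes RAM's deny-by-default evaluation with no Deny statements or Condition blocks, assumes action names match case-insensitively, and uses fictitious account and cluster IDs.

```python
"""Check what a RAM policy like the one above actually grants.

Added example, not Alibaba Cloud code. It models RAM evaluation as
"deny by default; allowed if any Allow statement matches both the action
and the resource". Explicit Deny statements and Condition blocks are
out of scope (assumption). The account and cluster IDs are fictitious.
"""
import json
import re

# Constructed sample: the page's policy with its masked IDs replaced by
# obviously fake values so that the script runs offline.
ACCOUNT_ID = "123456789012345678"
CLUSTER_ID = "es-cn-example00000001"

POLICY_JSON = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["elasticsearch:*"],
         "Resource": f"acs:elasticsearch:*:{ACCOUNT_ID}:instances/{CLUSTER_ID}"},
        {"Effect": "Allow", "Action": ["elasticsearch:ListCollectors"],
         "Resource": f"acs:elasticsearch:*:{ACCOUNT_ID}:collectors/*"},
        {"Effect": "Allow",
         "Action": ["elasticsearch:ListInstance",
                    "elasticsearch:ListSnapshotReposByInstanceId"],
         "Resource": f"acs:elasticsearch:*:{ACCOUNT_ID}:instances/*"},
        {"Effect": "Allow",
         "Action": ["cms:ListAlarm", "cms:DescribeActiveMetricRuleList",
                    "cms:QueryMetricList"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["elasticsearch:ListTags"],
         "Resource": "acs:elasticsearch:*:*:tags/*"},
    ],
})


def load_policy(text):
    """Parse a policy document and reject shapes RAM would not accept."""
    policy = json.loads(text)
    if policy.get("Version") != "1":
        raise ValueError("RAM policy Version must be the string '1'")
    if not isinstance(policy.get("Statement"), list) or not policy["Statement"]:
        raise ValueError("Statement must be a non-empty list")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"bad Effect in statement {stmt}")
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    """RAM-style wildcard match: '*' spans any run, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Deny by default; True only if an Allow statement matches action AND resource.
    Actions are matched case-insensitively (assumption), resource ARNs exactly."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])) \
           and any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False


PLACEHOLDER = re.compile(r"<[A-Za-z_]+>|\*{4}")   # e.g. '<UID>' or '133071096032****'


def lint(policy):
    """Flag copy-paste mistakes: an unreplaced placeholder, or a service-wide
    action wildcard on a resource wildcard (that is full access, not one cluster)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = _as_list(stmt["Resource"])
        for r in resources:
            if PLACEHOLDER.search(r):
                findings.append(f"statement {i}: placeholder not replaced in {r!r}")
        wide = [r for r in resources if r == "*" or r.endswith(("/*", ":*"))]
        for a in _as_list(stmt["Action"]):
            if stmt["Effect"] == "Allow" and a.endswith(":*") and wide:
                findings.append(f"statement {i}: {a} on {wide} grants the whole service")
    return findings


POLICY = load_policy(POLICY_JSON)

if __name__ == "__main__":
    target = f"acs:elasticsearch:cn-hangzhou:{ACCOUNT_ID}:instances/{CLUSTER_ID}"
    other = f"acs:elasticsearch:cn-hangzhou:{ACCOUNT_ID}:instances/es-cn-other0000001"
    print(is_allowed(POLICY, "elasticsearch:DeleteInstance", target))  # True
    print(is_allowed(POLICY, "elasticsearch:DeleteInstance", other))   # False
    print(is_allowed(POLICY, "elasticsearch:ListInstance", other))     # True
    print(lint(POLICY))                                                 # []
```

Run with python3. The output shows that DeleteInstance is allowed only on the named cluster while ListInstance is allowed on every cluster in the account, which is why the console lists all clusters even though only one can be managed. Feed lint() a policy that still contains <UID> or that grants elasticsearch:* on instances/* and it reports both problems before the policy is attached to anyone.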
Step 2: Create a resource group and attach a policy to the resource group

  1. Log on to the Resource Management console.
  2. Create a resource group.
    1. In the left-side navigation pane, click Resource Group.
    2. On the Resource Group page, click Create Resource Group.
    3. In the Create Resource Group panel, set the Resource Group Name and Display Name parameters.
    4. Click OK.
  3. Move the desired cluster from the default resource group to the newly created resource group.
    1. On the Resource Group page, click Default Resource Group in the Display Name column.
    2. On the Default Resource Group page, click the Resources tab.
    3. Select the desired cluster and click Transfer Out in the lower part of the page.
    4. In the Transfer Out panel, select the newly created resource group.
    5. Click OK.
  4. Attach a policy to the newly created resource group.
    1. In the left-side navigation pane, click Resource Group.
    2. Find the newly created resource group and click Manage Permission in the Actions column.
    3. On the page that appears, click Grant Permission.
    4. In the Grant Permission panel, select the RAM user created in Step 1 as the principal and select the policy to grant on this resource group. The permissions granted here take effect only on the clusters in the resource group.
    5. Click OK.
    6. Click Complete.
  5. View the authorization information of the RAM user.
    1. Click the Permissions tab.
    2. Click the name of the RAM user in the Principal column.
    3. On the page that appears, click the Permissions tab and view the authorization information of the RAM user.

Step 3: Log on to the Elasticsearch console by using the RAM user

  1. Log on to the Elasticsearch console by using the RAM user.
  2. In the top navigation bar, select the region where the desired cluster resides.
  3. In the left-side navigation pane, click Elasticsearch Clusters.
  4. In the top navigation bar, select the newly created resource group and view the information of the cluster.