Custom policies let you manage user permissions in a fine-grained manner. You can use custom policies to control the access permissions of RAM users, RAM roles, or other Alibaba Cloud services, or to grant permissions to team or department members. When you create a custom policy, you must configure the Action and Resource elements, and the Resource value must be in the form that the action expects. This topic describes the objects that you can specify in the Action and Resource elements.

Background information

You can use your Alibaba Cloud account or RAM users within your Alibaba Cloud account to manage your Elasticsearch resources in the Elasticsearch console or by calling Elasticsearch API operations. Authorization is required in the following scenarios:
  • A new RAM user within your Alibaba Cloud account has no permissions on the resources of the Alibaba Cloud account until it is granted them.
  • You want to access Elasticsearch resources from other Alibaba Cloud services, or Elasticsearch needs to access the resources of other Alibaba Cloud services.
  • You want to perform operations on Elasticsearch resources that require resource and API operation permissions to be granted by the resource owners.

Custom policies

You can create a custom policy in the RAM console or by calling the RAM API operation CreatePolicy.

If you use the Script configuration mode to create a custom policy in the RAM console, you must write the policy document based on the JSON template that is provided in the console. In the template, replace elasticsearch:[Elasticsearch RAM Action] with an action and [Elasticsearch RAM Action Resource] with the Resource value that the tables in the Objects supported for authorization section list for that action. The second entry in each list shows a filled-in pair for a cluster in the China (Hangzhou) region. Both Action and Resource are lists, so a statement grants every listed action on every listed resource; keep actions that need different Resource forms in separate statements. For more information, see Create a custom policy and Policy elements.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticsearch:[Elasticsearch RAM Action]",
        "elasticsearch:ListInstance"
      ],
      "Resource": [
        "[Elasticsearch RAM Action Resource]",
        "acs:elasticsearch:cn-hangzhou:133071096032****:instances/es-cn-2r42b7uyg003k****"
      ]
    }
  ],
  "Version": "1"
}
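The following Python script is an added example and is not code from the Alibaba Cloud documentation or from the Elasticsearch service. It fills the template above from a small table of action/resource pairs copied from the tables in the next section, pins every Resource to one region, account and cluster instead of wildcards, and appends an explicit Deny for the actions that change a cluster's public exposure, IP whitelists, HTTPS setting or elastic password (RAM evaluates an explicit Deny ahead of any Allow, so the Deny also blocks those actions if a broader policy is attached to the same user). The region, account ID and cluster ID in the usage block are constructed, and the RESOURCE_PATTERNS subset and the EXPOSURE_ACTIONS list are this example's own selection from the tables on this page, not lists the service publishes.

```python
"""Compose a RAM custom policy for Elasticsearch from Action/Resource pairs
listed on this page, pinned to one region, account and cluster, with an
explicit Deny for actions that change network exposure or credentials."""
import json

# Resource pattern per action, copied from the tables on this page.
# Subset for illustration (assumption: extend it for the actions you need).
RESOURCE_PATTERNS = {
    "elasticsearch:CreateInstance":   "acs:elasticsearch:{region}:{account}:instances/*",
    "elasticsearch:ListInstance":     "acs:elasticsearch:{region}:{account}:instances/*",
    "elasticsearch:DescribeInstance": "acs:elasticsearch:{region}:{account}:instances/{instance}",
    "elasticsearch:DescribeElasticsearchHealth":
        "acs:elasticsearch:{region}:{account}:instances/{instance}",
    "elasticsearch:ListSearchLogs":   "acs:elasticsearch:{region}:{account}:instances/{instance}",
    "elasticsearch:RestartInstance":  "acs:elasticsearch:{region}:{account}:instances/{instance}",
    "elasticsearch:ListTags":         "acs:elasticsearch:{region}:{account}:tags/{instance}",
    "elasticsearch:DescribeLogstash": "acs:elasticsearch:{region}:{account}:logstashes/{instance}",
    "cms:QueryMetricList":            "acs:elasticsearch:{region}:{account}:*",
}

# Actions from the "Configure security settings" and Kibana tables that open
# a cluster to the public network, change its whitelists, disable HTTPS or
# reset the elastic password. This selection is the example's own choice.
EXPOSURE_ACTIONS = [
    "elasticsearch:TriggerNetwork",
    "elasticsearch:UpdatePublicNetwork",
    "elasticsearch:UpdatePublicWhiteIps",
    "elasticsearch:UpdatePrivateNetworkWhiteIps",
    "elasticsearch:UpdateWhiteIps",
    "elasticsearch:ModifyWhiteIps",
    "elasticsearch:UpdateKibanaWhiteIps",
    "elasticsearch:UpdateAdminPassword",
    "elasticsearch:CloseHttps",
]


def build_policy(actions, region, account, instance, deny_exposure=True):
    """Return a policy dict with one Allow statement per distinct Resource.

    Raises ValueError for an action whose Resource form is not in
    RESOURCE_PATTERNS, so a typo cannot silently become a grant on the
    wrong resource type.
    """
    by_resource = {}
    for action in actions:
        if action not in RESOURCE_PATTERNS:
            raise ValueError(f"no Resource pattern known for {action}")
        resource = RESOURCE_PATTERNS[action].format(
            region=region, account=account, instance=instance)
        by_resource.setdefault(resource, []).append(action)

    # Actions that share a Resource string are merged into one statement.
    statements = [
        {"Effect": "Allow", "Action": sorted(acts), "Resource": [res]}
        for res, acts in by_resource.items()
    ]
    if deny_exposure:
        # Explicit Deny wins over any Allow, whichever policy grants it.
        statements.append(
            {"Effect": "Deny", "Action": list(EXPOSURE_ACTIONS), "Resource": ["*"]})
    return {"Statement": statements, "Version": "1"}


def policy_document(policy):
    """Serialize the policy for pasting into the Script configuration editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed IDs for illustration; substitute your own.
    policy = build_policy(
        ["elasticsearch:ListInstance", "elasticsearch:DescribeInstance",
         "elasticsearch:DescribeElasticsearchHealth", "elasticsearch:ListSearchLogs"],
        region="cn-hangzhou", account="1234567890123456", instance="es-cn-example0001")
    print(policy_document(policy))
```

The generated document is what a read-only operator for a single cluster needs: listing clusters is scoped to instances/* because that is the Resource form the ListInstance row specifies, everything else is pinned to the one cluster ID, and the trailing Deny keeps the same user from being handed exposure-changing actions by any other policy.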

Objects supported for authorization

The following tables list the actions and the Resource value that each action requires. A row that shows no Resource value uses the Resource value of the nearest row above it; a row that lists several Resource values accepts any of them.

Elasticsearch

  • Manage clusters
    Action Resource Action description
    elasticsearch:CreateInstance acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* Creates a cluster.
    elasticsearch:ListInstance Queries the details of all clusters.
    elasticsearch:DescribeInstance acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Queries the details of a cluster.
    elasticsearch:EstimatedRestartTime Queries the estimated time that is required to restart a cluster.
    elasticsearch:RestartInstance Restarts a cluster.
    elasticsearch:UpdateInstanceChargeType Switches the billing method of a cluster from pay-as-you-go to subscription.
    elasticsearch:UpdateDescription Changes the name of a cluster.
    elasticsearch:DeleteInstance Releases a pay-as-you-go cluster.
    elasticsearch:CancelDeletion Restores a released cluster that is still in the frozen state.
    elasticsearch:RenewInstance Renews a subscription cluster.
    elasticsearch:ActivateZones Restores disabled zones.
    elasticsearch:DeactivateZones Disables one or more zones if a cluster is deployed in multiple zones, and migrates the nodes in the disabled zones to other zones.
    elasticsearch:InterruptElasticsearchTask Pauses a task for a cluster.
    elasticsearch:ResumeElasticsearchTask Resumes a task for a cluster.
    elasticsearch:DescribeElasticsearchHealth Queries the health status of a cluster.
    elasticsearch:ListInstanceIndices Queries the indexes of a cluster.
    elasticsearch:MigrateToOtherZone Migrates nodes across zones.
    elasticsearch:MoveResourceGroup Migrates a cluster to a specified resource group.
    elasticsearch:ModifyInstanceMaintainTime Enables or modifies the maintenance window of a cluster.
    elasticsearch:ListShardRecoveries Queries the progress of ongoing and completed data restoration tasks on shards.
  • Manage tags
    Action Resource Action description
    elasticsearch:ListTags acs:elasticsearch:<yourRegionId>:<yourAccountId>:tags/<yourInstanceId> Queries all visible user tags.
    elasticsearch:CreateTags Creates or updates tags.
    elasticsearch:RemoveTags Removes tags.
    elasticsearch:ListTagResources acs:elasticsearch:<yourRegionId>:<yourAccountId>:tags/* or acs:elasticsearch:<yourRegionId>:<yourAccountId>:tags/<yourInstanceId> Queries the relationships between visible tags and resources.
  • Migrate data
    Action Resource Action description
    elasticsearch:ListDataTasks acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Queries the information of data migration tasks.
    elasticsearch:CancelTask Cancels a data migration task.
    elasticsearch:CreateDataTasks Creates a data migration task to migrate data to a specified cluster.
    elasticsearch:DeleteDataTask Deletes a data migration task.
    elasticsearch:GetClusterDataInformation acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* or acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Queries the data information of a cluster.
  • Upgrade or downgrade cluster configurations
    Action Resource Action description
    elasticsearch:UpgradeEngineVersion acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Upgrades the version or kernel version of a cluster.
    elasticsearch:UpdateInstance Modifies the configuration of a cluster.
    elasticsearch:DowngradeInstance Scales in a cluster. Before the scale-in, the same action checks whether the data on the nodes to be removed can be migrated, migrates that data, and checks whether the nodes can be removed.
  • Configure clusters
    Action Resource Action description
    elasticsearch:UpdateInstanceSettings acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Modifies the YML configuration file of a cluster.
    elasticsearch:UpdateHotIkDicts Performs a rolling update on the analysis-ik plug-in, including the IK main dictionary and stopword list of the plug-in.
    elasticsearch:UpdateSynonymsDicts Updates the synonym dictionary of a cluster.
    elasticsearch:UpdateDict Performs a standard update on the analysis-ik plug-in, including the IK main dictionary and stopword list of the plug-in.
    elasticsearch:UpdateAliwsDict Updates the dictionary file of the analysis-aliws plug-in.
    elasticsearch:ListDictInformation Queries and checks the information of the dictionary file that is stored in Object Storage Service (OSS) when the file is uploaded to a cluster.
    elasticsearch:UpdateAdvancedSetting Modifies the garbage collector configuration of a cluster.
    elasticsearch:DescribeTemplates Queries the scenario-based configuration templates of a cluster.
    elasticsearch:ListDicts Queries the details of a specified type of dictionary and the link that is generated based on the related signature to download the dictionary.
  • Manage plug-ins
    Action Resource Action description
    elasticsearch:ListPlugins acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Queries the plug-ins that are installed for a cluster.
    elasticsearch:InstallSystemPlugin Installs a built-in plug-in.
    elasticsearch:UninstallPlugin Removes a built-in plug-in.
    elasticsearch:InstallUserPlugins Installs a custom plug-in that is uploaded to the Elasticsearch console.
  • Query logs
    Action Resource Action description
    elasticsearch:ListSearchLogs acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Queries the logs of a cluster.
  • Configure security settings
    Action Resource Action description
    elasticsearch:TriggerNetwork acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Enables or disables the Public Network Access or Private Network Access feature for Elasticsearch or Kibana.
    elasticsearch:UpdatePrivateNetworkWhiteIps Modifies the private IP address whitelist of a cluster.
    elasticsearch:UpdatePublicWhiteIps Modifies the public IP address whitelist of a cluster.
    elasticsearch:UpdatePublicNetwork Enables or disables the Public Network Access feature for a cluster.
    elasticsearch:UpdateWhiteIps Modifies the private IP address whitelist of a cluster.
    elasticsearch:ModifyWhiteIps Modifies the whitelists of a cluster.
    elasticsearch:UpdateAdminPassword Changes the password that corresponds to the elastic username of a cluster.
    elasticsearch:OpenHttps Enables HTTPS.
    elasticsearch:CloseHttps Disables HTTPS.
    elasticsearch:AddConnectableCluster Connects clusters.
    elasticsearch:DeleteConnectedCluster Disconnects clusters.
    elasticsearch:DescribeConnectableClusters Queries the clusters that can be connected to a specified cluster. The clusters that are connected to the specified cluster are excluded.
    elasticsearch:ListConnectedClusters Queries the clusters that are connected to a specified cluster.
    elasticsearch:DeleteVpcEndpoint Deletes an endpoint in the service virtual private cloud (VPC).
    elasticsearch:ListVpcEndpoints Queries the status of an endpoint in the service VPC.
  • Back up data
    Action Resource Action description
    elasticsearch:CreateSnapshot acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Creates a snapshot for a cluster.
    elasticsearch:AddSnapshotRepo acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* Adds a shared OSS repository to a cluster.
    elasticsearch:DeleteSnapshotRepo Deletes a shared OSS repository.
    elasticsearch:ListSnapshotReposByInstanceId Queries the shared OSS repositories that are added to a cluster.
    elasticsearch:ListAlternativeSnapshotRepos acs:elasticsearch:<yourRegionId>:<yourAccountId>:snapshotrepository/* Queries the shared OSS repositories that can be added to a cluster.
    elasticsearch:DescribeSnapshotSetting acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Queries the data backup configurations of a cluster.
    elasticsearch:UpdateSnapshotSetting Modifies the data backup configurations of a cluster.
  • Perform intelligent O&M
    Action Resource Action description
    elasticsearch:OpenDiagnosis acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* or acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Enables intelligent health diagnostics.
    elasticsearch:CloseDiagnosis Disables intelligent health diagnostics.
    elasticsearch:UpdateDiagnosisSettings Modifies health diagnostic settings.
    elasticsearch:DiagnoseInstance Starts intelligent health diagnostics.
    elasticsearch:ListDiagnoseReport Queries the details of diagnostic reports.
    elasticsearch:ListDiagnoseReportIds Queries the IDs of diagnostic reports.
    elasticsearch:ListDiagnoseIndices Queries cluster indexes.
    elasticsearch:DescribeDiagnoseReport Queries the details of a diagnostic report.
    elasticsearch:DescribeDiagnosisSettings Queries health diagnostic settings.

Kibana

Action Resource Action description
elasticsearch:DescribeKibanaSettings acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> Queries the configuration of Kibana.
elasticsearch:UpdateKibanaSettings Modifies the configuration of Kibana.
elasticsearch:ListKibanaPlugins Queries the plug-ins that are installed for Kibana.
elasticsearch:InstallKibanaSystemPlugin Installs a plug-in for Kibana.
elasticsearch:UninstallKibanaPlugin Removes a plug-in for Kibana.
elasticsearch:UpdateKibanaWhiteIps Modifies the IP address whitelists that allow access to the Kibana console of a cluster.

Logstash

  • Manage clusters
    Action Resource Action description
    elasticsearch:CreateLogstash acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/* or acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> Creates a cluster.
    elasticsearch:ListLogstash Queries the details of a specified cluster or all clusters.
    elasticsearch:DescribeLogstash acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> Queries the details of a cluster.
    elasticsearch:UpdateLogstash Modifies some information of a cluster, such as the number of nodes, quota, name, and hard disk size.
    elasticsearch:RenewLogstash Renews a cluster.
    elasticsearch:RestartLogstash Restarts a cluster.
    elasticsearch:EstimatedLogstashRestartTime Queries the estimated time that is required to restart a cluster.
    elasticsearch:UpdateLogstashDescription Changes the name of a cluster.
    elasticsearch:UpdateLogstashChargeType Switches the billing method of a cluster from pay-as-you-go to subscription.
    elasticsearch:DeleteLogstash Releases a pay-as-you-go cluster.
    elasticsearch:CancelLogstashDeletion Restores a released cluster that is frozen.
  • Configure clusters
    Action Resource Action description
    elasticsearch:UpdateLogstashSettings acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> Modifies the configuration of a cluster.
    elasticsearch:ListExtendfiles Queries the third-party libraries that are configured for a cluster.
    elasticsearch:UpdateExtendfiles Updates the third-party libraries that are configured for a cluster.
  • Manage plug-ins
    Action Resource Action description
    elasticsearch:ListPlugin acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> Queries plug-ins.
    elasticsearch:InstallSystemPlugin Installs a built-in plug-in.
    elasticsearch:UninstallSystemPlugin Removes a built-in plug-in.
  • Monitor clusters and query logs
    Action Resource Action description
    elasticsearch:ListAvailableEsInstanceIds acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> Queries the Elasticsearch clusters that have X-Pack monitoring capabilities and can be associated with a Logstash cluster.
    elasticsearch:ValidateConnection Checks the connectivity between a Logstash cluster and the associated Elasticsearch clusters.
    elasticsearch:UpdateXpackMonitorConfig Modifies the X-Pack monitoring configuration of a cluster.
    elasticsearch:DescribeXpackMonitorConfig Queries the X-Pack monitoring configuration of a cluster.
    elasticsearch:ListLogstashLog Queries the logs of a cluster.
  • Manage tasks
    Action Resource Action description
    elasticsearch:InterruptLogstashTask acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> Pauses a task of a cluster.
    elasticsearch:ResumeLogstashTask Resumes a task of a cluster.
  • Manage pipelines
    Action Resource Action description
    elasticsearch:CreatePipelines acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> Creates a pipeline.
    elasticsearch:ListPipeline Queries pipelines.
    elasticsearch:DescribePipeline Queries the configuration of a pipeline.
    elasticsearch:UpdatePipelines Modifies the configuration of a pipeline.
    elasticsearch:RunPipelines Immediately deploys a pipeline.
    elasticsearch:StopPipelines Stops a pipeline.
    elasticsearch:UpdatePipelineManagementConfig Updates the pipeline management method.
    elasticsearch:DescribePipelineManagementConfig Queries pipeline management configurations.
    elasticsearch:ListPipelineIds Checks the connectivity between a Logstash cluster and the Kibana console of an Elasticsearch cluster and queries the IDs of pipelines that are created in the Kibana console of the Elasticsearch cluster.
    elasticsearch:DeletePipelines Deletes a pipeline.

Beats

Action Resource Action description
elasticsearch:CreateCollector acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> Creates a shipper.
elasticsearch:DescribeCollector Queries the details of a shipper.
elasticsearch:ReinstallCollector Reinstalls a shipper that fails to be installed when it is created.
elasticsearch:ListCollectors acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/* Queries shippers.
elasticsearch:ListDefaultCollectorConfigurations Queries the default configuration file of a shipper.
elasticsearch:UpdateCollectorName acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> Changes the name of a shipper.
elasticsearch:UpdateCollector Modifies the information of a shipper.
elasticsearch:StartCollector Starts a shipper.
elasticsearch:RestartCollector Restarts a shipper.
elasticsearch:StopCollector Stops a shipper.
elasticsearch:DeleteCollector Deletes a shipper.
elasticsearch:ListEcsInstances Queries Elastic Compute Service (ECS) instances.
elasticsearch:ModifyDeployMachine Changes the ECS instances on which a shipper is installed.
elasticsearch:ListNodes Queries the status of ECS instances on which a shipper is installed.
elasticsearch:ListAckClusters acs:elasticsearch:<yourRegionId>:<yourAccountId>:ackClusters/* Queries Container Service for Kubernetes (ACK) clusters.
elasticsearch:ListAckNamespaces acs:elasticsearch:<yourRegionId>:<yourAccountId>:ackClusters/<yourClusterId> Queries all namespaces of an ACK cluster.
elasticsearch:DescribeAckOperator Queries the information of ES-operator that is installed for an ACK cluster.
elasticsearch:InstallAckOperator Installs ES-operator for an ACK cluster.

Access control

Action Resource Action description
elasticsearch:InitializeOperationRole acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* Creates a service-linked role.

CloudMonitor

Action Resource Action description
cms:ListProductOfActiveAlert acs:elasticsearch:<yourRegionId>:<yourAccountId>:* Queries the services for which CloudMonitor is activated.
cms:ListAlarm Queries the settings of a specified alert rule or all alert rules.
cms:QueryMetricList Queries the monitoring data of a cluster over a specific period of time.

VPCs and vSwitches displayed on the Elasticsearch buy page

Action Resource Action description
elasticsearch:DescribeVpcs acs:elasticsearch:<yourRegionId>:<yourAccountId>:vpc/* Queries VPCs.
elasticsearch:DescribeVswitches acs:elasticsearch:<yourRegionId>:<yourAccountId>:vswitch/* Queries vSwitches.

Parameters

This section describes the parameters that are contained in the Resource element in the preceding section.
  • <yourRegionId>: Set this parameter to the region ID of your Elasticsearch or Logstash cluster. You can also set this parameter to an asterisk (*) to indicate all regions, which widens the statement to every region; prefer a specific region ID where you can. The following table lists the IDs of all regions where Elasticsearch and Logstash are available.
    Area                  Region                   Region ID
    China                 China (Shanghai)         cn-shanghai
    China                 China (Shenzhen)         cn-shenzhen
    China                 China (Qingdao)          cn-qingdao
    China                 China (Zhangjiakou)      cn-zhangjiakou
    China                 China (Beijing)          cn-beijing
    China                 China (Hangzhou)         cn-hangzhou
    China                 China (Hong Kong)        cn-hongkong
    Asia Pacific          Singapore (Singapore)    ap-southeast-1
    Asia Pacific          Malaysia (Kuala Lumpur)  ap-southeast-3
    Asia Pacific          Japan (Tokyo)            ap-northeast-1
    Asia Pacific          Australia (Sydney)       ap-southeast-2
    Asia Pacific          Indonesia (Jakarta)      ap-southeast-5
    Europe & Americas     US (Virginia)            us-east-1
    Europe & Americas     US (Silicon Valley)      us-west-1
    Europe & Americas     Germany (Frankfurt)      eu-central-1
    Europe & Americas     UK (London)              eu-west-1
    Middle East & India   India (Mumbai)           ap-south-1
  • <yourAccountId>: Set this parameter to the ID of your Alibaba Cloud account. You can also set this parameter to an asterisk (*) to indicate all accounts.
  • <yourInstanceId>: Set this parameter to the ID of your Elasticsearch or Logstash cluster. You can also set this parameter to an asterisk (*) to indicate all clusters.
  • <yourCollectorId>: Set this parameter to the ID of your Beats shipper.
  • <yourClusterId>: Set this parameter to the ID of the ACK cluster for which your Beats shipper is installed.
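As an added example (not code from the Alibaba Cloud documentation), the following Python script checks the Resource strings of a policy document against the layout and parameter rules above: the acs:elasticsearch:<region>:<account>:<type>/<id> form, a region ID from the table, a numeric account ID, a resource type that appears in the tables on this page, and a warning wherever an asterisk widens the statement beyond one region, account or resource. The sample policy at the bottom is constructed; the set of resource types is this example's own reading of the tables on this page and may need extending for actions not listed here.

```python
"""Check the Resource strings of an Elasticsearch RAM policy against the
ARN layout and parameter rules described on this page."""
import re

# Region IDs from the table above.
REGION_IDS = {
    "cn-shanghai", "cn-shenzhen", "cn-qingdao", "cn-zhangjiakou", "cn-beijing",
    "cn-hangzhou", "cn-hongkong", "ap-southeast-1", "ap-southeast-3",
    "ap-northeast-1", "ap-southeast-2", "ap-southeast-5", "us-east-1",
    "us-west-1", "eu-central-1", "eu-west-1", "ap-south-1",
}

# Resource types that appear in the tables on this page (assumption: this
# set is read off the page, not published by the service).
RESOURCE_TYPES = {
    "instances", "logstashes", "tags", "collectors", "ackClusters",
    "snapshotrepository", "vpc", "vswitch",
}

ARN_RE = re.compile(
    r"^acs:elasticsearch:(?P<region>[^:]*):(?P<account>[^:]*):(?P<path>.+)$")


def check_resource(arn):
    """Return a list of findings for one Resource string.

    "error: ..." means the string cannot match any resource listed on this
    page; "warn: ..." means it is valid but wildcarded, so the statement
    applies more widely than one region, account or resource.
    """
    if arn == "*":
        return ["warn: '*' matches every resource of every service"]
    m = ARN_RE.match(arn)
    if not m:
        return [f"error: not of the form acs:elasticsearch:<region>:<account>:<type>/<id>: {arn!r}"]
    region, account, path = m.group("region", "account", "path")
    findings = []

    if region == "*":
        findings.append("warn: region '*' matches every region")
    elif region not in REGION_IDS:
        findings.append(f"error: unknown region ID {region!r}")

    if account == "*":
        findings.append("warn: account '*' matches every account ID")
    elif not account.isdigit():
        findings.append(f"error: account ID must be numeric, got {account!r}")

    if path == "*":
        findings.append("warn: resource path '*' matches every resource type and ID")
    else:
        rtype, sep, rid = path.partition("/")
        if not sep or not rid:
            findings.append(f"error: resource path must be <type>/<id>, got {path!r}")
        elif rtype not in RESOURCE_TYPES:
            findings.append(f"error: unknown resource type {rtype!r}")
        elif rid == "*":
            findings.append(f"warn: every {rtype} resource is matched")
    return findings


def check_policy(policy):
    """Run check_resource over every Resource of every Allow statement.

    Returns {resource: findings} for resources with at least one finding.
    Deny statements are skipped: a wildcard there narrows access rather
    than widening it.
    """
    report = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):      # accept a single string as well as a list
            resources = [resources]
        for arn in resources:
            findings = check_resource(arn)
            if findings:
                report[arn] = findings
    return report


if __name__ == "__main__":
    # Constructed policy: one scoped statement and one over-broad one.
    sample = {
        "Statement": [
            {"Effect": "Allow",
             "Action": ["elasticsearch:DescribeInstance"],
             "Resource": ["acs:elasticsearch:cn-hangzhou:1234567890123456:instances/es-cn-example0001"]},
            {"Effect": "Allow",
             "Action": ["elasticsearch:ListInstance"],
             "Resource": ["acs:elasticsearch:*:*:instances/*"]},
        ],
        "Version": "1",
    }
    for arn, findings in check_policy(sample).items():
        print(arn)
        for finding in findings:
            print("  " + finding)
```

Run it over a policy document before attaching it: an error means the Resource cannot match anything on this page (typically a misspelled region or a resource type that belongs to a different action), and each warning marks one asterisk that the parameter descriptions above allow but that you should replace with a concrete ID unless the wider scope is intended.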