Elasticsearch: Elasticsearch objects supported for authorization

Last Updated: Aug 14, 2023

Custom policies can be used to manage user permissions in a fine-grained manner. You can use custom policies to control the access permissions of RAM users, RAM roles, or other Alibaba Cloud services or to authenticate team or department members. When you create a custom policy, you must configure the Action and Resource elements. This topic describes the objects that you can specify in the Action and Resource elements.

Background information

By default, you can use your Alibaba Cloud account or RAM users within your Alibaba Cloud account to manage your Elasticsearch resources in the Elasticsearch console or by calling Elasticsearch API operations. Authorization is required in the following scenarios:

  • A new RAM user within your Alibaba Cloud account does not have permissions to perform operations on the resources of the Alibaba Cloud account.

  • You want to access Elasticsearch resources from other Alibaba Cloud services, or Elasticsearch needs to access the resources of other Alibaba Cloud services.

  • You want to perform operations on Elasticsearch resources that require resource and API operation permissions to be granted by resource owners.

Custom policies

You can create a custom policy in the RAM console or by calling the RAM API operation CreatePolicy.

If you use the Script configuration mode to create a custom policy in the RAM console, you must specify the policy document based on the JSON template that is provided in the console. The objects that you can specify in the Action and Resource elements are provided in the Objects supported for authorization section. For more information, see Create a custom policy and Policy elements.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticsearch:[Elasticsearch RAM Action]",
        "elasticsearch:ListInstance"
      ],
      "Resource": [
        "[Elasticsearch RAM Action Resource]",
        "acs:elasticsearch:cn-hangzhou:133071096032****:instances/es-cn-2r42b7uyg003k****"
      ]
    }
  ],
  "Version": "1"
}

Objects supported for authorization

Elasticsearch

  • Manage clusters

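    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:CreateInstance | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* | Creates a cluster. |
    | elasticsearch:ListInstance | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* | Queries the details of all clusters. |
    | elasticsearch:DescribeInstance | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the details of a cluster. |
    | elasticsearch:EstimatedRestartTime | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the estimated time that is required to restart a cluster. |
    | elasticsearch:RestartInstance | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Restarts a cluster. |
    | elasticsearch:UpdateInstanceChargeType | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Switches the billing method of a cluster from pay-as-you-go to subscription. |
    | elasticsearch:UpdateDescription | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Changes the name of a cluster. |
    | elasticsearch:DeleteInstance | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Releases a pay-as-you-go cluster. |
    | elasticsearch:CancelDeletion | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Restores a cluster that is frozen after it is released. |
    | elasticsearch:RenewInstance | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Renews a subscription cluster. |
    | elasticsearch:ActivateZones | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Restores nodes in disabled zones. |
    | elasticsearch:DeactivateZones | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Disables one or more zones where a multi-zone cluster resides and migrates the nodes in the disabled zones to other zones. |
    | elasticsearch:InterruptElasticsearchTask | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Suspends a change task of a cluster. |
    | elasticsearch:ResumeElasticsearchTask | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Resumes a change task of a cluster. |
    | elasticsearch:DescribeElasticsearchHealth | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the health status of a cluster. |
    | elasticsearch:ListInstanceIndices | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the indexes of a cluster. |
    | elasticsearch:MigrateToOtherZone | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Migrates nodes across zones. |
    | elasticsearch:MoveResourceGroup | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Migrates a cluster to a resource group. |
    | elasticsearch:ModifyInstanceMaintainTime | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Enables and modifies the maintenance window of a cluster. |
    | elasticsearch:ListShardRecoveries | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the progress of ongoing and completed data restoration tasks on shards. |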

  • Manage tags

    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:ListTags | acs:elasticsearch:<yourRegionId>:<yourAccountId>:tags/<yourInstanceId> | Queries all visible user tags. |
    | elasticsearch:CreateTags | acs:elasticsearch:<yourRegionId>:<yourAccountId>:tags/<yourInstanceId> | Creates or updates tags. |
    | elasticsearch:RemoveTags | acs:elasticsearch:<yourRegionId>:<yourAccountId>:tags/<yourInstanceId> | Removes tags. |
    | elasticsearch:ListTagResources | acs:elasticsearch:<yourRegionId>:<yourAccountId>:tags/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:tags/<yourInstanceId> | Queries the relationships between visible tags and resources. |

  • Migrate data

    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:ListDataTasks | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the information about data migration tasks. |
    | elasticsearch:CancelTask | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Cancels a data migration task. |
    | elasticsearch:CreateDataTasks | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Creates a data migration task to migrate data to a specified cluster. |
    | elasticsearch:DeleteDataTask | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Deletes a data migration task. |
    | elasticsearch:GetClusterDataInformation | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the data information of a cluster. |

  • Upgrade or downgrade cluster configurations

    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:UpgradeEngineVersion | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Upgrades the version or kernel version of a cluster. |
    | elasticsearch:UpdateInstance | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Modifies the configuration of a cluster. |
    | elasticsearch:DowngradeInstance | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Checks whether the data on specific nodes in a cluster can be migrated before a cluster scale-in; migrates data before a cluster scale-in; checks whether specific nodes can be removed from a cluster; scales in a cluster. |

  • Configure clusters

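    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:UpdateInstanceSettings | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the configuration in the YML file of a cluster. |
    | elasticsearch:UpdateHotIkDicts | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Performs a rolling update on the analysis-ik plug-in, including the IK main dictionary and stopword list of the plug-in. |
    | elasticsearch:UpdateSynonymsDicts | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the synonym dictionary of a cluster. |
    | elasticsearch:UpdateDict | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Performs a standard update on the analysis-ik plug-in, including the IK main dictionary and stopword list of the plug-in. |
    | elasticsearch:UpdateAliwsDict | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the dictionary file of the analysis-aliws plug-in. |
    | elasticsearch:ListDictInformation | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries and verifies the details of the dictionary object stored in Object Storage Service (OSS) when you upload the object to a cluster. |
    | elasticsearch:UpdateAdvancedSetting | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the garbage collector (GC) configuration of a cluster. |
    | elasticsearch:DescribeTemplates | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the scenario-based configuration templates of a cluster. |
    | elasticsearch:ListDicts | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the details of a specified type of dictionary and the link that is generated based on the related signature to download the dictionary. |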

  • Manage plug-ins

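    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:ListPlugins | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the plug-ins that are installed for a cluster. |
    | elasticsearch:InstallSystemPlugin | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Installs a built-in plug-in. |
    | elasticsearch:UninstallPlugin | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Uninstalls a built-in plug-in. |
    | elasticsearch:InstallUserPlugins | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Installs a custom plug-in that is uploaded to the Elasticsearch console. |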

  • Query logs

    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:ListSearchLogs | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the logs of a cluster. |

  • Configure security settings

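    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:TriggerNetwork | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Enables or disables the Public Network Access or Private Network Access feature for Elasticsearch or Kibana. |
    | elasticsearch:UpdatePrivateNetworkWhiteIps | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the private IP address whitelist of a cluster. |
    | elasticsearch:UpdatePublicWhiteIps | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the public IP address whitelist of a cluster. |
    | elasticsearch:UpdatePublicNetwork | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Enables or disables the Public Network Access feature for a cluster. |
    | elasticsearch:UpdateWhiteIps | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the private IP address whitelist of a cluster. |
    | elasticsearch:ModifyWhiteIps | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the IP address whitelist of a cluster. |
    | elasticsearch:UpdateAdminPassword | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the password for the elastic account of a cluster. |
    | elasticsearch:OpenHttps | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Enables HTTPS. |
    | elasticsearch:CloseHttps | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Disables HTTPS. |
    | elasticsearch:AddConnectableCluster | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Connects clusters. |
    | elasticsearch:DeleteConnectedCluster | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Disconnects clusters. |
    | elasticsearch:DescribeConnectableClusters | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the clusters that can be connected to a specified cluster. The clusters that are connected to the specified cluster are excluded. |
    | elasticsearch:ListConnectedClusters | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries a list of clusters that are connected to a specified cluster. |
    | elasticsearch:DeleteVpcEndpoint | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Deletes an endpoint in the VPC within the service account. |
    | elasticsearch:ListVpcEndpoints | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the status of an endpoint in the VPC within the service account. |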

  • Back up data

    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:CreateSnapshot | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Creates a snapshot for a cluster. |
    | elasticsearch:AddSnapshotRepo | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* | Creates a shared OSS repository for a cluster. |
    | elasticsearch:DeleteSnapshotRepo | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* | Deletes a shared OSS repository for a cluster. |
    | elasticsearch:ListSnapshotReposByInstanceId | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* | Queries a list of shared OSS repositories configured for a cluster. |
    | elasticsearch:ListAlternativeSnapshotRepos | acs:elasticsearch:<yourRegionId>:<yourAccountId>:snapshotrepository/* | Queries the shared OSS repositories that can be configured for a cluster. |
    | elasticsearch:DescribeSnapshotSetting | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the data backup configuration of a cluster. |
    | elasticsearch:UpdateSnapshotSetting | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the data backup configuration of a cluster. |

  • Perform intelligent O&M

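    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:OpenDiagnosis | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Enables intelligent O&M. |
    | elasticsearch:CloseDiagnosis | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Disables intelligent O&M. |
    | elasticsearch:UpdateDiagnosisSettings | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the scenario settings of intelligent O&M. |
    | elasticsearch:DiagnoseInstance | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Diagnoses a cluster. |
    | elasticsearch:ListDiagnoseReport | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries a historical intelligent O&M report. |
    | elasticsearch:ListDiagnoseReportIds | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the IDs of historical intelligent O&M reports. |
    | elasticsearch:ListDiagnoseIndices | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the indexes on which health diagnosis is performed. |
    | elasticsearch:DescribeDiagnoseReport | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries historical intelligent O&M reports. |
    | elasticsearch:DescribeDiagnosisSettings | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the scenario settings of intelligent O&M. |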

Kibana

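| Action | Resource | Action description |
|---|---|---|
| elasticsearch:DescribeKibanaSettings | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the configuration of Kibana. |
| elasticsearch:UpdateKibanaSettings | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Updates the configuration of Kibana. |
| elasticsearch:ListKibanaPlugins | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Queries the plug-ins of Kibana. |
| elasticsearch:InstallKibanaSystemPlugin | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Installs a plug-in for Kibana. |
| elasticsearch:UninstallKibanaPlugin | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Uninstalls a plug-in for Kibana. |
| elasticsearch:UpdateKibanaWhiteIps | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/<yourInstanceId> | Modifies the IP address whitelist for access to Kibana. |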

Logstash

  • Manage clusters

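    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:CreateLogstash | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Creates a cluster. |
    | elasticsearch:ListLogstash | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/*; acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries the details of a specified cluster or all clusters. |
    | elasticsearch:DescribeLogstash | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries the details of a cluster. |
    | elasticsearch:UpdateLogstash | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Modifies some information about a cluster, such as the number of nodes, quota, name, and hard disk size. |
    | elasticsearch:RenewLogstash | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Renews a cluster. |
    | elasticsearch:RestartLogstash | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Restarts a cluster. |
    | elasticsearch:EstimatedLogstashRestartTime | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries the estimated time that is required to restart a cluster. |
    | elasticsearch:UpdateLogstashDescription | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Changes the name of a cluster. |
    | elasticsearch:UpdateLogstashChargeType | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Switches the billing method of a cluster from pay-as-you-go to subscription. |
    | elasticsearch:DeleteLogstash | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Releases a pay-as-you-go cluster. |
    | elasticsearch:CancelLogstashDeletion | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Restores a cluster that is frozen after it is released. |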

  • Configure clusters

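    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:UpdateLogstashSettings | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Updates the configuration of a cluster. |
    | elasticsearch:ListExtendfiles | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries the third-party libraries that are configured for a cluster. |
    | elasticsearch:UpdateExtendfiles | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Updates the third-party libraries that are configured for a cluster. |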

  • Manage plug-ins

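    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:ListPlugin | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries a list of plug-ins. |
    | elasticsearch:InstallSystemPlugin | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Installs a built-in plug-in. |
    | elasticsearch:UninstallSystemPlugin | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Uninstalls a built-in plug-in. |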

  • Monitor clusters and query logs

    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:ListAvailableEsInstanceIds | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries the Elasticsearch clusters that have X-Pack monitoring capabilities and can be associated with a Logstash cluster. |
    | elasticsearch:ValidateConnection | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Tests the connectivity between a Logstash cluster and its associated Elasticsearch cluster when you configure the X-Pack Monitoring feature for the Logstash cluster. |
    | elasticsearch:UpdateXpackMonitorConfig | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Updates the configurations of the X-Pack Monitoring feature of a Logstash cluster. |
    | elasticsearch:DescribeXpackMonitorConfig | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries the configurations of the X-Pack Monitoring feature of a Logstash cluster. |
    | elasticsearch:ListLogstashLog | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries the logs of a Logstash cluster. |

  • Manage tasks

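    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:InterruptLogstashTask | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Suspends a change task. |
    | elasticsearch:ResumeLogstashTask | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Resumes a change task. |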

  • Manage pipelines

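    | Action | Resource | Action description |
    |---|---|---|
    | elasticsearch:CreatePipelines | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Creates a pipeline. |
    | elasticsearch:ListPipeline | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries a list of pipelines. |
    | elasticsearch:DescribePipeline | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries the configuration of a pipeline. |
    | elasticsearch:UpdatePipelines | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Updates the configuration of a pipeline. |
    | elasticsearch:RunPipelines | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Deploys a pipeline immediately. |
    | elasticsearch:StopPipelines | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Stops a pipeline. |
    | elasticsearch:UpdatePipelineManagementConfig | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Updates the pipeline management method. |
    | elasticsearch:DescribePipelineManagementConfig | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Queries pipeline management configurations. |
    | elasticsearch:ListPipelineIds | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Tests the connectivity between a Logstash cluster and the Kibana console of an Elasticsearch cluster, and queries the IDs of pipelines that are created in the Kibana console of the Elasticsearch cluster. |
    | elasticsearch:DeletePipelines | acs:elasticsearch:<yourRegionId>:<yourAccountId>:logstashes/<yourInstanceId> | Deletes a pipeline. |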

Beats

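| Action | Resource | Action description |
|---|---|---|
| elasticsearch:CreateCollector | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Creates a shipper. |
| elasticsearch:DescribeCollector | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Queries the details of a shipper. |
| elasticsearch:ReinstallCollector | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Installs a shipper that failed to be installed when you create the shipper. |
| elasticsearch:ListCollectors | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/* | Queries a list of shippers. |
| elasticsearch:ListDefaultCollectorConfigurations | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/* | Queries the default configuration files of shippers. |
| elasticsearch:UpdateCollectorName | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Changes the name of a shipper. |
| elasticsearch:UpdateCollector | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Updates the information about a shipper. |
| elasticsearch:StartCollector | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Starts a shipper. |
| elasticsearch:RestartCollector | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Restarts a shipper. |
| elasticsearch:StopCollector | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Stops a shipper. |
| elasticsearch:DeleteCollector | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Deletes a shipper. |
| elasticsearch:ListEcsInstances | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Queries a list of Elastic Compute Service (ECS) instances. |
| elasticsearch:ModifyDeployMachine | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Changes the ECS instances on which a shipper is installed. |
| elasticsearch:ListNodes | acs:elasticsearch:<yourRegionId>:<yourAccountId>:collectors/<yourCollectorId> | Queries the statuses of ECS instances on which a shipper is installed. |
| elasticsearch:ListAckClusters | acs:elasticsearch:<yourRegionId>:<yourAccountId>:ackClusters/* | Queries a list of Container Service for Kubernetes (ACK) clusters. |
| elasticsearch:ListAckNamespaces | acs:elasticsearch:<yourRegionId>:<yourAccountId>:ackClusters/<yourClusterId> | Queries all namespaces of an ACK cluster. |
| elasticsearch:DescribeAckOperator | acs:elasticsearch:<yourRegionId>:<yourAccountId>:ackClusters/<yourClusterId> | Queries the information about ES-operator that is installed for an ACK cluster. |
| elasticsearch:InstallAckOperator | acs:elasticsearch:<yourRegionId>:<yourAccountId>:ackClusters/<yourClusterId> | Installs ES-operator for an ACK cluster. |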

Access control

| Action | Resource | Action description |
|---|---|---|
| elasticsearch:InitializeOperationRole | acs:elasticsearch:<yourRegionId>:<yourAccountId>:instances/* | Creates a service-linked role. |

CloudMonitor

| Action | Resource | Action description |
|---|---|---|
| cms:ListProductOfActiveAlert | * | Queries the services for which CloudMonitor is activated. |
| cms:ListAlarm | * | Queries the settings of a specified alert rule or all alert rules. |
| cms:QueryMetricList | * | Queries the monitoring data of a cluster over a specific period of time. |

VPCs and vSwitches displayed on the Elasticsearch buy page

| Action | Resource | Action description |
|---|---|---|
| elasticsearch:DescribeVpcs | acs:elasticsearch:<yourRegionId>:<yourAccountId>:vpc/* | Queries a list of VPCs. |
| elasticsearch:DescribeVswitches | acs:elasticsearch:<yourRegionId>:<yourAccountId>:vswitch/* | Queries a list of vSwitches. |

Parameters

This section describes the parameters that are contained in the Resource element in the preceding section.

  • <yourRegionId>: Set this parameter to the region ID of your Elasticsearch or Logstash cluster. You can also set this parameter to an asterisk (*) to indicate all regions. The following table lists the IDs of all regions where Elasticsearch and Logstash are available.

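    | Area | Region | Region ID |
    |---|---|---|
    | China | China (Shanghai) | cn-shanghai |
    | China | China (Shenzhen) | cn-shenzhen |
    | China | China (Qingdao) | cn-qingdao |
    | China | China (Zhangjiakou) | cn-zhangjiakou |
    | China | China (Beijing) | cn-beijing |
    | China | China (Hangzhou) | cn-hangzhou |
    | China | China (Hong Kong) | cn-hongkong |
    | Asia Pacific | Singapore | ap-southeast-1 |
    | Asia Pacific | Malaysia (Kuala Lumpur) | ap-southeast-3 |
    | Asia Pacific | Japan (Tokyo) | ap-northeast-1 |
    | Asia Pacific | Australia (Sydney) | ap-southeast-2 |
    | Asia Pacific | Indonesia (Jakarta) | ap-southeast-5 |
    | Europe & Americas | US (Virginia) | us-east-1 |
    | Europe & Americas | US (Silicon Valley) | us-west-1 |
    | Europe & Americas | Germany (Frankfurt) | eu-central-1 |
    | Europe & Americas | UK (London) | eu-west-1 |
    | Middle East & India | India (Mumbai) | ap-south-1 |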

  • <yourAccountId>: Set this parameter to the ID of your Alibaba Cloud account. You can also set this parameter to an asterisk (*) to indicate all accounts.

  • <yourInstanceId>: Set this parameter to the ID of your Elasticsearch or Logstash cluster. You can also set this parameter to an asterisk (*) to indicate all clusters.

  • <yourCollectorId>: Set this parameter to the ID of your Beats shipper.

  • <yourClusterId>: Set this parameter to the ID of the ACK cluster for which your Beats shipper is installed.
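
The following policy audit is an added example, not part of the original documentation or any Alibaba Cloud tool. It lists every Allow statement that grants a state-changing action from the "Configure security settings" and Kibana tables on this page, and reports which parts of the Resource string are wildcards. The function names, the choice of which actions count as sensitive, the Action wildcard semantics, and the sample account and instance IDs are assumptions of this example.

```python
import json
import re

# State-changing actions copied from this page's "Configure security settings"
# and Kibana tables. Treating this subset as review-worthy is the example's choice.
SENSITIVE = ["elasticsearch:" + name for name in (
    "TriggerNetwork", "UpdatePublicNetwork", "UpdatePublicWhiteIps",
    "UpdatePrivateNetworkWhiteIps", "UpdateWhiteIps", "ModifyWhiteIps",
    "UpdateKibanaWhiteIps", "UpdateAdminPassword", "CloseHttps",
    "AddConnectableCluster")]

def as_list(value):
    """Action and Resource may each be one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def action_matches(pattern, action):
    """Assumption: '*' in a policy Action matches any run of characters.
    Compared case-insensitively so the audit errs towards flagging."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def wildcard_segments(resource):
    """Name the wildcarded parts of acs:elasticsearch:<region>:<account>:<type>/<id>."""
    if resource == "*":
        return ["region", "account", "id"]
    parts = resource.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "elasticsearch"]:
        return []  # not an Elasticsearch resource string
    ident = parts[4].partition("/")[2]
    found = [n for n, v in (("region", parts[2]), ("account", parts[3])) if v == "*"]
    return found + (["id"] if "*" in ident else [])

def audit(policy):
    """List every sensitive action an Allow statement grants, with its scope."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        granted = [a for a in SENSITIVE
                   if any(action_matches(p, a) for p in as_list(stmt.get("Action")))]
        for action in granted:
            for resource in as_list(stmt.get("Resource")):
                findings.append({"statement": index, "action": action,
                                 "resource": resource,
                                 "wildcards": wildcard_segments(resource)})
    return findings

# Constructed sample policy; the account ID and instance ID are made up.
SAMPLE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["elasticsearch:Describe*", "elasticsearch:ListInstance"],
   "Resource": "acs:elasticsearch:cn-hangzhou:1234567890123456:instances/*"},
  {"Effect": "Allow", "Action": "elasticsearch:Update*",
   "Resource": "acs:elasticsearch:*:1234567890123456:instances/*"},
  {"Effect": "Deny", "Action": "elasticsearch:CloseHttps", "Resource": "*"},
  {"Effect": "Allow", "Action": ["elasticsearch:CloseHttps"],
   "Resource": ["acs:elasticsearch:cn-hangzhou:1234567890123456:instances/es-cn-example0001"]}
]}
""")

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        scope = ",".join(f["wildcards"]) or "single resource"
        print(f"statement {f['statement']}: {f['action']} on {f['resource']} [{scope}]")
```

The audit reports grants only; it does not work out whether a Deny statement elsewhere overrides them, so treat each finding as a prompt for review rather than a final access decision.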