When you access Kibana over a virtual private cloud (VPC) or create and manage Beats shippers, Elasticsearch needs to assume the related service-linked role to access the resources of other Alibaba Cloud services. If the service-linked role does not exist, Elasticsearch automatically creates the role when you perform the preceding operations. This topic describes Elasticsearch service-linked roles and describes how to delete a service-linked role.
Scenarios
This section describes the scenarios in which Elasticsearch service-linked roles are used.
AliyunServiceRoleForElasticsearch: The role is required when you enable the Private Network Access feature of Kibana for an Elasticsearch cluster that is deployed in the cloud-native control architecture.
AliyunServiceRoleForElasticsearchCollector: The role is required when you create and manage Beats shippers.
For more information about service-linked roles, see Service-linked roles.
Description
AliyunServiceRoleForElasticsearch
If a role that has the required permissions does not exist when you enable the Private Network Access feature of Kibana for an Elasticsearch cluster, Elasticsearch automatically creates the service-linked role and grants the required permissions to the role. Then, Elasticsearch assumes the role and calls the PrivateLink API to create an endpoint and associate the endpoint with a Kibana node in the cluster. This way, you can access Kibana over a VPC. The following descriptions provide detailed information about the role:
Role name: AliyunServiceRoleForElasticsearch
Policy name: AliyunServiceRolePolicyForElasticsearch
Policy document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
Service name: elasticsearch.aliyuncs.com
Permission required to create the role: ram:CreateServiceLinkedRole
AliyunServiceRoleForElasticsearchCollector
If a role that has the required permissions does not exist when you create and manage a Beats shipper, Elasticsearch automatically creates the service-linked role and grants the required permissions to the role. Then, Elasticsearch assumes the role and calls the related API operation to enable the Beats shipper to collect data from an Elastic Compute Service (ECS) instance or a Container Service for Kubernetes (ACK) cluster. The following descriptions provide detailed information about the role:
Role name: AliyunServiceRoleForElasticsearchCollector
Policy name: AliyunServiceRolePolicyForElasticsearchCollector
Policy document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:CancelExecution",
        "oos:DeleteExecutions",
        "oos:GenerateExecutionPolicy",
        "oos:GetExecutionTemplate",
        "oos:ListExecutionLogs",
        "oos:ListExecutions",
        "oos:ListTaskExecutions",
        "oos:NotifyExecution",
        "oos:StartExecution",
        "oos:ListTagResources",
        "oos:TagResources",
        "oos:UntagResources",
        "oos:CreateTemplate",
        "oos:DeleteTemplate",
        "oos:GetTemplate",
        "oos:ListExecutionRiskyTasks",
        "oos:ListTemplates",
        "oos:UpdateTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:GetUserConfig",
        "cs:GetClusters",
        "cs:GetClusterById"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}
Service name: collector.elasticsearch.aliyuncs.com
Permission required to create the role: ram:CreateServiceLinkedRole
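Both service-linked role policies above grant their actions on "Resource": "*", and the only scoping on the ram:CreateServiceLinkedRole and ram:DeleteServiceLinkedRole actions is the ram:ServiceName condition. When reviewing such a policy, a practitioner usually wants to see, per service, which actions are granted, which wildcard-resource statements carry no condition at all, and whether every service-linked-role action is pinned to a specific service name. The following Python audit helper is an added example, not code from Alibaba Cloud or this page; the embedded policy is a constructed, abbreviated copy of the AliyunServiceRolePolicyForElasticsearch document shown above, and the statement-level checks reflect the reviewer's own criteria rather than any RAM API.

```python
import json
from collections import defaultdict

# Constructed, abbreviated copy of the AliyunServiceRolePolicyForElasticsearch
# document from this page, embedded so the audit runs offline.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Action": ["privatelink:CreateVpcEndpoint", "privatelink:DeleteVpcEndpoint"],
            "Resource": "*",
            "Effect": "Allow",
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}},
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": "elasticsearch.aliyuncs.com"}},
        },
    ],
})

SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")


def _as_list(value):
    """RAM policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def summarize_policy(policy_text):
    """Parse a RAM policy document and return a review summary.

    services: actions granted, grouped by the service prefix before ':'.
    unconditioned_wildcard_statements: indexes of Allow statements with
        Resource "*" and no Condition (broadest grants; review first).
    service_linked_role_scope: ram:ServiceName values each SLR action is pinned to.
    unscoped_slr_actions: SLR actions granted without any ram:ServiceName condition.
    """
    policy = json.loads(policy_text)
    by_service = defaultdict(set)
    unconditioned = []
    slr_scope = {}
    unscoped = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not widen access; skip them here
        actions = _as_list(stmt["Action"])
        condition = stmt.get("Condition", {})
        for action in actions:
            service, _, name = action.partition(":")
            by_service[service].add(name)
        if "*" in _as_list(stmt.get("Resource", [])) and not condition:
            unconditioned.append(idx)
        names = condition.get("StringEquals", {}).get("ram:ServiceName")
        for action in actions:
            if action not in SLR_ACTIONS:
                continue
            if names is None:
                unscoped.append(action)
            else:
                slr_scope.setdefault(action, []).extend(_as_list(names))
    return {
        "services": {svc: sorted(acts) for svc, acts in by_service.items()},
        "unconditioned_wildcard_statements": unconditioned,
        "service_linked_role_scope": slr_scope,
        "unscoped_slr_actions": unscoped,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_policy(SAMPLE_POLICY), indent=2))
```

Run against the page's policy, the summary shows the PrivateLink statement as the only unconditioned wildcard grant (expected, since the role must create endpoints in any VPC of the account) and both service-linked-role actions pinned to a single service name each; an empty unscoped_slr_actions list is the property to look for.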
Delete a service-linked role
Before you delete a service-linked role, you must delete all tasks or devices that depend on the role. For more information about how to delete a service-linked role, see Delete a service-linked role.
FAQ
Q: Why am I unable to use my RAM user to create an Elasticsearch service-linked role?
A: Only Alibaba Cloud accounts and RAM users that have the CreateServiceLinkedRole permission can be used to create a service-linked role. Therefore, if your RAM user cannot be used to create the service-linked role, you must attach the following policy to your RAM user. For more information, see Grant permissions to RAM users.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "elasticsearch:InitializeOperationRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "XXX.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
You must replace the ID 133071096032**** specified in the Resource element with the ID of your Alibaba Cloud account. To obtain the ID of your Alibaba Cloud account, perform the following operations: Log on to the Alibaba Cloud Management Console and move the pointer over the profile picture in the upper-right corner. Then, you can view the ID of your Alibaba Cloud account.
You must replace XXX.aliyuncs.com specified for ram:ServiceName with the service name of the service-linked role that you want to create:
Service name of the service-linked role AliyunServiceRoleForElasticsearch: elasticsearch.aliyuncs.com
Service name of the service-linked role AliyunServiceRoleForElasticsearchCollector: collector.elasticsearch.aliyuncs.com
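The FAQ policy template has two placeholders that must be filled in before it is attached to a RAM user: the account ID in the Resource element and the ram:ServiceName value in the condition. Attaching the template unchanged either fails or, if the wildcard account field were loosened, grants more than intended. The following Python helper is an added example, not Alibaba Cloud's tooling: it builds the policy for a given account ID and set of role names, restricting ram:ServiceName to exactly the two service names this page documents, and it detects when the page's placeholders are still present. The assumptions that an account ID is a 16-digit string (consistent with the masked ID on this page) and that the placeholder markers are "****" and "XXX" are the example's own.

```python
import re

# Service names of the two Elasticsearch service-linked roles, as given on this page.
SERVICE_NAMES = {
    "AliyunServiceRoleForElasticsearch": "elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchCollector": "collector.elasticsearch.aliyuncs.com",
}

# Assumption for this example: Alibaba Cloud account IDs are 16 decimal digits.
ACCOUNT_ID_RE = re.compile(r"\d{16}")

# Constructed copy of the page's FAQ template, with its placeholders left in place.
PAGE_TEMPLATE = {
    "Version": "1",
    "Statement": [
        {
            "Action": "elasticsearch:InitializeOperationRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow",
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": ["XXX.aliyuncs.com"]}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_ram_user_policy(account_id, role_names):
    """Return the FAQ policy with the account ID and service names filled in.

    Only role names documented on this page are accepted, so the condition can
    never be widened to an arbitrary *.aliyuncs.com service by a typo.
    """
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account_id must be a 16-digit Alibaba Cloud account ID")
    unknown = [r for r in role_names if r not in SERVICE_NAMES]
    if unknown or not role_names:
        raise ValueError(f"unknown or empty service-linked role names: {unknown}")
    resource = f"acs:ram:*:{account_id}:role/*"
    return {
        "Version": "1",
        "Statement": [
            {
                "Action": "elasticsearch:InitializeOperationRole",
                "Resource": resource,
                "Effect": "Allow",
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": resource,
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [SERVICE_NAMES[r] for r in role_names],
                    }
                },
            },
        ],
    }


def find_placeholders(policy):
    """Return Resource and ram:ServiceName values that still carry template placeholders."""
    found = []
    for stmt in policy["Statement"]:
        for res in _as_list(stmt.get("Resource", [])):
            # "****" is the masked tail of the page's sample account ID
            if "****" in res:
                found.append(res)
        names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", [])
        for name in _as_list(names):
            if "XXX" in name or name not in SERVICE_NAMES.values():
                found.append(name)
    return found


if __name__ == "__main__":
    policy = build_ram_user_policy("1234567890123456", ["AliyunServiceRoleForElasticsearch"])
    print(policy)
    print("placeholders left in page template:", find_placeholders(PAGE_TEMPLATE))
```

find_placeholders also flags any ram:ServiceName that is not one of the two documented values, which catches a policy that was edited by hand to a broader service than the role needs.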