Custom policies give you finer-grained permission control than the built-in system policies. Use them when you need to grant access to specific clusters, include CloudMonitor or tag permissions, or restrict what a RAM user can do at the API level.
When to use a custom policy
The following system policies cover common authorization scenarios. If they don't fit your needs, create a custom policy.
| System policy | Grants | For |
|---|---|---|
| AliyunElasticsearchReadOnlyAccess | Read-only access to Elasticsearch or Logstash clusters | Read-only users |
| AliyunElasticsearchFullAccess | Full management access to Elasticsearch clusters, Logstash clusters, and Beats shippers | Administrators |
System policies do not include permissions for CloudMonitor or tags. To grant those, create a custom policy and attach it separately.
Custom policies apply only at the account level, not at the resource group level. To show only specific clusters to a RAM user in the console, use a resource group to grant the relevant cluster permissions. For more information, see Use a resource group to grant permissions on a specific cluster.
Prerequisites
Before you begin, ensure that you have:
- A solid understanding of policy structure and syntax. For more information, see Policy structure and syntax.
Quick reference: Choose a policy example
| Scenario | Policy example |
|---|---|
| Grant a RAM user full admin access to all Elasticsearch clusters | Policy for an administrator |
| Grant a RAM user access to a specific cluster, including CloudMonitor and tag permissions | Policy for operation permissions on a specific cluster |
| Grant a RAM user permission to call specific Elasticsearch API operations | Policy for API operations |
Create a custom policy
Follow the steps in Create a custom policy on the JSON tab and enter a policy document based on your requirements. You can also import an existing system policy as a starting point, then modify it.
Example: Grant access to VPCs and vSwitches
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "elasticsearch:DescribeVpcs",
        "elasticsearch:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Example: Grant permission to pay for orders
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "bss:PayOrder"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Policy examples
Before using the sample policy documents below, replace the following placeholders with your actual values. Wildcards (*) are not supported for these fields.
| Placeholder | Description | How to get it |
|---|---|---|
| <yourAccountId> | Your Alibaba Cloud account ID | Log on to the Alibaba Cloud Management Console, then hover over your profile picture in the upper-right corner to view your account ID |
| <yourInstanceId> | The ID of the Elasticsearch cluster you want to grant access to | See View the basic information of a cluster |
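A document assembled from the samples below is easy to get subtly wrong: a placeholder left unreplaced, a `*` substituted for the account ID, or `elasticsearch:*` allowed on every resource when a single cluster was intended. The following linter is an added example, not part of this page or of any Alibaba Cloud tool; it encodes the checks above plus the basic Version/Statement/Effect shape of a RAM policy, and the two sample documents embedded in it are constructed (the account and cluster IDs are not real).

```python
import json
import re

# Placeholders used in the sample documents on this page.
PLACEHOLDER = re.compile(r"<your\w+>")
# acs:elasticsearch:<region>:<account-id>:<relative-id>
ES_ARN = re.compile(r"^acs:elasticsearch:(?P<region>[^:]*):(?P<account>[^:]*):(?P<rel>.+)$")


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy_text):
    """Return a list of findings for a RAM policy document (empty list = clean).

    Checks: valid JSON, Version "1", a non-empty Statement list, Action/Effect/
    Resource present, Effect is Allow or Deny, no unreplaced <your...>
    placeholders, no wildcard account ID in an Elasticsearch ARN, and a warning
    when elasticsearch:* is allowed on every resource ("*").
    """
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    findings = []
    if doc.get("Version") != "1":
        findings.append('Version must be the string "1"')
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append("Statement must be a non-empty list")
        return findings

    for i, st in enumerate(statements):
        where = f"statement {i}"
        for key in ("Action", "Effect", "Resource"):
            if key not in st:
                findings.append(f"{where}: missing {key}")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        for value in actions + resources:
            if PLACEHOLDER.search(value):
                findings.append(f"{where}: unreplaced placeholder in {value!r}")
        for res in resources:
            m = ES_ARN.match(res)
            if m and m.group("account") == "*":
                findings.append(f"{where}: wildcard account ID in {res!r}")
        if (st.get("Effect") == "Allow" and "elasticsearch:*" in actions
                and "*" in resources):
            findings.append(f"{where}: elasticsearch:* allowed on every resource; "
                            "scope it to an ARN unless this is the administrator policy")
    return findings


# Constructed samples: the account ID and cluster ID below are not real.
SAMPLE_UNFILLED = """{
  "Version": "1",
  "Statement": [{
    "Action": ["elasticsearch:*"],
    "Effect": "Allow",
    "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>"
  }]
}"""

SAMPLE_FILLED = """{
  "Version": "1",
  "Statement": [{
    "Action": ["elasticsearch:*"],
    "Effect": "Allow",
    "Resource": "acs:elasticsearch:*:123456789012:instances/es-cn-sample"
  }, {
    "Action": ["cms:QueryMetricList"],
    "Effect": "Allow",
    "Resource": "*"
  }]
}"""

if __name__ == "__main__":
    for name, text in (("unfilled", SAMPLE_UNFILLED), ("filled", SAMPLE_FILLED)):
        print(name, lint_policy(text) or "ok")
```

Run it over the finished document before pasting it into the RAM console. The `elasticsearch:*` on `"*"` finding is deliberately a warning rather than a hard error, because that combination is what an administrator policy looks like; everything else it reports is a document that will either be rejected or grant something other than what you intended.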
Policy for an administrator
Grants a RAM user full operation permissions on all Elasticsearch clusters under the account <yourAccountId>, together with the CloudMonitor read permissions that the console's monitoring pages call and the list permissions for tags, Logstash clusters, and Beats shippers. The only difference from the specific-cluster policy below is the Resource of the first statement: `instances/*` instead of `instances/<yourInstanceId>`.

```json
{
  "Statement": [
    {
      "Action": [
        "elasticsearch:*"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"
    },
    {
      "Action": [
        "cms:DescribeActiveMetricRuleList",
        "cms:ListAlarm",
        "cms:QueryMetricList"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "elasticsearch:ListTags"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:tags/*"
    },
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:ListSnapshotReposByInstanceId"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"
    },
    {
      "Action": [
        "elasticsearch:ListLogstash"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:logstashes/*"
    },
    {
      "Action": [
        "elasticsearch:ListCollectors"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:collectors/*"
    }
  ],
  "Version": "1"
}
```

Policy for operation permissions on a specific cluster
Grants a RAM user the following permissions under the account <yourAccountId>:
- All Elasticsearch operations on the cluster <yourInstanceId>
- CloudMonitor permissions (required because the Advanced Monitoring and Alerting, CloudMonitor, and Tag interfaces are embedded in the cluster management page of the Elasticsearch console)
- Permission to view all clusters and their shared OSS snapshot repositories
- Permission to view all tags on clusters
- Permission to view Logstash clusters
- Permission to view Beats shippers
```json
{
  "Statement": [
    {
      "Action": [
        "elasticsearch:*"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId>"
    },
    {
      "Action": [
        "cms:DescribeActiveMetricRuleList",
        "cms:ListAlarm",
        "cms:QueryMetricList"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "elasticsearch:ListTags"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:tags/*"
    },
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:ListSnapshotReposByInstanceId"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:instances/*"
    },
    {
      "Action": [
        "elasticsearch:ListLogstash"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:logstashes/*"
    },
    {
      "Action": [
        "elasticsearch:ListCollectors"
      ],
      "Effect": "Allow",
      "Resource": "acs:elasticsearch:*:<yourAccountId>:collectors/*"
    }
  ],
  "Version": "1"
}
```

Policy for API operations
The following table lists the Resource and Action values to use when granting permissions to call Elasticsearch API operations. The Resource column shows the relative ID that follows `acs:elasticsearch:*:<yourAccountId>:` in the full Resource value, and the Action column omits the `elasticsearch:` prefix; replace instanceId with the actual cluster ID. Operations that act on one cluster are scoped to that cluster's ID, while list and create operations are scoped to `instances/*`.
| Method | URI | Resource | Action |
|---|---|---|---|
| GET | /instances | instances/* | ListInstance |
| POST | /instances | instances/* | CreateInstance |
| GET | /instances/instanceId | instances/instanceId | DescribeInstance |
| DELETE | /instances/instanceId | instances/instanceId | DeleteInstance |
| POST | /instances/instanceId/actions/restart | instances/instanceId | RestartInstance |
| PUT | /instances/instanceId | instances/instanceId | UpdateInstance |
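The table maps each API operation to the resource it must be scoped to, so a policy for a set of operations can be generated rather than hand-written. The builder below is an added example, not code from this page or from Alibaba Cloud; it encodes the table as data, groups the allowed actions by resource ARN, and optionally emits an explicit Deny statement for operations that must never succeed (an explicit Deny overrides a matching Allow in RAM policy evaluation). The account and cluster IDs in the usage are constructed.

```python
import json

# Resource relative ID for each API operation, from the table above.
# "{instance_id}" is replaced with the actual cluster ID.
API_RESOURCE = {
    "ListInstance": "instances/*",
    "CreateInstance": "instances/*",
    "DescribeInstance": "instances/{instance_id}",
    "DeleteInstance": "instances/{instance_id}",
    "RestartInstance": "instances/{instance_id}",
    "UpdateInstance": "instances/{instance_id}",
}


def _resource_arn(action, account_id, instance_id, region):
    """Full Resource value for one API action: acs:elasticsearch:<region>:<account>:<rel>."""
    template = API_RESOURCE.get(action)
    if template is None:
        raise ValueError(f"unknown API action: {action}")
    if "{instance_id}" in template:
        # The page says wildcards are not accepted in place of the cluster ID.
        if not instance_id or "*" in instance_id:
            raise ValueError(f"{action} needs a concrete cluster ID, not a wildcard")
        rel = template.format(instance_id=instance_id)
    else:
        rel = template
    return f"acs:elasticsearch:{region}:{account_id}:{rel}"


def build_api_policy(account_id, instance_id, allow, deny=(), region="*"):
    """Build a RAM policy document for the given API operations.

    allow: API action names to permit; deny: API action names to explicitly
    forbid. Actions are grouped into one statement per resource ARN so the
    document stays short and each statement's scope is obvious on review.
    """
    if not account_id or "*" in account_id:
        raise ValueError("account_id must be a concrete account ID")
    statements = []
    for effect, actions in (("Allow", allow), ("Deny", deny)):
        by_arn = {}
        for action in actions:
            arn = _resource_arn(action, account_id, instance_id, region)
            by_arn.setdefault(arn, []).append(f"elasticsearch:{action}")
        for arn, acts in by_arn.items():
            statements.append({"Action": sorted(acts), "Effect": effect, "Resource": arn})
    return {"Version": "1", "Statement": statements}


if __name__ == "__main__":
    # Constructed IDs: an operator may list clusters and describe/restart one
    # cluster, but may never delete it even if another policy allows deletion.
    policy = build_api_policy(
        "123456789012", "es-cn-sample",
        allow=["ListInstance", "DescribeInstance", "RestartInstance"],
        deny=["DeleteInstance"],
    )
    print(json.dumps(policy, indent=2))
```

The Deny statement is the part worth keeping even when you trim the rest: a RAM user typically has several policies attached, and an explicit Deny on `DeleteInstance` for a production cluster holds regardless of what a later, broader Allow grants.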
Policy element reference
Use this reference when writing or reviewing policy documents.
Action
Specifies the operations the policy allows or denies.
| Action | Description |
|---|---|
| elasticsearch:* | All Elasticsearch operations. Does not include permissions for Advanced Monitoring and Alerting, CloudMonitor, or Tag; specify those separately. |
| elasticsearch:ListInstance | Query Elasticsearch clusters. |
| elasticsearch:ListSnapshotReposByInstanceId | Query shared Object Storage Service (OSS) repositories. |
| elasticsearch:ListTags | Query all tags on Elasticsearch clusters. |
| elasticsearch:ListCollectors | Query Beats shippers. |
| elasticsearch:ListLogstash | Query Logstash clusters. |
| elasticsearch:DescribeVpcs, elasticsearch:DescribeVSwitches | Access the virtual private clouds (VPCs) and vSwitches belonging to the Alibaba Cloud account. Required when a RAM user needs to select a VPC or vSwitch during resource purchase. |
| cms:DescribeActiveMetricRuleList | Query services for which CloudMonitor is activated within the account. |
| cms:ListAlarm | Query all or specific alert rules. |
| cms:QueryMetricList | Query monitoring data for instances or clusters of a specific service over a period. |
| bss:PayOrder | Pay for orders. Required when authorizing a RAM user to purchase resources; without it, the system returns an insufficient permissions error at checkout. |
Effect
Determines whether the policy statement allows or denies the specified actions.
| Value | Description |
|---|---|
| Allow | The RAM user can perform the operations in the Action element. |
| Deny | The RAM user cannot perform the operations in the Action element. |
Resource
Specifies which resources the policy applies to. For the full list of supported authorization objects, see Elasticsearch objects supported for authorization.
| Value | Description |
|---|---|
| * | All clusters. |
| acs:elasticsearch:*:<yourAccountId>:instances/<yourInstanceId> | A specific cluster. Replace <yourAccountId> and <yourInstanceId> with the actual account ID and cluster ID. See View the basic information of a cluster. |
What's next
After creating the custom policy, attach it to a RAM user from the RAM console or using a RAM SDK. For more information, see Grant permissions to RAM users.