If you want to upload a plug-in or dictionary file that is stored in Object Storage Service (OSS) in the Elasticsearch console, you can upload the file by using the OSS URL of the file. This process depends on the regular service role for Alibaba Cloud Elasticsearch. This role authorizes Elasticsearch to access the OSS URL and load the file.
Overview
A regular service role is a RAM role whose trusted entity is an Alibaba Cloud service. Regular service roles are used to authorize access across Alibaba Cloud services. For more information, see RAM role overview.
If the regular service role does not exist when you upload a dictionary by using the OSS URL of the dictionary file, you need to create the regular service role and attach the required policy to the role. This way, Elasticsearch can assume this role to access the file in the OSS URL and update dictionaries based on the file. You no longer need to change the read permission on the OSS bucket that stores the file to public read. This ensures data security.
The following descriptions provide detailed information about the role:
Trusted service name: elasticsearch.aliyuncs.com
Role name: AliyunElasticsearchAccessingOSSRole
Policy name: AliyunElasticsearchAccessingOSSRolePolicy
Policy document:
{ "Version": "1", "Statement": [ { "Action": [ "oss:GetObject", "oss:GetObjectMetadata", "oss:GetObjectMeta" ], "Resource": "*", "Effect": "Allow" } ] }
Delete the regular service role
You can delete the regular service role in the RAM console. For more information, see Delete a RAM role.
After the regular service role is deleted, the features that depend on the role cannot be used. Proceed with caution.
Example of limiting the permissions of the regular service role
You can create a custom RAM policy, define finer-grained permissions in the policy, and then attach the policy to the regular service role to limit the permissions of the role.
Add a tag to a bucket.
You can add tags to buckets and manage the permissions on the buckets based on the tags. For more information, see Manage bucket tags.
Log on to the OSS console.
In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.
In the left-side navigation tree, choose .
On the Bucket Tagging page, click Create Tag.
Add a tag to the bucket.
Create a custom RAM policy. For more information, see the "Create a custom policy on the JSON tab" section of the Create custom policies topic.
In the policy, you can define the bucket in the Resource element or specify the tag in the Condition element. The following code provides an example:
{ "Version": "1", "Statement": [ { "Action": [ "oss:GetObject", "oss:GetObjectMetadata", "oss:GetObjectMeta" ], "Resource": [ "acs:oss:*:193248xxxxxxx:*" ], "Effect": "Allow", "Condition": { "StingEquals": { "oss:BuckteTag/key1":"value1" } } } ] }Attach the custom RAM policy to the AliyunElasticsearchAccessingOSSRole role.
FAQ
Q: Why is the ElasticsearchNoPermissionForCurrentBucket error code returned when I call API operations such as UpdateDict, UpdateHotIkDicts, UpdateSynonymsDicts, and UpdateAliwsDict?
A: For Elasticsearch clusters deployed in the cloud-native control architecture, such as Elasticsearch clusters of V7.16, V8.5, or V8.9, only the regular service role for Elasticsearch can be used to enable the clusters to read dictionary files stored in OSS. The clusters cannot access public-read buckets. You need complete authorization on the authorization page. The regular service role is required in the following scenarios: OSS-based synonym dictionary update, standard update and rolling update of IK dictionaries, and dictionary update for the analysis-aliws plug-in.