
Elasticsearch service-linked roles

Last Updated: Jun 25, 2026

Alibaba Cloud Elasticsearch uses service-linked roles (SLRs) to access other Alibaba Cloud services on your behalf when you access Kibana or a cluster over a VPC through PrivateLink, manage Beats shippers, or create and restore manual snapshots. An SLR is a RAM role that only the named Alibaba Cloud service can assume and whose permission policy is defined by that service rather than by you. Elasticsearch creates each role automatically the first time it is needed, provided the caller is allowed to create it. This topic lists the Elasticsearch SLRs with their policies and explains how to delete them.

Scenarios

Elasticsearch uses the following service-linked roles:

  • AliyunServiceRoleForElasticsearch: Required for private access over your VPC (through PrivateLink) to Kibana or to the nodes of a cluster deployed in the cloud-native control architecture.

  • AliyunServiceRoleForElasticsearchCollector: Required to create and manage Beats shippers.

  • AliyunServiceRoleForElasticsearchOSS: Required to create or restore manual snapshots. Grants Elasticsearch access to the OSS buckets that store the snapshots (only buckets whose names start with es-alicloud- or that carry the es-alicloud bucket tag; see the policy below).

The Service-linked roles topic explains how SLRs work.

Role details

AliyunServiceRoleForElasticsearch

When you access Kibana or a node of a cluster deployed in the cloud-native control architecture over your VPC, Elasticsearch creates this SLR if it does not exist and then assumes it to call the PrivateLink, ECS, VPC, and PrivateZone (pvtz) APIs: it creates the VPC endpoint, the elastic network interfaces and security group rules the endpoint needs, and the private DNS zone records for VPC access. Note that the ECS, PrivateZone, and PrivateLink statements in the policy apply to Resource "*" with no condition, so the role can create and modify security groups, network interfaces, and private zone records anywhere in the account, not only those it created.

  • Role name: AliyunServiceRoleForElasticsearch

  • Policy name: AliyunServiceRolePolicyForElasticsearch

  • Policy document (the following policy applies to the China (Beijing), China (Shanghai), China (Hangzhou), China (Shenzhen), China (Zhangjiakou), and China (Qingdao) regions; other regions retain the original policy):

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AssignIpv6Addresses",
        "ecs:AssignPrivateIpAddresses",
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeSecurityGroups",
        "ecs:DetachNetworkInterface",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:UnassignIpv6Addresses",
        "ecs:UnassignPrivateIpAddresses"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:DescribeInstance",
        "elasticsearch:RunEsDiagnosticCommand"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:AddZone",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZone",
        "pvtz:DeleteZoneRecord",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:OpenPrivateLinkService",
        "privatelink:CheckProductOpen",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:DescribeAlertLogCount",
        "cms:DescribeAlertLogList",
        "cms:DescribeAlertLogHistogram",
        "cms:DescribeSubscriptionList",
        "cms:DescribeContactListByContactGroup",
        "cms:DescribeContactGroupList",
        "cms:DescribeContactList",
        "cms:PutContact",
        "cms:PutContactGroup",
        "cms:DescribeSystemEventHistogram",
        "cms:DescribeSystemEventMetaList",
        "cms:DescribeSystemEventAttribute",
        "cms:DescribeSystemEventCount",
        "cms:DescribeMetricList",
        "cms:DescribeMetricLast",
        "cms:DescribeMetricMetaList",
        "cms:DescribeConsoleViews",
        "cms:QueryMetricLast",
        "cms:QueryMetricList",
        "cms:DescribeMetricListFromProxy",
        "cms:DescribeMetricLastFromProxy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}

Compared with the policy for other regions, the policy for the preceding regions adds the following capabilities:

  • ES instance query and diagnostics: Adds elasticsearch permissions (ListInstance, DescribeInstance, and RunEsDiagnosticCommand) for querying and diagnosing ES instances.

  • CloudMonitor: Adds cms permissions (21 actions in total) for alert log queries, contact and contact group management (PutContact and PutContactGroup are write actions), system event queries, and metric data queries.

  • PrivateLink service activation: Adds privatelink:OpenPrivateLinkService and privatelink:CheckProductOpen, so the role can check whether PrivateLink is activated for the account and activate it if it is not.

The following policy applies to other regions:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:AssignIpv6Addresses",
        "ecs:AssignPrivateIpAddresses",
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstances",
        "ecs:DescribeNetworkInterfaceAttribute",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeSecurityGroups",
        "ecs:DetachNetworkInterface",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:UnassignIpv6Addresses",
        "ecs:UnassignPrivateIpAddresses"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:AddZone",
        "pvtz:AddZoneRecord",
        "pvtz:DeleteZone",
        "pvtz:DeleteZoneRecord",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
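The comparison above can be computed rather than checked by eye. The following script is an added example, not Alibaba Cloud code: it diffs two RAM policy documents per service prefix and lists the Allow statements that can change state on Resource "*" without a Condition, which is the question a reviewer asks of any SLR policy. It runs on constructed excerpts of the two policy variants shown on this page (the ECS and CloudMonitor action lists are cut down to a few entries), and its read-only heuristic (action names beginning with Describe, List, Get, Query or Check) is an assumption of the example, not a RAM attribute.

```python
from collections import defaultdict

# Constructed excerpts of the two AliyunServiceRolePolicyForElasticsearch
# variants on this page. The long ECS and CloudMonitor action lists are cut
# down to a few representative entries, so the diff covers the excerpt only.
ECS_SUBSET = {"Action": ["ecs:AuthorizeSecurityGroup", "ecs:DeleteSecurityGroup",
                         "ecs:DescribeSecurityGroups"], "Resource": "*", "Effect": "Allow"}
PVTZ = {"Action": ["pvtz:AddZone", "pvtz:AddZoneRecord", "pvtz:DeleteZone",
                   "pvtz:DeleteZoneRecord", "pvtz:DescribeZoneRecords",
                   "pvtz:UpdateZoneRecord"], "Resource": "*", "Effect": "Allow"}
PRIVATELINK_BASE = [
    "privatelink:CreateVpcEndpoint", "privatelink:ListVpcEndpoints",
    "privatelink:UpdateVpcEndpointAttribute", "privatelink:GetVpcEndpointAttribute",
    "privatelink:ListVpcEndpointSecurityGroups", "privatelink:AttachSecurityGroupToVpcEndpoint",
    "privatelink:DetachSecurityGroupFromVpcEndpoint", "privatelink:AddZoneToVpcEndpoint",
    "privatelink:RemoveZoneFromVpcEndpoint", "privatelink:ListVpcEndpointZones",
    "privatelink:DeleteVpcEndpoint"]
RAM_STMTS = [
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "privatelink.aliyuncs.com"}}},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "elasticsearch.aliyuncs.com"}}},
]
OTHER_REGIONS = {"Version": "1", "Statement": [
    ECS_SUBSET, PVTZ,
    {"Action": PRIVATELINK_BASE, "Resource": "*", "Effect": "Allow"},
    *RAM_STMTS]}
CHINA_REGIONS = {"Version": "1", "Statement": [
    ECS_SUBSET,
    {"Action": ["elasticsearch:ListInstance", "elasticsearch:DescribeInstance",
                "elasticsearch:RunEsDiagnosticCommand"], "Resource": "*", "Effect": "Allow"},
    PVTZ,
    {"Action": PRIVATELINK_BASE + ["privatelink:OpenPrivateLinkService",
                                   "privatelink:CheckProductOpen"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["cms:DescribeAlertLogList", "cms:PutContact", "cms:PutContactGroup",
                "cms:DescribeMetricList"], "Resource": "*", "Effect": "Allow"},  # 4 of the 21
    *RAM_STMTS]}

# Heuristic (an assumption of this example): action names with these prefixes
# only read state; every other action is treated as a mutation.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Query", "Check")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def actions_by_service(policy):
    """Map service prefix -> set of action names granted by Allow statements."""
    granted = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            granted[service].add(name)
    return granted


def diff_policies(old, new):
    """Per service, which actions `new` adds to or drops from `old`."""
    before, after = actions_by_service(old), actions_by_service(new)
    report = {}
    for service in sorted(set(before) | set(after)):
        added = after[service] - before[service]
        removed = before[service] - after[service]
        if added or removed:
            report[service] = {"added": sorted(added), "removed": sorted(removed)}
    return report


def unscoped_mutations(policy):
    """Actions in Allow statements that may change state on any resource with no Condition."""
    findings = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            if not action.partition(":")[2].startswith(READ_ONLY_PREFIXES):
                findings.add(action)
    return sorted(findings)


if __name__ == "__main__":
    for service, change in diff_policies(OTHER_REGIONS, CHINA_REGIONS).items():
        print(f"{service}: +{change['added']} -{change['removed']}")
    print("unconditioned writes on Resource '*':", unscoped_mutations(CHINA_REGIONS))
```

Run against the full policies from the page, the diff reports exactly the three differences listed above, and the mutation report is where a reviewer starts: the ram statements drop out because their ram:ServiceName condition scopes them, while the ecs, pvtz, privatelink, and cms:PutContact* entries remain because nothing scopes them.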

  • Service name: elasticsearch.aliyuncs.com

  • Permission required to create the role: ram:CreateServiceLinkedRole

AliyunServiceRoleForElasticsearchCollector

When you create or manage a Beats shipper, Elasticsearch creates this SLR if it does not exist and then assumes it to install and manage Beats on your ECS instances or ACK clusters. As the policy shows, it does this through CloudOps Orchestration Service (OOS) executions and templates, reads ECS instance and Cloud Assistant status, and reads ACK cluster information through the Container Service (cs) API. The ram:PassRole statement lets the role hand the aliyunoosaccessingecs4esrole role to OOS (and only to OOS, per the acs:Service condition), which is the role OOS then uses to run commands on the instances.

  • Role name: AliyunServiceRoleForElasticsearchCollector

  • Policy name: AliyunServiceRolePolicyForElasticsearchCollector

  • Policy document:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:CancelExecution",
        "oos:DeleteExecutions",
        "oos:GenerateExecutionPolicy",
        "oos:GetExecutionTemplate",
        "oos:ListExecutionLogs",
        "oos:ListExecutions",
        "oos:ListTaskExecutions",
        "oos:NotifyExecution",
        "oos:StartExecution",
        "oos:ListTagResources",
        "oos:TagResources",
        "oos:UntagResources",
        "oos:CreateTemplate",
        "oos:DeleteTemplate",
        "oos:GetTemplate",
        "oos:ListExecutionRiskyTasks",
        "oos:ListTemplates",
        "oos:UpdateTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:GetUserConfig",
        "cs:GetClusters",
        "cs:GetClusterById"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}

  • Service name: collector.elasticsearch.aliyuncs.com

  • Permission required to create the role: ram:CreateServiceLinkedRole

AliyunServiceRoleForElasticsearchOSS

When you create or restore a manual snapshot, Elasticsearch creates this SLR if it does not exist and then assumes it to read and write snapshot data in your OSS bucket. Unlike the other two roles, this policy is scoped by resource: the first statement covers buckets whose names start with es-alicloud- (and, per its third Resource pattern, objects whose key contains an es-alicloud path segment in any bucket), and the second covers any bucket that carries the bucket tag es-alicloud with the value es-alicloud. A snapshot repository that points at a bucket outside that scope fails with an access denied error from OSS, so either name the bucket with the es-alicloud- prefix or apply the tag.

  • Role name: AliyunServiceRoleForElasticsearchOSS

  • Policy name: AliyunServiceRolePolicyForElasticsearchOSS

  • Policy document:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionTagging",
        "oss:GetObjectMeta",
        "oss:DeleteObject",
        "oss:PutObject",
        "oss:GetBucketVersioning",
        "oss:GetBucketInfo",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:es-alicloud-*/*",
        "acs:oss:*:*:es-alicloud-*",
        "acs:oss:*:*:*/*es-alicloud*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:GetObjectMeta",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionTagging",
        "oss:DeleteObject",
        "oss:PutObject",
        "oss:GetBucketVersioning",
        "oss:GetBucketInfo",
        "oss:GetBucketAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "oss:BucketTag/es-alicloud": [
            "es-alicloud"
          ]
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}

  • Service name: oss.elasticsearch.aliyuncs.com

  • Permission required to create the role: ram:CreateServiceLinkedRole

Delete a service-linked role

Before you delete an SLR, delete the resources that still depend on it: for example, the VPC endpoints created for private access (AliyunServiceRoleForElasticsearch), the Beats shippers (AliyunServiceRoleForElasticsearchCollector), or the manual snapshot repositories that use OSS (AliyunServiceRoleForElasticsearchOSS). Otherwise those features lose access the moment the role is gone. For the procedure, see Delete an SLR.

FAQ

Q: Why am I unable to use my RAM user to create an Elasticsearch service-linked role?

A: Only the Alibaba Cloud account, or a RAM user that holds the ram:CreateServiceLinkedRole permission, can create or delete SLRs. Attach the following custom policy to the RAM user (see Grant permissions to RAM users). The ram:ServiceName condition limits the user to creating the one SLR you name rather than any SLR in the account, and elasticsearch:InitializeOperationRole lets the Elasticsearch console trigger the creation:

{
    "Version": "1",
    "Statement": [
        {
            "Action": "elasticsearch:InitializeOperationRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "XXX.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}

  • Replace 133071096032**** in the Resource element with your Alibaba Cloud account ID.

    To find your account ID, move the pointer over your profile picture in the upper-right corner of the console and view your Account ID.

  • Replace XXX.aliyuncs.com in ram:ServiceName with the service name of the target SLR:

    • AliyunServiceRoleForElasticsearch: elasticsearch.aliyuncs.com

    • AliyunServiceRoleForElasticsearchCollector: collector.elasticsearch.aliyuncs.com

    • AliyunServiceRoleForElasticsearchOSS: oss.elasticsearch.aliyuncs.com
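Two questions on this page come down to how RAM matches a request against a policy: which buckets AliyunServiceRoleForElasticsearchOSS can actually reach (its Resource patterns and bucket-tag condition), and which SLR a RAM user holding the grant policy above can create (its ram:ServiceName condition). The following evaluator is an added example, not Alibaba Cloud code or the real RAM engine: it implements default-deny evaluation with glob-style wildcard matching and StringEquals conditions only, and it runs on constructed excerpts of the OSS policy and the grant policy with a made-up account ID (1234567890123456) and elasticsearch.aliyuncs.com filled in. Wildcard semantics ('*' spanning any characters, '/' included) and the ARN forms used for the requests are assumptions of the example.

```python
import re

# Constructed excerpt of AliyunServiceRolePolicyForElasticsearchOSS (the two OSS
# statements on this page, with a shortened Action list) and of the FAQ grant
# policy with a made-up account ID and elasticsearch.aliyuncs.com filled in.
OSS_ACTIONS = ["oss:ListObjects", "oss:GetObject", "oss:PutObject", "oss:DeleteObject"]
OSS_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": OSS_ACTIONS,
     "Resource": ["acs:oss:*:*:es-alicloud-*/*", "acs:oss:*:*:es-alicloud-*",
                  "acs:oss:*:*:*/*es-alicloud*/*"]},
    {"Effect": "Allow", "Action": OSS_ACTIONS, "Resource": "*",
     "Condition": {"StringEquals": {"oss:BucketTag/es-alicloud": ["es-alicloud"]}}},
]}
GRANT_POLICY = {"Version": "1", "Statement": [
    {"Action": "ram:CreateServiceLinkedRole",
     "Resource": "acs:ram:*:1234567890123456:role/*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": ["elasticsearch.aliyuncs.com"]}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """RAM-style wildcard match. Assumed glob semantics: '*' spans any run of
    characters ('/' included), '?' one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """Only StringEquals is modelled; a key missing from the request fails the test."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, allowed in clauses.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default-deny evaluation: a matching Deny wins, otherwise any matching Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def oss_arn(bucket, key=None):
    # Assumed ARN form: acs:oss:*:*:bucket for the bucket, .../bucket/key for an object.
    return f"acs:oss:*:*:{bucket}" + (f"/{key}" if key else "")


def snapshot_bucket_reachable(bucket, tags=None):
    """Can the OSS SLR list the bucket and write a snapshot object into it?"""
    ctx = {f"oss:BucketTag/{k}": v for k, v in (tags or {}).items()}
    return (is_allowed(OSS_POLICY, "oss:ListObjects", oss_arn(bucket), ctx)
            and is_allowed(OSS_POLICY, "oss:PutObject", oss_arn(bucket, "snapshots/index-0"), ctx))


def can_create_slr(service_name):
    """Can a RAM user holding GRANT_POLICY create the SLR for `service_name`?"""
    return is_allowed(GRANT_POLICY, "ram:CreateServiceLinkedRole",
                      "acs:ram:*:1234567890123456:role/AliyunServiceRoleForElasticsearch",
                      {"ram:ServiceName": service_name})


if __name__ == "__main__":
    print(snapshot_bucket_reachable("es-alicloud-backups"))                      # name prefix
    print(snapshot_bucket_reachable("team-backups"))                             # no prefix, no tag
    print(snapshot_bucket_reachable("team-backups", {"es-alicloud": "es-alicloud"}))  # tag
    print(is_allowed(OSS_POLICY, "oss:GetObject",
                     oss_arn("team-data", "exports/es-alicloud/dump.json")))     # third pattern
    print(can_create_slr("elasticsearch.aliyuncs.com"), can_create_slr("oss.elasticsearch.aliyuncs.com"))
```

The fourth case is the one worth noticing: under the assumed wildcard semantics the pattern acs:oss:*:*:*/*es-alicloud*/* reaches an object in any bucket as long as its key contains an es-alicloud path segment, so bucket naming alone does not fence the role in. The last case shows why the FAQ policy asks for a specific service name: with elasticsearch.aliyuncs.com in the condition, the same user is refused when the console tries to create the OSS or Collector SLR, and you need a second entry in the ram:ServiceName list (or a second policy) for each additional role.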