The Elasticsearch service-linked role AliyunServiceRoleForElasticsearchCollector is a RAM role that is used to create and manage Beats shippers and grant access permissions on other Alibaba Cloud services. This topic describes the use scenarios of the service-linked role and how to delete the role.
Background information
For more information about the service-linked role, see Service-linked roles.
Scenarios
When you create and manage a Beats shipper, you must use the service-linked role AliyunServiceRoleForElasticsearchCollector to authorize the shipper to perform specific operations on an Elastic Compute Service (ECS) instance or Container Service for Kubernetes (ACK) cluster.
Overview of AliyunServiceRoleForElasticsearchCollector
Elasticsearch can create and manage a Beats shipper only after it assumes a role that has the required permissions. If such a role does not exist, Elasticsearch automatically creates the service-linked role AliyunServiceRoleForElasticsearchCollector and grants the required permissions to the role. Elasticsearch assumes the role to call the related API operation and enables the Beats shipper to collect data from an ECS instance or ACK cluster. The following descriptions provide detailed information about the role:
- Role name: AliyunServiceRoleForElasticsearchCollector
- Name of the permission policy for the role: AliyunServiceRolePolicyForElasticsearchCollector
- Document of the permission policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:CancelExecution",
        "oos:DeleteExecutions",
        "oos:GenerateExecutionPolicy",
        "oos:GetExecutionTemplate",
        "oos:ListExecutionLogs",
        "oos:ListExecutions",
        "oos:ListTaskExecutions",
        "oos:NotifyExecution",
        "oos:StartExecution",
        "oos:ListTagResources",
        "oos:TagResources",
        "oos:UntagResources",
        "oos:CreateTemplate",
        "oos:DeleteTemplate",
        "oos:GetTemplate",
        "oos:ListExecutionRiskyTasks",
        "oos:ListTemplates",
        "oos:UpdateTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:GetUserConfig",
        "cs:GetClusters",
        "cs:GetClusterById"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}
- Service name: collector.elasticsearch.aliyuncs.com
- Permission required to create or delete the service-linked role: ram:CreateServiceLinkedRole
Delete the service-linked role
Before you delete the AliyunServiceRoleForElasticsearchCollector service-linked role, you must delete all the Beats shippers that depend on the role.
For more information about how to delete a service-linked role, see Delete a service-linked role.
FAQ
Q: Why am I unable to use my RAM user to create the Elasticsearch service-linked role?
- For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.
- You must replace the ID 133071096032**** specified in the Resource element with the ID of your Alibaba Cloud account. To obtain the ID of your Alibaba Cloud account, log on to the Alibaba Cloud Management Console and move the pointer over the profile picture in the upper-right corner. The ID of your Alibaba Cloud account is displayed.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "elasticsearch:InitializeOperationRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "collector.elasticsearch.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
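The following check is an added example, not part of the Alibaba Cloud documentation. It lints a filled-in copy of the policy above before you attach it to a RAM user: the masked account ID must be replaced, and ram:CreateServiceLinkedRole must stay limited to collector.elasticsearch.aliyuncs.com. The function names and the account ID 1234567890123456 are constructed for illustration.

```python
import json
import re

SERVICE = "collector.elasticsearch.aliyuncs.com"  # service name from this topic
ARN_RE = re.compile(r"^acs:ram:\*:(?P<account>[^:]+):role/\*$")  # Resource shape used in the FAQ policy

def as_list(value):
    """RAM policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def check_policy(policy_text):
    """Return a list of findings for a filled-in copy of the FAQ policy (hypothetical helper)."""
    findings, granted = [], set()
    for i, stmt in enumerate(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        granted.update(actions)
        for res in as_list(stmt.get("Resource")):
            m = ARN_RE.match(res)
            if not m:
                findings.append(f"statement {i}: unexpected Resource {res!r}")
            elif not re.fullmatch(r"\d+", m["account"]):
                findings.append(f"statement {i}: account ID in Resource is not numeric (placeholder left in?)")
        if "ram:CreateServiceLinkedRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if as_list(cond.get("ram:ServiceName")) != [SERVICE]:
                findings.append(f"statement {i}: ram:CreateServiceLinkedRole is not limited to {SERVICE}")
    for needed in ("elasticsearch:InitializeOperationRole", "ram:CreateServiceLinkedRole"):
        if needed not in granted:
            findings.append(f"missing action {needed}")
    return findings

def sample_policy(account, service=SERVICE):
    """Build the FAQ policy for a given account ID (constructed sample input)."""
    arn = f"acs:ram:*:{account}:role/*"
    return json.dumps({"Version": "1", "Statement": [
        {"Action": "elasticsearch:InitializeOperationRole", "Resource": arn, "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": arn, "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": as_list(service)}}},
    ]})

if __name__ == "__main__":
    print(check_policy(sample_policy("1234567890123456")))   # constructed account ID
    print(check_policy(sample_policy("133071096032****")))   # masked ID copied from the page
```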