OpenSearch: Service-linked role for OpenSearch

Last Updated: Apr 01, 2026

AliyunServiceRoleForOpenSearch is a Resource Access Management (RAM) service-linked role that grants OpenSearch permission to access your database data sources on your behalf.

How it works

When you configure a data source in OpenSearch (such as ApsaraDB RDS, PolarDB, or PolarDB-X), OpenSearch needs to read database metadata and update IP whitelists to establish the connection. OpenSearch uses the AliyunServiceRoleForOpenSearch role to obtain the permissions required to access these data sources. For more information, see Service-linked roles.

Permissions

The role is bound to the AliyunServiceRolePolicyForOpenSearch policy, which grants the following permissions:

| Service | Actions |
| --- | --- |
| ApsaraDB RDS | DescribeDBInstanceAttribute, DescribeDBInstances, DescribeDatabases, DescribeDBInstanceIPArrayList, DescribeAccounts, DescribeAbnormalDBInstances, ModifySecurityIps, DescribeResourceUsage |
| PolarDB | DescribeDBClusterAttribute, DescribeDBClusterEndpoints, ModifyDBClusterAccessWhitelist, DescribeDBClusterAccessWhitelist, DescribeDBClusterParameters |
| DRDS (PolarDB-X) | DescribeDrdsInstance, ModifyDrdsIpWhiteList, DescribeDrdsDBIpWhiteList, DescribeRdsList, DescribeDrdsDB |
| Data Transmission Service (DTS) | ConfigureSubscriptionInstance, CreateConsumerGroup, StartSubscriptionInstance, DescribeSubscriptionInstanceStatus, DescribeConsumerGroup, DeleteConsumerGroup |
| RAM | DeleteServiceLinkedRole (restricted to opensearch.aliyuncs.com) |

Every statement uses Resource: "*" with Effect: Allow. Only the RAM statement is narrowed further: a Condition restricts it to the OpenSearch service (ram:ServiceName equal to opensearch.aliyuncs.com).

Full policy JSON:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeDBInstances",
                "rds:DescribeDatabases",
                "rds:DescribeDBInstanceIPArrayList",
                "rds:DescribeAccounts",
                "rds:DescribeAbnormalDBInstances",
                "rds:ModifySecurityIps",
                "rds:DescribeResourceUsage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterAttribute",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:ModifyDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterParameters"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrdsInstance",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeDrdsDBIpWhiteList",
                "drds:DescribeRdsList",
                "drds:DescribeDrdsDB"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dts:ConfigureSubscriptionInstance",
                "dts:CreateConsumerGroup",
                "dts:StartSubscriptionInstance",
                "dts:DescribeSubscriptionInstanceStatus",
                "dts:DescribeConsumerGroup",
                "dts:DeleteConsumerGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "opensearch.aliyuncs.com"
                }
            }
        }
    ]
}
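
The following Python script is an added example, not part of the original documentation. It walks the policy above and lists each allowed action that changes state, noting whether it is granted on all resources and whether a Condition narrows it. Treating the Describe/Get/List/Query prefixes as read-only is an assumption of this example.

```python
# Added example: audit of the policy JSON shown on this page.
# Assumption: verbs starting with these prefixes are read-only (this example's
# own naming heuristic, not an Alibaba Cloud classification).
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Query")

# Policy copied from this page (whitespace condensed, values unchanged).
POLICY = {"Version": "1", "Statement": [
    {"Action": ["rds:DescribeDBInstanceAttribute", "rds:DescribeDBInstances",
                "rds:DescribeDatabases", "rds:DescribeDBInstanceIPArrayList",
                "rds:DescribeAccounts", "rds:DescribeAbnormalDBInstances",
                "rds:ModifySecurityIps", "rds:DescribeResourceUsage"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["polardb:DescribeDBClusterAttribute", "polardb:DescribeDBClusterEndpoints",
                "polardb:ModifyDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterParameters"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["drds:DescribeDrdsInstance", "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeDrdsDBIpWhiteList", "drds:DescribeRdsList",
                "drds:DescribeDrdsDB"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["dts:ConfigureSubscriptionInstance", "dts:CreateConsumerGroup",
                "dts:StartSubscriptionInstance", "dts:DescribeSubscriptionInstanceStatus",
                "dts:DescribeConsumerGroup", "dts:DeleteConsumerGroup"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "opensearch.aliyuncs.com"}}},
]}

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def state_changing_grants(policy):
    """Return (action, wildcard_resource, conditioned) per allowed non-read action."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in as_list(stmt.get("Resource", []))
        conditioned = bool(stmt.get("Condition"))
        for action in as_list(stmt["Action"]):
            if not action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES):
                findings.append((action, wildcard, conditioned))
    return findings

if __name__ == "__main__":
    for action, wildcard, conditioned in state_changing_grants(POLICY):
        print(action, "resource=*" if wildcard else "scoped", "conditioned" if conditioned else "unconditioned")
```

On this policy the script reports eight state-changing actions, seven of them unconditioned on all resources, including the three whitelist-modifying actions that correspond to the IP whitelist updates described under How it works.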

Delete the service-linked role

Before deleting AliyunServiceRoleForOpenSearch, you must release the application that is associated with this service-linked role.

To delete the role, follow the instructions in the Delete a service-linked role section of the "Service-linked roles" topic.