
Alibaba Cloud Elasticsearch: Service-linked roles for Alibaba Cloud ES

Last updated: Jan 31, 2024

In Alibaba Cloud Elasticsearch (ES), operations such as enabling private network access to Kibana or to the service through a PrivateLink endpoint and managing Beats shippers require ES to access resources of other cloud services by assuming a RAM role (a service-linked role). If the corresponding service-linked role does not exist when you perform one of these operations, the system creates it for you automatically. This topic describes the ES service-linked roles and how to delete them.

Scenarios

Service-linked roles are used in the following scenarios:

  • AliyunServiceRoleForElasticsearch: enabling private network access to Kibana for a cloud-native-managed ES instance.

  • AliyunServiceRoleForElasticsearchCollector: creating and managing Beats shippers.

For more information about service-linked roles, see Service-linked roles.

ES service-linked roles

AliyunServiceRoleForElasticsearch

When you enable private network access to Kibana for a cloud-native-managed ES instance and no role with the permissions required for the task exists, ES automatically creates the role (a service-linked role) and grants it the required permissions. ES assumes this role to call the PrivateLink API, create an endpoint for you, and associate it with the Kibana of the instance, so that you can access Kibana from within your VPC. The role is described as follows:

  • Role name: AliyunServiceRoleForElasticsearch

  • Policy name: AliyunServiceRolePolicyForElasticsearch

  • Policy document:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:UpdateVpcEndpointAttribute",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:ListVpcEndpointSecurityGroups",
        "privatelink:AttachSecurityGroupToVpcEndpoint",
        "privatelink:DetachSecurityGroupFromVpcEndpoint",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}

  • Service name: elasticsearch.aliyuncs.com

  • User permission required for operations on the service-linked role: ram:CreateServiceLinkedRole

AliyunServiceRoleForElasticsearchCollector

When you create and manage Beats shippers and no role with the permissions required for the task exists, ES automatically creates the role (a service-linked role) and grants it the required permissions. ES assumes this role to call OpenAPI operations and complete data collection by Beats shippers on target ECS instances or Container Service for Kubernetes (ACK) nodes. The role is described as follows:

  • Role name: AliyunServiceRoleForElasticsearchCollector

  • Policy name: AliyunServiceRolePolicyForElasticsearchCollector

  • Policy document:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:CancelExecution",
        "oos:DeleteExecutions",
        "oos:GenerateExecutionPolicy",
        "oos:GetExecutionTemplate",
        "oos:ListExecutionLogs",
        "oos:ListExecutions",
        "oos:ListTaskExecutions",
        "oos:NotifyExecution",
        "oos:StartExecution",
        "oos:ListTagResources",
        "oos:TagResources",
        "oos:UntagResources",
        "oos:CreateTemplate",
        "oos:DeleteTemplate",
        "oos:GetTemplate",
        "oos:ListExecutionRiskyTasks",
        "oos:ListTemplates",
        "oos:UpdateTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:GetUserConfig",
        "cs:GetClusters",
        "cs:GetClusterById"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}

  • Service name: collector.elasticsearch.aliyuncs.com

  • User permission required for operations on the service-linked role: ram:CreateServiceLinkedRole

Delete a service-linked role

Before you delete a service-linked role, delete all tasks or devices that depend on it. For the procedure, see Delete a service-linked role.

FAQ

Q: Why can't my RAM user create the ES service-linked roles?

A: Only the Alibaba Cloud account itself, or a RAM user that has the CreateServiceLinkedRole permission, can create or delete service-linked roles. If a RAM user cannot automatically create a service-linked role, attach the following policy to the user manually. For the procedure, see Grant permissions to a RAM user.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "elasticsearch:InitializeOperationRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "acs:ram:*:133071096032****:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "XXX.aliyuncs.com"
                    ]
                }
            }
        }
    ]
}

  • Replace 133071096032**** in Resource with the ID of your Alibaba Cloud account.

    To obtain the account ID, move the pointer over the profile picture in the upper-right corner of the console; the account ID is displayed.

  • Replace XXX.aliyuncs.com in ram:ServiceName with the ram:ServiceName of the corresponding service-linked role:

    • AliyunServiceRoleForElasticsearch (enabling private network access to Kibana for an ES instance): elasticsearch.aliyuncs.com

    • AliyunServiceRoleForElasticsearchCollector (creating and managing Beats shippers): collector.elasticsearch.aliyuncs.com
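The two substitutions described above, carried out and then checked, as an added example that is not part of the original Alibaba Cloud documentation. The template is the FAQ policy as printed; the 16-digit account ID is a constructed sample value, and the audit rules are this example's reading of what the two role policies on this page have in common: every action that creates or deletes a service-linked role carries a ram:ServiceName condition, and ram:PassRole names one specific role and is conditioned on acs:Service. The same audit is run against a constructed careless copy that keeps the placeholders and drops the condition.

```python
"""Render the RAM-user policy from the FAQ template and audit the result.

Added example, not code from the Alibaba Cloud documentation. The account ID
used at the bottom is a constructed sample; the audit rules follow the scoping
pattern of the two role policies shown on this page.
"""
import json
import re

# ram:ServiceName of the two ES service-linked roles documented on this page.
ES_SERVICE_NAMES = {
    "AliyunServiceRoleForElasticsearch": "elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchCollector": "collector.elasticsearch.aliyuncs.com",
}

# The FAQ policy as printed, including its two placeholders.
FAQ_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {
      "Action": "elasticsearch:InitializeOperationRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "acs:ram:*:133071096032****:role/*",
      "Effect": "Allow",
      "Condition": {"StringEquals": {"ram:ServiceName": ["XXX.aliyuncs.com"]}}
    }
  ]
}"""
ACCOUNT_ID_PLACEHOLDER = "133071096032****"
SERVICE_NAME_PLACEHOLDER = "XXX.aliyuncs.com"
ROLE_MGMT_ACTIONS = {"ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole"}


def render_policy(account_id, role_name):
    """Fill both placeholders: the account ID and the ram:ServiceName of the role you need."""
    if not re.fullmatch(r"\d{16}", account_id):
        raise ValueError("an Alibaba Cloud account ID is 16 digits")
    service_name = ES_SERVICE_NAMES[role_name]  # KeyError for roles this page does not document
    text = FAQ_TEMPLATE.replace(ACCOUNT_ID_PLACEHOLDER, account_id)
    return json.loads(text.replace(SERVICE_NAME_PLACEHOLDER, service_name))


def _as_list(value):
    """Action, Resource and condition values may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings; an empty list means the policy is scoped the way the page's policies are."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # 1. Placeholders copied from the FAQ must have been replaced.
        if any(ACCOUNT_ID_PLACEHOLDER in r for r in resources):
            findings.append(f"statement {idx}: account ID placeholder left in Resource")
        if SERVICE_NAME_PLACEHOLDER in _as_list(equals.get("ram:ServiceName", [])):
            findings.append(f"statement {idx}: ram:ServiceName placeholder left in Condition")
        # 2. Creating or deleting service-linked roles must be limited to a named service.
        if actions & ROLE_MGMT_ACTIONS and not equals.get("ram:ServiceName"):
            findings.append(f"statement {idx}: service-linked role action without ram:ServiceName condition")
        # 3. ram:PassRole must name the role passed and the service allowed to receive it.
        if "ram:PassRole" in actions:
            if any(r == "*" or r.endswith("role/*") for r in resources):
                findings.append(f"statement {idx}: ram:PassRole on a wildcard role")
            if not equals.get("acs:Service"):
                findings.append(f"statement {idx}: ram:PassRole without acs:Service condition")
    return findings


# Constructed counter-example: the template copied with its placeholders intact and the
# condition on ram:CreateServiceLinkedRole dropped, as a careless copy would produce.
UNSCOPED_POLICY = json.loads(FAQ_TEMPLATE)
del UNSCOPED_POLICY["Statement"][1]["Condition"]

if __name__ == "__main__":
    rendered = render_policy("1234567890123456", "AliyunServiceRoleForElasticsearch")
    print(json.dumps(rendered, indent=2))
    print("rendered findings:", audit_policy(rendered))
    print("unscoped findings:", audit_policy(UNSCOPED_POLICY))
```

Run directly, the script prints the rendered policy with no findings, then the three findings for the careless copy (two leftover placeholders and an unconditioned ram:CreateServiceLinkedRole). audit_policy works on any parsed RAM policy document, so the same check can be applied to a policy before it is attached to a RAM user.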