DEV Community

Cover image for How to Seamlessly Integrate OSS with Alibaba Cloud Elasticsearch Using Regular Service Roles
A_Lucas
A_Lucas

Posted on

How to Seamlessly Integrate OSS with Alibaba Cloud Elasticsearch Using Regular Service Roles

Overview

Regular service roles are a type of RAM role that authorizes Alibaba Cloud services to access each other securely. This guide provides a step-by-step approach to creating and managing a regular service role for Alibaba Cloud Elasticsearch to upload plug-ins or dictionary files from your Object Storage Service (OSS) securely.

What is a Regular Service Role?

A regular service role in Alibaba Cloud is a RAM role authorized to act on behalf of other Alibaba Cloud services. This role ensures seamless and secure integration between two Alibaba Cloud services without changing public read permissions.

Step 1: Create a Regular Service Role

If the regular service role does not exist when you upload a dictionary via an OSS URL, you must create this role and attach the required policy.

  1. Trusted Service Name: elasticsearch.aliyuncs.com
  2. Role Name: AliyunElasticsearchAccessingOSSRole
  3. Policy Name: AliyunElasticsearchAccessingOSSRolePolicy

Policy Document:

1{
2  "Version": "1",
3  "Statement": [
4    {
5      "Action": [
6        "oss:GetObject",
7        "oss:GetObjectMetadata",
8        "oss:GetObjectMeta"
9      ],
10      "Resource": "*",
11      "Effect": "Allow"
12    }
13  ]
14}
Enter fullscreen mode Exit fullscreen mode

Step 2: Attach the Policy to the Regular Service Role

Log in to the RAM console and attach the above policy to the AliyunElasticsearchAccessingOSSRole. This enables Elasticsearch to assume this role to access files in the OSS URL and update dictionaries based on the file, ensuring data security.

Example of Limiting the Permissions of the Regular Service Role

To create more secure and granulated permissions, you can create a custom RAM policy and attach it to the regular service role.

Example Custom Policy

1{
2  "Version": "1",
3  "Statement": [
4    {
5      "Action": [
6        "oss:GetObject",
7        "oss:GetObjectMetadata",
8        "oss:GetObjectMeta"
9      ],
10      "Resource": [
11        "acs:oss:*:193248xxxxxxx:*"
12      ],
13      "Effect": "Allow",
14      "Condition": {
15        "StringEquals": {
16          "oss:BucketTag/key1":"value1"
17        }
18      }
19    }
20  ]
21}
Enter fullscreen mode Exit fullscreen mode

Adding Tags to a Bucket

To manage permissions efficiently, you can add tags to buckets and control access based on these tags.

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. Find and click the desired bucket.
  3. Choose Bucket Settings > Bucket Tagging from the left-side navigation tree.
  4. On the Bucket Tagging page, click Create Tag and add the desired tag to the bucket.

Uploading a Dictionary File

To upload a dictionary file from OSS:

  1. Log in to the Elasticsearch console.
  2. Use the OSS URL of the file to upload the plug-in or dictionary file.

Deleting the Regular Service Role

If you need to delete the regular service role, you can do so in the RAM console. Note that after deletion, features depending on this role will cease to function.
For more detailed information, visit RAM role overview and Alibaba Cloud Elasticsearch.

FAQ

Q: Why is the ElasticsearchNoPermissionForCurrentBucket error received during operations like UpdateDict or UpdateHotIkDicts?

A: For Elasticsearch clusters using the cloud-native control architecture, only the regular service role for Elasticsearch can enable the clusters to read dictionary files stored in OSS. You must complete the authorization on the authorization page. This role is necessary for scenarios such as updating OSS-based synonym dictionaries, standard rolling updates of IK dictionaries, and dictionary updating for the analysis-aliws plug-in.

Conclusion

Using regular service roles ensures secure and efficient integration between Alibaba Cloud Elasticsearch and OSS, allowing you to upload and manage dictionary files seamlessly without compromising on data security.

Ready to start your journey with Elasticsearch on Alibaba Cloud? Explore our tailored Cloud solutions and services to take the first step towards transforming your data into a visual masterpiece.

Please Click here, Embark on Your 30-Day Free Trial

Top comments (0)