A_Lucas
Leveraging Regular Service Role for Secured Alibaba Cloud Elasticsearch Integrations

Introduction

If you want to upload a plug-in or dictionary file that is stored in Object Storage Service (OSS) through the Elasticsearch console, you can reference the file by its OSS URL. For this to work, Alibaba Cloud Elasticsearch needs a regular service role that authorizes it to read the file from that URL, so you do not have to loosen the permissions on the OSS bucket itself.

Overview of Regular Service Role

What is a Regular Service Role?

A regular service role is a RAM role whose trusted entity is an Alibaba Cloud service. These roles facilitate authorized access across different Alibaba Cloud services. For more details, refer to the RAM role overview.

Creating and Using the Regular Service Role

If the regular service role does not exist when you upload a dictionary via the OSS URL, you need to create the role and attach the required policy. Elasticsearch then assumes the role to fetch the file, which is considerably safer than making the OSS bucket publicly readable: the bucket stays private, and only the service role (not anonymous users) gains read access. Note that the default policy below grants read access to every bucket in the account (Resource "*"); the section Limiting Permissions of the Regular Service Role shows how to narrow it.

Role Details

  • Trusted Service Name: elasticsearch.aliyuncs.com
  • Role Name: AliyunElasticsearchAccessingOSSRole
  • Policy Name: AliyunElasticsearchAccessingOSSRolePolicy
  • Policy Document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectMetadata",
        "oss:GetObjectMeta"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Deleting the Regular Service Role

You can delete the regular service role in the RAM console. However, note that deleting this role will disable features dependent on it. For more information, see Delete a RAM role.

Limiting Permissions of the Regular Service Role

To define finer-grained permissions, create a custom RAM policy and attach it to the role.

Adding a Tag to a Bucket

Bucket tags can be referenced in a RAM policy condition, so you can grant the role read access only to buckets that carry a specific tag instead of naming each bucket. Here is how to add a tag to a bucket:

1) Log on to the OSS console.

2) Navigate to Buckets > Bucket Settings > Bucket Tagging.

3) Click Create Tag and add the desired tag.

Creating a Custom RAM Policy

Create a custom policy that either restricts the Resource element to the specific bucket, or, as in the example below, keeps the account-wide Resource and adds a Condition that matches only buckets carrying the tag (193248xxxxxxx is a placeholder for your own account ID):

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectMetadata",
        "oss:GetObjectMeta"
      ],
      "Resource": [
        "acs:oss:*:193248xxxxxxx:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "oss:BucketTag/key1":"value1"
        }
      }
    }
  ]
}

Attach this custom policy to the AliyunElasticsearchAccessingOSSRole role. Once it is attached, detach the default AliyunElasticsearchAccessingOSSRolePolicy as well; RAM grants access if any attached policy allows the request, so leaving the default policy in place would keep its Resource "*" grant in effect and make the narrower policy ineffective.
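To see why narrowing matters, the following added example (not code from the original post or from Alibaba Cloud) feeds both policies from this page into a small policy evaluator and checks which buckets the role could read under each. The evaluator is a simplified model of RAM evaluation (glob matching on Action and Resource, only the StringEquals operator, explicit Deny over Allow over implicit Deny), not the real RAM engine; the bucket inventory, tags and the second account ID 111111111111 are constructed for the illustration.

```python
import fnmatch
import json

# Default policy the page attaches to AliyunElasticsearchAccessingOSSRole.
DEFAULT_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["oss:GetObject", "oss:GetObjectMetadata", "oss:GetObjectMeta"],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
""")

# Scoped custom policy from the page; 193248xxxxxxx is the page's account-ID placeholder.
ACCOUNT_ID = "193248xxxxxxx"
SCOPED_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["oss:GetObject", "oss:GetObjectMetadata", "oss:GetObjectMeta"],
      "Resource": ["acs:oss:*:193248xxxxxxx:*"],
      "Effect": "Allow",
      "Condition": {"StringEquals": {"oss:BucketTag/key1": "value1"}}
    }
  ]
}
""")

# Constructed sample inventory (not real buckets): bucket name -> (owner account, tags).
BUCKETS = {
    "es-dicts":        (ACCOUNT_ID, {"key1": "value1"}),      # tagged for Elasticsearch
    "finance-backups": (ACCOUNT_ID, {"env": "prod"}),         # same account, no key1 tag
    "partner-dicts":   ("111111111111", {"key1": "value1"}),  # tagged, but another account
}

def resource_arn(bucket, obj):
    owner, _ = BUCKETS[bucket]
    return f"acs:oss:*:{owner}:{bucket}/{obj}"

def request_context(bucket):
    """Condition keys RAM would derive from the target bucket's tags."""
    _, tags = BUCKETS[bucket]
    return {f"oss:BucketTag/{k}": v for k, v in tags.items()}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    # Only StringEquals is modelled; refuse anything else rather than silently allowing it.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        if any(ctx.get(key) != expected for key, expected in pairs.items()):
            return False
    return True

def evaluate(policy, action, resource, ctx):
    """Simplified RAM-style evaluation: explicit Deny wins; otherwise Allow if any
    statement matches action, resource (glob) and condition; otherwise implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def can_read(policy, bucket, obj="ik/main.dic"):
    return evaluate(policy, "oss:GetObject", resource_arn(bucket, obj), request_context(bucket)) == "Allow"

def can_write(policy, bucket, obj="ik/main.dic"):
    return evaluate(policy, "oss:PutObject", resource_arn(bucket, obj), request_context(bucket)) == "Allow"

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("scoped", SCOPED_POLICY)):
        for bucket in BUCKETS:
            print(f"{name:8} {bucket:16} read={can_read(policy, bucket)!s:5} write={can_write(policy, bucket)}")
```

Under the default policy the role can read from every bucket in the inventory, including finance-backups and the other account's partner-dicts, because Resource "*" carries no account or tag restriction. Under the scoped policy only es-dicts is readable: finance-backups fails the oss:BucketTag/key1 condition, and partner-dicts fails the Resource match because its ARN belongs to a different account. Neither policy allows oss:PutObject, which is the least-privilege shape you want for a role that only loads dictionaries.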

FAQ

Why is the ElasticsearchNoPermissionForCurrentBucket error returned?

For Elasticsearch clusters deployed in the cloud-native control architecture (for example, versions V7.16, V8.5, or V8.9), the regular service role is the only way for the cluster to read dictionary files stored in OSS. If the role is missing or its policy does not cover the bucket, the console returns ElasticsearchNoPermissionForCurrentBucket; make sure the authorization on the authorization page is complete. This role is required for:

  • OSS-based synonym dictionary updates
  • Standard and rolling updates of IK dictionaries
  • Dictionary updates for the analysis-aliws plugin

Conclusion

Implementing a regular service role in Alibaba Cloud Elasticsearch lets the cluster read plug-in and dictionary files from OSS without exposing the bucket publicly, and a custom policy scoped to a bucket or a bucket tag keeps that access to the minimum the feature needs. Ready to start your journey with Elasticsearch on Alibaba Cloud? Explore our tailored Cloud solutions and services to transform your data into a visual masterpiece.
