In Alibaba Cloud Elasticsearch (ES), several operations require ES to access the resources of other cloud services by assuming a RAM role (a service-linked role): enabling private network access to Kibana or an instance through a PrivateLink endpoint, managing Beats shippers, backing up or restoring data manually, and using the cluster auto scaling feature. When you perform one of these operations and the corresponding service-linked role does not exist yet, the system creates it for you automatically. This topic describes the service-linked roles of ES and ES Serverless and explains how to delete a service-linked role.
Scenarios
The service-linked roles are used in the following scenarios:
AliyunServiceRoleForElasticsearch: when you need to access the nodes or Kibana of a cloud-native managed ES instance from within your VPC.
AliyunServiceRoleForElasticsearchCollector: when you create and manage Beats shippers.
AliyunServiceRoleForElasticsearchOSS: when you back up or restore data manually and use the automatic authorization feature to associate a custom OSS bucket.
AliyunServiceRoleForElasticsearchOps: when you run cluster auto scaling tasks.
AliyunServiceRoleForESServerless: when you enable private network access for an ES Serverless application or its Kibana.
For details about service-linked roles, see Service-linked roles.
ES service-linked roles
ES服務關聯角色介紹
AliyunServiceRoleForElasticsearch
When you need to access the nodes or Kibana of a cloud-native managed ES instance from within a VPC and no role with the permissions to perform the task exists, ES automatically creates the role (a service-linked role) and grants it the required permissions. ES assumes this role to call the PrivateLink and ECS network configuration APIs, creates resources such as the VPC endpoint for you, and completes the related configuration so that Kibana and the instance can be reached over the private network. The role is described below:
Role name: AliyunServiceRoleForElasticsearch
Policy name: AliyunServiceRolePolicyForElasticsearch
Policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:AssignIpv6Addresses",
"ecs:AssignPrivateIpAddresses",
"ecs:AttachNetworkInterface",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:CreateNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:CreateSecurityGroup",
"ecs:DeleteNetworkInterface",
"ecs:DeleteSecurityGroup",
"ecs:DescribeInstanceAttribute",
"ecs:DescribeInstances",
"ecs:DescribeNetworkInterfaceAttribute",
"ecs:DescribeNetworkInterfaces",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeSecurityGroups",
"ecs:DetachNetworkInterface",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:ModifySecurityGroupAttribute",
"ecs:ModifySecurityGroupEgressRule",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupRule",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:UnassignIpv6Addresses",
"ecs:UnassignPrivateIpAddresses"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"pvtz:AddZone",
"pvtz:AddZoneRecord",
"pvtz:DeleteZone",
"pvtz:DeleteZoneRecord",
"pvtz:DescribeZoneRecords",
"pvtz:UpdateZoneRecord"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVSwitches"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AttachSecurityGroupToVpcEndpoint",
"privatelink:DetachSecurityGroupFromVpcEndpoint",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"privatelink:DeleteVpcEndpoint"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "elasticsearch.aliyuncs.com"
}
}
}
]
}
Service name: elasticsearch.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
AliyunServiceRoleForElasticsearchCollector
When you create and manage Beats shippers and no role with the permissions to perform the task exists, ES automatically creates the role (a service-linked role) and grants it the required permissions. ES assumes this role to call OpenAPI operations and complete the data collection tasks of Beats shippers on the target ECS instances or Container Service for Kubernetes (ACK) nodes. The role is described below:
Role name: AliyunServiceRoleForElasticsearchCollector
Policy name: AliyunServiceRolePolicyForElasticsearchCollector
Policy document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oos:CancelExecution",
        "oos:DeleteExecutions",
        "oos:GenerateExecutionPolicy",
        "oos:GetExecutionTemplate",
        "oos:ListExecutionLogs",
        "oos:ListExecutions",
        "oos:ListTaskExecutions",
        "oos:NotifyExecution",
        "oos:StartExecution",
        "oos:ListTagResources",
        "oos:TagResources",
        "oos:UntagResources",
        "oos:CreateTemplate",
        "oos:DeleteTemplate",
        "oos:GetTemplate",
        "oos:ListExecutionRiskyTasks",
        "oos:ListTemplates",
        "oos:UpdateTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cs:GetUserConfig",
        "cs:GetClusters",
        "cs:GetClusterById"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "collector.elasticsearch.aliyuncs.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunoosaccessingecs4esrole",
      "Condition": {
        "StringEquals": {
          "acs:Service": "oos.aliyuncs.com"
        }
      }
    }
  ]
}
Service name: collector.elasticsearch.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
AliyunServiceRoleForElasticsearchOSS
When you need to back up data to or restore data from your own OSS bucket and no role with the permissions to perform the task exists, ES automatically creates the role (a service-linked role) and grants it the required permissions. ES assumes this role to access your OSS bucket through OpenAPI and complete the backup or restore task. The role is described below:
Role name: AliyunServiceRoleForElasticsearchOSS
Policy name: AliyunServiceRolePolicyForElasticsearchOSS
Policy document:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:GetObjectMeta",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:es-alicloud-*/*",
"acs:oss:*:*:es-alicloud-*",
"acs:oss:*:*:*/*es-alicloud*/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject",
"oss:GetObjectMeta",
"oss:GetObjectVersion",
"oss:GetObjectVersionTagging",
"oss:DeleteObject",
"oss:PutObject",
"oss:GetBucketVersioning",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"oss:BucketTag/es-alicloud": [
"es-alicloud"
]
}
}
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "oss.elasticsearch.aliyuncs.com"
}
}
}
]
}
Service name: oss.elasticsearch.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
AliyunServiceRoleForElasticsearchOps
When you run cluster auto scaling tasks and no role with the permissions to perform the task exists, ES automatically creates the role (a service-linked role) and grants it the required permissions. ES assumes this role to call the auto scaling OpenAPI operations and scales the cluster in or out at the time you configured. The role is described below:
Role name: AliyunServiceRoleForElasticsearchOps
Policy name: AliyunServiceRolePolicyForElasticsearchOps
Policy document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "elasticsearch:ListInstance",
        "elasticsearch:DescribeInstance",
        "elasticsearch:UpdateInstance",
        "elasticsearch:UpdateInstanceSettings",
        "elasticsearch:RestartInstance",
        "elasticsearch:RollbackInstance",
        "elasticsearch:DowngradeInstance",
        "elasticsearch:CancelTask",
        "elasticsearch:DeactivateZones",
        "elasticsearch:ActivateZones",
        "elasticsearch:MigrateToOtherZone",
        "elasticsearch:ResumeElasticsearchTask",
        "elasticsearch:InterruptElasticsearchTask",
        "elasticsearch:UpdateAdvancedSetting",
        "elasticsearch:UpgradeInstanceEngineVersion",
        "elasticsearch:UpdateWhiteIps",
        "elasticsearch:UpdatePublicIps",
        "elasticsearch:ModifyWhiteIps",
        "elasticsearch:TriggerNetwork",
        "elasticsearch:UpdateTemplate",
        "elasticsearch:DescribeLogstash",
        "elasticsearch:UpdateLogstash",
        "elasticsearch:RestartLogstash",
        "elasticsearch:UpdateLogstashSettings",
        "elasticsearch:InterruptLogstashTask",
        "elasticsearch:ResumeLogstashTask",
        "elasticsearch:DowngradeLogstash"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ops.elasticsearch.aliyuncs.com"
        }
      }
    }
  ]
}
Service name: ops.elasticsearch.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
ES Serverless service-linked role
AliyunServiceRoleForESServerless
When you enable private network access for an ES Serverless application or its Kibana and no role with the permissions to perform the task exists, the ES Serverless service automatically creates the role (a service-linked role) and grants it the required permissions. The ES Serverless service assumes this role to call the PrivateLink API and create the VPC endpoint so that you can access the application or Kibana from within your VPC. The role is described below:
Role name: AliyunServiceRoleForESServerless
Policy name: AliyunServiceRolePolicyForESServerless
Policy document:
{
"Version": "1",
"Statement": [{
"Action": [
"privatelink:CreateVpcEndpoint",
"privatelink:DeleteVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:OpenPrivateLinkService",
"privatelink:CheckProductOpen",
"privatelink:UpdateVpcEndpointAttribute",
"privatelink:GetVpcEndpointAttribute",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:ListVpcEndpointSecurityGroups",
"privatelink:AttachSecurityGroupToVpcEndpoint",
"privatelink:DetachSecurityGroupFromVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"vpc:DescribeVpcs",
"vpc:DescribeVpcAttribute",
"vpc:DescribeVSwitches",
"vpc:DescribeVSwitchAttributes"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "es-serverless.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
}
]
}
Service name: es-serverless.aliyuncs.com
User permission required to perform service-linked role operations: ram:CreateServiceLinkedRole
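The policies above follow one pattern: broad Allow statements on Resource "*", some of them narrowed by a Condition (OSS bucket name or tag, the PassRole target, the ram:ServiceName of the role itself). The following helper is an added example, not code from the Alibaba Cloud documentation, that reviews a policy document of this shape: it lists the actions granted on "*" with no Condition, and checks that ram:DeleteServiceLinkedRole is conditioned on the role's own service name. The sample policy is a constructed, trimmed stand-in for AliyunServiceRolePolicyForElasticsearchOSS.

```python
import json

# Constructed sample in the shape of the page's service-linked role policies
# (trimmed stand-in, not the full AliyunServiceRolePolicyForElasticsearchOSS).
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
     "Resource": ["acs:oss:*:*:es-alicloud-*/*", "acs:oss:*:*:es-alicloud-*"]},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"], "Resource": "*",
     "Condition": {"StringEquals": {"oss:BucketTag/es-alicloud": ["es-alicloud"]}}},
    {"Effect": "Allow", "Action": "vpc:DescribeVSwitches", "Resource": "*"},
    {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "oss.elasticsearch.aliyuncs.com"}}}
  ]
}
""")


def _as_list(value):
    # RAM policies allow a single string or a list for Action/Resource/condition values.
    return value if isinstance(value, list) else [value]


def unscoped_grants(policy):
    """Actions allowed on Resource "*" with no Condition at all: the grants to read most carefully."""
    found = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or statement.get("Condition"):
            continue
        if "*" in _as_list(statement["Resource"]):
            found.extend(_as_list(statement["Action"]))
    return sorted(found)


def delete_slr_is_self_scoped(policy, service_name):
    """True if every ram:DeleteServiceLinkedRole grant is conditioned on exactly the role's own ram:ServiceName."""
    for statement in policy["Statement"]:
        if "ram:DeleteServiceLinkedRole" not in _as_list(statement["Action"]):
            continue
        condition = statement.get("Condition", {}).get("StringEquals", {})
        if _as_list(condition.get("ram:ServiceName", [])) != [service_name]:
            return False
    return True


if __name__ == "__main__":
    print("unconditioned wildcard grants:", unscoped_grants(SAMPLE_POLICY))
    print("delete scoped to own service:", delete_slr_is_self_scoped(SAMPLE_POLICY, "oss.elasticsearch.aliyuncs.com"))
```

Run it over any of the policy documents on this page (pasted into SAMPLE_POLICY) to see which statements are bounded only by the service's own behaviour rather than by a resource ARN or condition key.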
Delete a service-linked role
Before you delete a service-linked role, delete all tasks or devices that depend on it. For the steps, see Delete a service-linked role.
FAQ
Q: Why can't my RAM user create the ES service-linked roles?
A: Only the Alibaba Cloud account or a RAM user that has the CreateServiceLinkedRole permission can create or delete service-linked roles. If the service-linked role cannot be created automatically for a RAM user, attach the following policy to the RAM user manually. For the steps, see Grant permissions to a RAM user.
{
"Version": "1",
"Statement": [
{
"Action": "elasticsearch:InitializeOperationRole",
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"XXX.aliyuncs.com"
]
}
}
}
]
}
Replace the value 133071096032**** in Resource with your Alibaba Cloud account ID. To obtain the account ID, move the pointer over the profile picture in the upper-right corner of the console.
Replace the value XXX.aliyuncs.com in ram:ServiceName with the ram:ServiceName of the corresponding service-linked role:
AliyunServiceRoleForElasticsearch (enable private network access to Kibana for an ES instance): elasticsearch.aliyuncs.com
AliyunServiceRoleForElasticsearchCollector (create and manage Beats shippers): collector.elasticsearch.aliyuncs.com
AliyunServiceRoleForElasticsearchOSS (back up and restore data manually): oss.elasticsearch.aliyuncs.com
AliyunServiceRoleForElasticsearchOps (run auto scaling tasks): ops.elasticsearch.aliyuncs.com
Q: Why can't my RAM user create the ES Serverless service-linked role AliyunServiceRoleForESServerless?
A: Only the Alibaba Cloud account or a RAM user that has the CreateServiceLinkedRole permission can automatically create or delete service-linked roles. If the RAM user cannot create the service-linked role, use the Alibaba Cloud account to attach the following policy to the RAM user. For the steps, see Grant permissions to a RAM user.
{
"Statement": [
{
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "acs:ram:*:133071096032****:role/*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"XXX.aliyuncs.com"
]
}
}
}
],
"Version": "1"
}
Replace the value 133071096032**** in Resource with your Alibaba Cloud account ID. To obtain the account ID, move the pointer over the profile picture in the upper-right corner of the console.
Replace the value XXX.aliyuncs.com in ram:ServiceName with the ram:ServiceName of the AliyunServiceRoleForESServerless service-linked role, which is es-serverless.aliyuncs.com.
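Both FAQ answers hand the RAM user a policy in which the account ID and the ram:ServiceName must be filled in by hand, and a placeholder left in place or a wrong service name silently produces a grant that does not work or is wider than intended. The following builder is an added example, not code from the Alibaba Cloud documentation: it generates the RAM user policy for any of the five roles on this page, rejects the masked placeholder account ID, and keeps the ram:CreateServiceLinkedRole grant conditioned on exactly the requested service names. The 16-digit account ID format and the sample account ID are assumptions.

```python
import json
import re

# ram:ServiceName of each ES service-linked role, as listed on this page.
SERVICE_NAMES = {
    "AliyunServiceRoleForElasticsearch": "elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchCollector": "collector.elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchOSS": "oss.elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForElasticsearchOps": "ops.elasticsearch.aliyuncs.com",
    "AliyunServiceRoleForESServerless": "es-serverless.aliyuncs.com",
}

# Assumption: an Alibaba Cloud account ID is 16 decimal digits (the page shows it masked as 133071096032****).
ACCOUNT_ID_RE = re.compile(r"^\d{16}$")


def build_slr_grant_policy(account_id, role_names):
    """Build the policy a RAM user needs so the named service-linked roles can be created automatically.
    Mirrors the two FAQ policies: the ES roles also need elasticsearch:InitializeOperationRole,
    the Serverless role needs only ram:CreateServiceLinkedRole.
    Raises ValueError for a masked or malformed account ID, an unknown role name, or an empty list."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account_id must be the full 16-digit account ID, not the masked placeholder")
    if not role_names:
        raise ValueError("at least one service-linked role name is required")
    unknown = sorted(set(role_names) - set(SERVICE_NAMES))
    if unknown:
        raise ValueError(f"unknown service-linked role(s): {unknown}")
    resource = f"acs:ram:*:{account_id}:role/*"
    statements = []
    if any(name != "AliyunServiceRoleForESServerless" for name in role_names):
        statements.append({"Action": "elasticsearch:InitializeOperationRole",
                           "Resource": resource, "Effect": "Allow"})
    statements.append({
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": resource,
        "Effect": "Allow",
        # StringEquals on ram:ServiceName limits the grant to exactly these roles.
        "Condition": {"StringEquals": {
            "ram:ServiceName": sorted({SERVICE_NAMES[name] for name in role_names})}},
    })
    return {"Version": "1", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample account ID, not a real account.
    print(json.dumps(build_slr_grant_policy("1234567890123456", ["AliyunServiceRoleForElasticsearchOSS"]), indent=2))
```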