Search with OpenSearch IAM Policies

Learn about the required IAM policies and permission details for Search with OpenSearch.

Service and User Permissions

To create or manage a cluster, you need to configure permissions that grant access for the service to create and manage the required Networking resources, in addition to user permissions to create and manage Search with OpenSearch resources. The Networking permissions need to be configured for the compartment that contains the Networking resources, so if the cluster is in a different compartment from the VCN and subnet, ensure that the Networking permissions are configured for the compartment containing the VCN and subnet.

The following policy example includes the required service permissions for Networking resources and user permissions for Search with OpenSearch resources:
Allow service opensearch to manage vnics in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow service opensearch to manage vcns in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow service opensearch to use subnets in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow service opensearch to use network-security-groups in compartment <NETWORK_RESOURCES_COMPARTMENT>

Change to User Permissions

Search with OpenSearch is transitioning to requiring policies with user permissions, rather than service permissions, to grant access to Networking resources. For more information, see Permissions for Networking resources changing from service to user permissions. During the transition, Search with OpenSearch requires both of the following policies:

  • Policies with service permissions granting access to Networking resources, as described in Service and User Permissions. Existing Search with OpenSearch policies created before this change was announced include service permissions statements. No change is needed for these policies at this time.

  • Policies with user permissions granting access to Networking resources. If a user doesn't have this access, you need to create a policy granting them access to create and manage the required Networking resources. The following policy is an example with policy statements granting access to Networking and Search with OpenSearch resources to the custom group SearchOpenSearchAdmins:

    Allow group SearchOpenSearchAdmins to manage vnics in compartment <NETWORK_RESOURCES_COMPARTMENT>
    Allow group SearchOpenSearchAdmins to manage vcns in compartment <NETWORK_RESOURCES_COMPARTMENT>
    Allow group SearchOpenSearchAdmins to use subnets in compartment <NETWORK_RESOURCES_COMPARTMENT>
    Allow group SearchOpenSearchAdmins to use network-security-groups in compartment <NETWORK_RESOURCES_COMPARTMENT>
    Allow group SearchOpenSearchAdmins to manage opensearch-family in compartment <CLUSTER

    The permissions to Networking resources included in this example are required as specified. You can configure the permissions to Search with OpenSearch resources, specified in the last line in this example, with more granularity.

Resource Types

Search with OpenSearch offers both aggregate and individual resource-types for writing policies.

Aggregate Resource Type
  • opensearch-family

Individual Resource Types
  • opensearch-clusters
  • opensearch-cluster-backups
  • opensearch-work-requests

You can use the aggregate resource type to write fewer policies. A policy that uses opensearch-family is equivalent to writing one with separate statements for each of the individual resource types.

Sample Policies

The following policy grants the group SearchOpenSearchAdmins access to create and manage all OCI Search with OpenSearch resources.

Allow group SearchOpenSearchAdmins to manage opensearch-family in compartment <YOUR_COMPARTMENT>

To restrict access to a single resource type, use one of the following policies:

Allow group SearchOpenSearchAdmins to manage opensearch-clusters in compartment <YOUR_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage opensearch-cluster-backups in compartment <YOUR_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage opensearch-work-requests in compartment <YOUR_COMPARTMENT>

If you're new to policies, see Getting Started with Policies and Common Policies.

Permissions Required for API Operations

The following table lists the API operations in a logical order, grouped by resource type.

API Operation                                  Permissions Required to Use the Operation
---------------------------------------------  -----------------------------------------
BackupElasticsearchCluster                     OPENSEARCH_CLUSTER_MANAGE
ChangeElasticsearchClusterCompartment          OPENSEARCH_CLUSTER_MANAGE
CreateElasticsearchCluster                     OPENSEARCH_CLUSTER_MANAGE
DeleteElasticsearchCluster                     OPENSEARCH_CLUSTER_MANAGE
GetElasticsearchCluster                        OPENSEARCH_CLUSTER_INSPECT
ListElasticsearchClusters                      OPENSEARCH_CLUSTER_INSPECT
ResizeElasticsearchCluster                     OPENSEARCH_CLUSTER_USE
RestoreElasticsearchCluster                    OPENSEARCH_CLUSTER_USE
UpdateElasticsearchCluster                     OPENSEARCH_CLUSTER_USE
UpgradeElasticsearchCluster                    OPENSEARCH_CLUSTER_USE

ChangeElasticsearchClusterBackupCompartment    OPENSEARCH_CLUSTER_BACKUP_MANAGE
DeleteElasticsearchClusterBackup               OPENSEARCH_CLUSTER_BACKUP_MANAGE
ExportElasticsearchClusterBackup               OPENSEARCH_CLUSTER_BACKUP_USE
GetElasticsearchClusterBackup                  OPENSEARCH_CLUSTER_BACKUP_INSPECT
ListElasticsearchClusterBackups                OPENSEARCH_CLUSTER_BACKUP_INSPECT
RestoreElasticsearchClusterBackup              OPENSEARCH_CLUSTER_BACKUP_USE
UpdateElasticsearchClusterBackup               OPENSEARCH_CLUSTER_BACKUP_USE

GetElasticsearchClusterNode                    OPENSEARCH_CLUSTER_NODE_INSPECT
ListElasticsearchClusterNodes                  OPENSEARCH_CLUSTER_NODE_INSPECT

GetWorkRequest                                 OPENSEARCH_WORK_REQUEST_INSPECT
ListWorkRequestErrors                          OPENSEARCH_WORK_REQUEST_INSPECT
ListWorkRequestLogs                            OPENSEARCH_WORK_REQUEST_INSPECT
ListWorkRequests                               OPENSEARCH_WORK_REQUEST_INSPECT
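To turn this table into a least-privilege policy for a role instead of granting manage on opensearch-family, here is an added Python helper (not from Oracle's documentation) that computes, for a set of operations a role needs, the weakest verb per resource type and renders the policy statements. It assumes OCI's verb ordering (inspect < read < use < manage, each including the previous), that a permission's suffix names the verb that grants it, and that the *_CLUSTER_NODE_* permissions belong to opensearch-clusters, which the page does not state; the group name and role are constructed.

```python
# Added example (not Oracle's code): least-privilege policy verb per resource type for a set of API operations.

OCI_VERBS = ["inspect", "read", "use", "manage"]  # increasing power; each verb includes the earlier ones

# Permission -> API operations, as listed in the table on this page.
PERMISSION_OPERATIONS = {
    "OPENSEARCH_CLUSTER_MANAGE": ("BackupElasticsearchCluster", "ChangeElasticsearchClusterCompartment",
                                  "CreateElasticsearchCluster", "DeleteElasticsearchCluster"),
    "OPENSEARCH_CLUSTER_INSPECT": ("GetElasticsearchCluster", "ListElasticsearchClusters"),
    "OPENSEARCH_CLUSTER_USE": ("ResizeElasticsearchCluster", "RestoreElasticsearchCluster",
                               "UpdateElasticsearchCluster", "UpgradeElasticsearchCluster"),
    "OPENSEARCH_CLUSTER_BACKUP_MANAGE": ("ChangeElasticsearchClusterBackupCompartment",
                                         "DeleteElasticsearchClusterBackup"),
    "OPENSEARCH_CLUSTER_BACKUP_USE": ("ExportElasticsearchClusterBackup", "RestoreElasticsearchClusterBackup",
                                      "UpdateElasticsearchClusterBackup"),
    "OPENSEARCH_CLUSTER_BACKUP_INSPECT": ("GetElasticsearchClusterBackup", "ListElasticsearchClusterBackups"),
    "OPENSEARCH_CLUSTER_NODE_INSPECT": ("GetElasticsearchClusterNode", "ListElasticsearchClusterNodes"),
    "OPENSEARCH_WORK_REQUEST_INSPECT": ("GetWorkRequest", "ListWorkRequestErrors",
                                        "ListWorkRequestLogs", "ListWorkRequests"),
}
OPERATION_PERMISSION = {op: perm for perm, ops in PERMISSION_OPERATIONS.items() for op in ops}

# Permission prefix -> individual resource type from this page; the *_NODE_* mapping is an assumption.
RESOURCE_TYPES = {
    "OPENSEARCH_CLUSTER_BACKUP": "opensearch-cluster-backups",
    "OPENSEARCH_CLUSTER_NODE": "opensearch-clusters",  # assumption: page lists no node resource type
    "OPENSEARCH_CLUSTER": "opensearch-clusters",
    "OPENSEARCH_WORK_REQUEST": "opensearch-work-requests",
}

def required_verbs(operations):
    # Return {resource type: weakest verb} that still covers every listed operation.
    needed = {}
    for op in operations:
        prefix, _, verb = OPERATION_PERMISSION[op].rpartition("_")
        rtype, verb = RESOURCE_TYPES[prefix], verb.lower()
        if rtype not in needed or OCI_VERBS.index(verb) > OCI_VERBS.index(needed[rtype]):
            needed[rtype] = verb
    return needed

def policy_statements(group, operations, compartment):
    # One statement per resource type, in the statement form used on this page.
    return [f"Allow group {group} to {verb} {rtype} in compartment {compartment}"
            for rtype, verb in sorted(required_verbs(operations).items())]

# Constructed backup-operator role; BackupElasticsearchCluster alone forces "manage" on opensearch-clusters.
BACKUP_OPERATOR_OPS = ("ListElasticsearchClusters", "GetElasticsearchCluster",
                       "BackupElasticsearchCluster", "ListElasticsearchClusterBackups",
                       "ExportElasticsearchClusterBackup", "GetWorkRequest")
```

Running policy_statements("SearchOpenSearchBackups", BACKUP_OPERATOR_OPS, "<YOUR_COMPARTMENT>") shows that even a backup-only role needs manage on opensearch-clusters, while backups and work requests can stay at use and inspect.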