Search with OpenSearch IAM Policies
Learn about the required IAM policies and permission details for Search with OpenSearch.
Service and User Permissions
To create or manage a cluster, you need to configure permissions that grant access for the service to create and manage the required Networking resources, in addition to user permissions to create and manage Search with OpenSearch resources. The Networking permissions need to be configured for the compartment that contains the Networking resources, so if the cluster is in a different compartment from the VCN and subnet, ensure that the Networking permissions are configured for the compartment containing the VCN and subnet.
Allow service opensearch to manage vnics in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow service opensearch to manage vcns in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow service opensearch to use subnets in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow service opensearch to use network-security-groups in compartment <NETWORK_RESOURCES_COMPARTMENT>
Change to User Permissions
Search with OpenSearch is transitioning to requiring policies with user permissions, instead of service permissions, to grant access to Networking resources. For more information, see Permissions for Networking resources changing from service to user permissions. During the transition, Search with OpenSearch requires both of the following policies:
Policies with service permissions granting access to Networking resources, as described in Service and User Permissions. Existing Search with OpenSearch policies created before this change was announced include service permissions statements. No change is needed for these policies at this time.
Policies with user permissions granting access to Networking resources. If a user doesn't have this access, you need to create a policy granting them access to create and manage the required Networking resources. The following policy is an example with policy statements granting access to Networking and Search with OpenSearch resources to the custom group SearchOpenSearchAdmins:
Allow group SearchOpenSearchAdmins to manage vnics in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage vcns in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow group SearchOpenSearchAdmins to use subnets in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow group SearchOpenSearchAdmins to use network-security-groups in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage opensearch-family in compartment <CLUSTER
The permissions for Networking resources included in this example are required exactly as specified. The permissions for Search with OpenSearch resources, specified in the last statement of this example, can be configured with more granularity.
Resource Types
Search with OpenSearch offers both aggregate and individual resource-types for writing policies.
- Aggregate Resource Type
  - opensearch-family
- Individual Resource Types
  - opensearch-clusters
  - opensearch-cluster-backups
  - opensearch-work-requests
You can use the aggregate resource type to write fewer policies. A policy that uses opensearch-family is equivalent to writing one with separate statements for each of the individual resource types.
Sample Policies
The following policy grants the group SearchOpenSearchAdmins access to create and manage all OCI Search with OpenSearch resources.
Allow group SearchOpenSearchAdmins to manage opensearch-family in compartment <YOUR_COMPARTMENT>
To restrict access to a single resource type, use one of the following policies:
Allow group SearchOpenSearchAdmins to manage opensearch-clusters in compartment <YOUR_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage opensearch-cluster-backups in compartment <YOUR_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage opensearch-work-requests in compartment <YOUR_COMPARTMENT>
If you're new to policies, see Getting Started with Policies and Common Policies.
Permissions Required for API Operations
The following table lists the API operations in a logical order, grouped by resource type.
API Operation | Permissions Required to Use the Operation
--- | ---
BackupElasticsearchCluster | OPENSEARCH_CLUSTER_MANAGE
ChangeElasticsearchClusterCompartment | OPENSEARCH_CLUSTER_MANAGE
CreateElasticsearchCluster | OPENSEARCH_CLUSTER_MANAGE
DeleteElasticsearchCluster | OPENSEARCH_CLUSTER_MANAGE
GetElasticsearchCluster | OPENSEARCH_CLUSTER_INSPECT
ListElasticsearchClusters | OPENSEARCH_CLUSTER_INSPECT
ResizeElasticsearchCluster | OPENSEARCH_CLUSTER_USE
RestoreElasticsearchCluster | OPENSEARCH_CLUSTER_USE
UpdateElasticsearchCluster | OPENSEARCH_CLUSTER_USE
UpgradeElasticsearchCluster | OPENSEARCH_CLUSTER_USE
ChangeElasticsearchClusterBackupCompartment | OPENSEARCH_CLUSTER_BACKUP_MANAGE
DeleteElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_MANAGE
ExportElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_USE
GetElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_INSPECT
ListElasticsearchClusterBackups | OPENSEARCH_CLUSTER_BACKUP_INSPECT
RestoreElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_USE
UpdateElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_USE
GetElasticsearchClusterNode | OPENSEARCH_CLUSTER_NODE_INSPECT
ListElasticsearchClusterNodes | OPENSEARCH_CLUSTER_NODE_INSPECT
GetWorkRequest | OPENSEARCH_WORK_REQUEST_INSPECT
ListWorkRequestErrors | OPENSEARCH_WORK_REQUEST_INSPECT
ListWorkRequestLogs | OPENSEARCH_WORK_REQUEST_INSPECT
ListWorkRequests | OPENSEARCH_WORK_REQUEST_INSPECT