Search with OpenSearch IAM Policies
Learn about the required IAM policies and permission details for Search with OpenSearch.
User Permissions
To create or manage a cluster, you need to configure permissions that grant users access to create and manage the required Networking resources, in addition to the permissions users need to create and manage Search with OpenSearch resources. The Networking permissions must be configured for the compartment that contains the Networking resources, so if the cluster is in a different compartment from the VCN and subnet, ensure that the Networking permissions are configured for the compartment containing the VCN and subnet.
The following policy example includes the required permissions for a custom group SearchOpenSearchAdmins:
Allow group SearchOpenSearchAdmins to manage vnics in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage vcns in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage subnets in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow group SearchOpenSearchAdmins to use network-security-groups in compartment <NETWORK_RESOURCES_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage opensearch-family in compartment <CLUSTER_RESOURCES_COMPARTMENT>
The SearchOpenSearchAdmins group in this example refers to a custom group that you create. See Managing Groups for more information. The Networking permissions included in this example are required exactly as specified. The permissions for Search with OpenSearch resources, specified in the last line of this example, can be configured with more granularity.
Resource Types
Search with OpenSearch offers both aggregate and individual resource-types for writing policies.
- Aggregate Resource Type: opensearch-family
- Individual Resource Types: opensearch-clusters, opensearch-cluster-backups, opensearch-work-requests
You can use the aggregate resource type to write fewer policies. A policy that uses opensearch-family is equivalent to writing one with separate statements for each of the individual resource types.
Sample Policies
The following policy grants the group SearchOpenSearchAdmins access to create and manage all Search with OpenSearch resources. The SearchOpenSearchAdmins group in these examples refers to a custom group that you create. See Managing Groups for more information.
Allow group SearchOpenSearchAdmins to manage opensearch-family in compartment <YOUR_COMPARTMENT>
To restrict access to a single resource type, use one of the following policies:
Allow group SearchOpenSearchAdmins to manage opensearch-clusters in compartment <YOUR_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage opensearch-cluster-backups in compartment <YOUR_COMPARTMENT>
Allow group SearchOpenSearchAdmins to manage opensearch-work-requests in compartment <YOUR_COMPARTMENT>
If you're new to policies, see Getting Started with Policies and Common Policies.
Permissions Required for API Operations
The following table lists the API operations in a logical order, grouped by resource type.
API Operation | Permissions Required to Use the Operation
---|---
BackupElasticsearchCluster | OPENSEARCH_CLUSTER_MANAGE
ChangeElasticsearchClusterCompartment | OPENSEARCH_CLUSTER_MANAGE
CreateElasticsearchCluster | OPENSEARCH_CLUSTER_MANAGE
DeleteElasticsearchCluster | OPENSEARCH_CLUSTER_MANAGE
GetElasticsearchCluster | OPENSEARCH_CLUSTER_INSPECT
ListElasticsearchClusters | OPENSEARCH_CLUSTER_INSPECT
ResizeElasticsearchCluster | OPENSEARCH_CLUSTER_USE
RestoreElasticsearchCluster | OPENSEARCH_CLUSTER_USE
UpdateElasticsearchCluster | OPENSEARCH_CLUSTER_USE
UpgradeElasticsearchCluster | OPENSEARCH_CLUSTER_USE
ChangeElasticsearchClusterBackupCompartment | OPENSEARCH_CLUSTER_BACKUP_MANAGE
DeleteElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_MANAGE
ExportElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_USE
GetElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_INSPECT
ListElasticsearchClusterBackups | OPENSEARCH_CLUSTER_BACKUP_INSPECT
RestoreElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_USE
UpdateElasticsearchClusterBackup | OPENSEARCH_CLUSTER_BACKUP_USE
GetElasticsearchClusterNode | OPENSEARCH_CLUSTER_NODE_INSPECT
ListElasticsearchClusterNodes | OPENSEARCH_CLUSTER_NODE_INSPECT
GetWorkRequest | OPENSEARCH_WORK_REQUEST_INSPECT
ListWorkRequestErrors | OPENSEARCH_WORK_REQUEST_INSPECT
ListWorkRequestLogs | OPENSEARCH_WORK_REQUEST_INSPECT
ListWorkRequests | OPENSEARCH_WORK_REQUEST_INSPECT