AWS::OpenSearchServerless::AccessPolicy - AWS CloudFormation

AWS::OpenSearchServerless::AccessPolicy

Creates a data access policy for OpenSearch Serverless. Access policies limit access to collections and the resources within them, and allow a user to access that data irrespective of the access mechanism or network source. For more information, see Data access control for Amazon OpenSearch Serverless.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::OpenSearchServerless::AccessPolicy", "Properties" : { "Description" : String, "Name" : String, "Policy" : String, "Type" : String } }

YAML

Type: AWS::OpenSearchServerless::AccessPolicy Properties: Description: String Name: String Policy: String Type: String

Properties

Description

The description of the policy.

Required: No

Type: String

Minimum: 1

Maximum: 1000

Update requires: No interruption

Name

The name of the policy.

Required: Yes

Type: String

Pattern: ^[a-z][a-z0-9-]{2,31}$

Minimum: 3

Maximum: 32

Update requires: Replacement

Policy

The JSON policy document without any whitespaces.

Required: Yes

Type: String

Pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]+

Minimum: 1

Maximum: 20480

Update requires: No interruption

Type

The type of access policy. Currently the only option is data.

Required: Yes

Type: String

Allowed values: data

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the access policy. For more information about using the Ref function, see Ref.

Examples

Create an access policy that allows access to all collections and indexes

The following example specifies an OpenSearch Serverless access policy that provides full access to the resources within my-collection to the user test-user.

For a complete sample policy that creates network, encryption, and access policies, as well as a matching collection, see Using AWS CloudFormation to create Amazon OpenSearch Serverless collections in the Amazon OpenSearch Service Developer Guide.

JSON

{ "Description":"OpenSearch Serverless access policy template", "Resources":{ "TestAccessPolicy":{ "Type":"AWS::OpenSearchServerless::AccessPolicy", "Properties":{ "Name":"test-access-policy", "Type":"data", "Description":"Access policy for my-collection", "Policy":{ "Fn::Sub":"[{\"Description\":\"Access for test-user\",\"Rules\":[{\"ResourceType\":\"index\",\"Resource\":[\"index/*/*\"],\"Permission\":[\"aoss:*\"]}, {\"ResourceType\":\"collection\",\"Resource\":[\"collection/my-collection\"],\"Permission\":[\"aoss:*\"]}], \"Principal\":[\"arn:aws:iam::${AWS::AccountId}:user/test-user\"]}]" } }

YAML

Description: 'OpenSearch Serverless access policy template' Resources: TestAccessPolicy: Type: 'AWS::OpenSearchServerless::AccessPolicy' Properties: Name: test-access-policy Type: data Description: Access policy for my-collection Policy: !Sub >- [{"Description":"Access for test-user","Rules":[{"ResourceType":"index","Resource":["index/*/*"],"Permission":["aoss:*"]}, {"ResourceType":"collection","Resource":["collection/my-collection"],"Permission":["aoss:*"]}], "Principal":["arn:aws:iam::${AWS::AccountId}:user/test-user"]}]