Actions, resources, and condition keys for Amazon OpenSearch Service
Amazon OpenSearch Service (service prefix: es) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon OpenSearch Service
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AcceptInboundConnection | Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request | Write | |||
AcceptInboundCrossClusterSearchConnection | Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request. This permission is deprecated. Use AcceptInboundConnection instead | Write | |||
AddDataSource | Grants permission to add the data source for the OpenSearch Service domain | Write | |||
AddTags | Grants permission to attach resource tags to an OpenSearch Service domain | Tagging | |||
AssociatePackage | Grants permission to associate a package with an OpenSearch Service domain | Write | |||
AssociatePackages | Grants permission to associate multiple packages with an OpenSearch Service domain | Write | |||
AuthorizeVpcEndpointAccess | Grants permission to provide access to an Amazon OpenSearch Service domain through the use of an interface VPC endpoint | Write | |||
CancelDomainConfigChange | Grants permission to cancel a change on an OpenSearch Service domain | Write | |||
CancelElasticsearchServiceSoftwareUpdate | Grants permission to cancel a service software update of a domain. This permission is deprecated. Use CancelServiceSoftwareUpdate instead | Write | |||
CancelServiceSoftwareUpdate | Grants permission to cancel a service software update of a domain | Write | |||
CreateApplication | Grants permission to create an OpenSearch Application | Write | |||
CreateDomain | Grants permission to create an Amazon OpenSearch Service domain | Write | |||
CreateElasticsearchDomain | Grants permission to create an OpenSearch Service domain. This permission is deprecated. Use CreateDomain instead | Write | |||
CreateElasticsearchServiceRole | Grants permission to create the service-linked role required for OpenSearch Service domains that use VPC access. This permission is deprecated. OpenSearch Service creates the service-linked role for you | Write | |||
CreateOutboundConnection | Grants permission to create a new cross-cluster search connection from a source domain to a destination domain | Write | |||
CreateOutboundCrossClusterSearchConnection | Grants permission to create a new cross-cluster search connection from a source domain to a destination domain. This permission is deprecated. Use CreateOutboundConnection instead | Write | |||
CreatePackage | Grants permission to add a package for use with OpenSearch Service domains | Write | |||
CreateServiceRole | Grants permission to create the service-linked role required for Amazon OpenSearch Service domains that use VPC access | Write | |||
CreateVpcEndpoint | Grants permission to create an Amazon OpenSearch Service-managed VPC endpoint | Write | |||
DeleteApplication | Grants permission to delete an OpenSearch Application | Write | |||
DeleteDataSource | Grants permission to delete the data source for the OpenSearch Service domain | Write | |||
DeleteDomain | Grants permission to delete an Amazon OpenSearch Service domain and all of its data | Write | |||
DeleteElasticsearchDomain | Grants permission to delete an OpenSearch Service domain and all of its data. This permission is deprecated. Use DeleteDomain instead | Write | |||
DeleteElasticsearchServiceRole | Grants permission to delete the service-linked role required for OpenSearch Service domains that use VPC access. This permission is deprecated. Use the IAM API to delete service-linked roles | Write | |||
DeleteInboundConnection | Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection | Write | |||
DeleteInboundCrossClusterSearchConnection | Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection. This permission is deprecated. Use DeleteInboundConnection instead | Write | |||
DeleteOutboundConnection | Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection | Write | |||
DeleteOutboundCrossClusterSearchConnection | Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection. This permission is deprecated. Use DeleteOutboundConnection instead | Write | |||
DeletePackage | Grants permission to delete a package from OpenSearch Service. The package cannot be associated with any domains | Write | |||
DeleteVpcEndpoint | Grants permission to delete an Amazon OpenSearch Service-managed interface VPC endpoint | Write | |||
DescribeDomain | Grants permission to view a description of the domain configuration for the specified OpenSearch Service domain, including the domain ID, service endpoint, and ARN | Read | |||
DescribeDomainAutoTunes | Grants permission to view the Auto-Tune configuration of the domain for the specified OpenSearch Service domain, including the Auto-Tune state and maintenance schedules | Read | |||
DescribeDomainChangeProgress | Grants permission to view detail stage progress of an OpenSearch Service domain | Read | |||
DescribeDomainConfig | Grants permission to view a description of the configuration options and status of an OpenSearch Service domain | Read | |||
DescribeDomainHealth | Grants permission to view information about domain and node health, the standby Availability Zone, number of nodes per Availability Zone, and shard count per node | Read | |||
DescribeDomainNodes | Grants permission to view information about the nodes configured for the domain and their configurations: the node ID, node type, node status, Availability Zone, instance type, and storage | Read | |||
DescribeDomains | Grants permission to view a description of the domain configuration for up to five specified OpenSearch Service domains | List | |||
DescribeDryRunProgress | Grants permission to describe the status of a pre-update validation check on an OpenSearch Service domain | Read | |||
DescribeElasticsearchDomain | Grants permission to view a description of the domain configuration for the specified OpenSearch Service domain, including the domain ID, service endpoint, and ARN. This permission is deprecated. Use DescribeDomain instead | Read | |||
DescribeElasticsearchDomainConfig | Grants permission to view a description of the configuration and status of an OpenSearch Service domain. This permission is deprecated. Use DescribeDomainConfig instead | Read | |||
DescribeElasticsearchDomains | Grants permission to view a description of the domain configuration for up to five specified Amazon OpenSearch domains. This permission is deprecated. Use DescribeDomains instead | List | |||
DescribeElasticsearchInstanceTypeLimits | Grants permission to view the instance count, storage, and master node limits for a given OpenSearch version and instance type. This permission is deprecated. Use DescribeInstanceTypeLimits instead | List | |||
DescribeInboundConnections | Grants permission to list all the inbound cross-cluster search connections for a destination domain | List | |||
DescribeInboundCrossClusterSearchConnections | Grants permission to list all the inbound cross-cluster search connections for a destination domain. This permission is deprecated. Use DescribeInboundConnections instead | List | |||
DescribeInstanceTypeLimits | Grants permission to view the instance count, storage, and master node limits for a given engine version and instance type | List | |||
DescribeOutboundConnections | Grants permission to list all the outbound cross-cluster search connections for a source domain | List | |||
DescribeOutboundCrossClusterSearchConnections | Grants permission to list all the outbound cross-cluster search connections for a source domain. This permission is deprecated. Use DescribeOutboundConnections instead | List | |||
DescribePackages | Grants permission to describe all packages available to OpenSearch Service domains | Read | |||
DescribeReservedElasticsearchInstanceOfferings | Grants permission to fetch Reserved Instance offerings for Amazon OpenSearch Service. This permission is deprecated. Use DescribeReservedInstanceOfferings instead | List | |||
DescribeReservedElasticsearchInstances | Grants permission to fetch OpenSearch Service Reserved Instances that have already been purchased. This permission is deprecated. Use DescribeReservedInstances instead | List | |||
DescribeReservedInstanceOfferings | Grants permission to fetch Reserved Instance offerings for OpenSearch Service | List | |||
DescribeReservedInstances | Grants permission to fetch OpenSearch Service Reserved Instances that have already been purchased | List | |||
DescribeVpcEndpoints | Grants permission to describe one or more Amazon OpenSearch Service-managed VPC endpoints | List | |||
DissociatePackage | Grants permission to disassociate a package from the specified OpenSearch Service domain | Write | |||
DissociatePackages | Grants permission to disassociate multiple packages from the specified OpenSearch Service domain | Write | |||
ESCrossClusterGet | Grants permission to send cross-cluster requests to a destination domain | Read | |||
ESHttpDelete | Grants permission to send HTTP DELETE requests to the OpenSearch APIs | Write | |||
ESHttpGet | Grants permission to send HTTP GET requests to the OpenSearch APIs | Read | |||
ESHttpHead | Grants permission to send HTTP HEAD requests to the OpenSearch APIs | Read | |||
ESHttpPatch | Grants permission to send HTTP PATCH requests to the OpenSearch APIs | Write | |||
ESHttpPost | Grants permission to send HTTP POST requests to the OpenSearch APIs | Write | |||
ESHttpPut | Grants permission to send HTTP PUT requests to the OpenSearch APIs | Write | |||
GetApplication | Grants permission to get information about an OpenSearch Application | Read | |||
GetCompatibleElasticsearchVersions | Grants permission to fetch a list of compatible OpenSearch and Elasticsearch versions to which an OpenSearch Service domain can be upgraded. This permission is deprecated. Use GetCompatibleVersions instead | List | |||
GetCompatibleVersions | Grants permission to fetch list of compatible engine versions to which an OpenSearch Service domain can be upgraded | List | |||
GetDataSource | Grants permission to get the data source for the OpenSearch Service domain | Read | |||
GetDomainMaintenanceStatus | Grants permission to retrieve the status of maintenance action for the node | Read | |||
GetPackageVersionHistory | Grants permission to fetch the version history for a package | Read | |||
GetUpgradeHistory | Grants permission to fetch the upgrade history of a given OpenSearch Service domain | Read | |||
GetUpgradeStatus | Grants permission to fetch the upgrade status of a given OpenSearch Service domain | Read | |||
ListApplications | Grants permission to list OpenSearch Applications | List | |||
ListDataSources | Grants permission to retrieve a list of data sources for the OpenSearch Service domain | List | |||
ListDomainMaintenances | Grants permission to retrieve a list of maintenance actions for the OpenSearch Service domain | List | |||
ListDomainNames | Grants permission to display the names of all OpenSearch Service domains that the current user owns | List | |||
ListDomainsForPackage | Grants permission to list all OpenSearch Service domains that a package is associated with | List | |||
ListElasticsearchInstanceTypeDetails | Grants permission to list all instance types and available features for a given OpenSearch version. This permission is deprecated. Use ListInstanceTypeDetails instead | List | |||
ListElasticsearchInstanceTypes | Grants permission to list all EC2 instance types that are supported for a given OpenSearch version | List | |||
ListElasticsearchVersions | Grants permission to list all supported OpenSearch versions on Amazon OpenSearch Service. This permission is deprecated. Use ListVersions instead | List | |||
ListInstanceTypeDetails | Grants permission to list all instance types and available features for a given OpenSearch or Elasticsearch version | List | |||
ListPackagesForDomain | Grants permission to list all packages associated with the OpenSearch Service domain | List | |||
ListScheduledActions | Grants permission to retrieve a list of configuration changes that are scheduled for an OpenSearch Service domain | List | |||
ListTags | Grants permission to display all resource tags for an OpenSearch Service domain | Read | |||
ListVersions | Grants permission to list all supported OpenSearch and Elasticsearch versions in Amazon OpenSearch Service | List | |||
ListVpcEndpointAccess | Grants permission to retrieve information about each AWS principal that is allowed to access a given Amazon OpenSearch Service domain through the use of an interface VPC endpoint | List | |||
ListVpcEndpoints | Grants permission to retrieve all Amazon OpenSearch Service-managed VPC endpoints in the current AWS account and Region | List | |||
ListVpcEndpointsForDomain | Grants permission to retrieve all Amazon OpenSearch Service-managed VPC endpoints associated with a particular domain | List | |||
PurchaseReservedElasticsearchInstanceOffering | Grants permission to purchase OpenSearch Service Reserved Instances. This permission is deprecated. Use PurchaseReservedInstanceOffering instead | Write | |||
PurchaseReservedInstanceOffering | Grants permission to purchase OpenSearch reserved instances | Write | |||
RejectInboundConnection | Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request | Write | |||
RejectInboundCrossClusterSearchConnection | Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request. This permission is deprecated. Use RejectInboundConnection instead | Write | |||
RemoveTags | Grants permission to remove resource tags from an OpenSearch Service domain | Tagging | |||
RevokeVpcEndpointAccess | Grants permission to revoke access to an Amazon OpenSearch Service domain that was provided through an interface VPC endpoint | Write | |||
StartDomainMaintenance | Grants permission to initiate the maintenance on the node | Write | |||
StartElasticsearchServiceSoftwareUpdate | Grants permission to start a service software update of a domain. This permission is deprecated. Use StartServiceSoftwareUpdate instead | Write | |||
StartServiceSoftwareUpdate | Grants permission to start a service software update of a domain | Write | |||
UpdateApplication | Grants permission to update an OpenSearch Application | Write | |||
UpdateDataSource | Grants permission to update the data source for the OpenSearch Service domain | Write | |||
UpdateDomainConfig | Grants permission to modify the configuration of an OpenSearch Service domain, such as the instance type or number of instances | Write | |||
UpdateElasticsearchDomainConfig | Grants permission to modify the configuration of an OpenSearch Service domain, such as the instance type or number of instances. This permission is deprecated. Use UpdateDomainConfig instead | Write | |||
UpdatePackage | Grants permission to update a package for use with OpenSearch Service domains | Write | |||
UpdatePackageScope | Grants permission to update the scope of a package | Write | |||
UpdateScheduledAction | Grants permission to reschedule a planned OpenSearch Service domain configuration change for a later time | Write | |||
UpdateVpcEndpoint | Grants permission to modify an Amazon OpenSearch Service-managed interface VPC endpoint | Write | |||
UpgradeDomain | Grants permission to initiate upgrade of an OpenSearch Service domain to a given version | Write | |||
UpgradeElasticsearchDomain | Grants permission to initiate upgrade of an OpenSearch Service domain to a specified version. This permission is deprecated. Use UpgradeDomain instead | Write | |||
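As an added example (not part of the AWS reference), the following policy linter applies three checks that follow from the table above: it expands es: action wildcards, flags actions the table marks as deprecated together with the replacement the table names, and flags Write and Tagging actions granted on Resource "*". The ES_ACTIONS map is a constructed subset of the table, and the sample policy, account ID and domain name are constructed.

```python
import fnmatch
import json

# Subset of this page's Actions table: action -> (access level, page's replacement if deprecated).
ES_ACTIONS = {
    "AddTags": ("Tagging", None),
    "CreateDomain": ("Write", None),
    "CreateElasticsearchDomain": ("Write", "CreateDomain"),
    "DeleteDomain": ("Write", None),
    "ESHttpDelete": ("Write", None),
    "ESHttpGet": ("Read", None),
    "ESHttpHead": ("Read", None),
    "ESHttpPatch": ("Write", None),
    "ESHttpPost": ("Write", None),
    "ESHttpPut": ("Write", None),
    "UpdateDomainConfig": ("Write", None),
    "UpdateElasticsearchDomainConfig": ("Write", "UpdateDomainConfig"),
}

def _as_list(value):
    """IAM allows Statement, Action and Resource as a single string or a list."""
    return value if isinstance(value, list) else [value]

def expand_es_actions(pattern):
    """Expand one Action entry ('es:ESHttp*', 'es:*', '*') to the matching
    es: actions in ES_ACTIONS. IAM action matching is case-insensitive."""
    prefix, _, name = ("es:*" if pattern == "*" else pattern).partition(":")
    if prefix.lower() != "es":
        return []
    return sorted(a for a in ES_ACTIONS if fnmatch.fnmatchcase(a.lower(), name.lower()))

def lint_policy(policy_json):
    """Return (statement index, action, finding) tuples for Allow statements that
    grant deprecated es: actions, use action wildcards, or allow Write/Tagging
    actions on Resource "*"."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for pattern in _as_list(stmt.get("Action", [])):
            matched = expand_es_actions(pattern)
            if "*" in pattern and len(matched) > 1:
                findings.append((idx, pattern, "wildcard expands to %d actions" % len(matched)))
            for action in matched:
                level, replacement = ES_ACTIONS[action]
                if replacement:
                    findings.append((idx, "es:" + action, "deprecated, use es:" + replacement))
                if level in ("Write", "Tagging") and "*" in resources:
                    findings.append((idx, "es:" + action, level + ' action allowed on Resource "*"'))
    return findings

# Constructed sample: statement 0 is scoped to one domain ARN in the form shown in
# the Resource types table; statement 1 carries the patterns the linter flags.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["es:ESHttpGet", "es:ESHttpHead"],
     "Resource": "arn:aws:es:us-east-1:123456789012:domain/logs-prod/*"},
    {"Effect": "Allow", "Action": ["es:UpdateElasticsearchDomainConfig", "es:ESHttp*"],
     "Resource": "*"}]})
```

Running `lint_policy(SAMPLE_POLICY)` reports nothing for the domain-scoped read-only statement and seven findings for the second statement.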
Resource types defined by Amazon OpenSearch Service
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
domain | arn:${Partition}:es:${Region}:${Account}:domain/${DomainName} | |
application | arn:${Partition}:opensearch:${Region}:${Account}:application/${AppId} | |
es_role | arn:${Partition}:iam::${Account}:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService | |
opensearchservice_role | arn:${Partition}:iam::${Account}:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService | |
Condition keys for Amazon OpenSearch Service
Amazon OpenSearch Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access based on the tags that are passed in the request | String |
aws:ResourceTag/${TagKey} | Filters access based on the tags associated with the resource | String |
aws:TagKeys | Filters access based on the tag keys that are passed in the request | ArrayOfString |