Actions, resources, and condition keys for Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) - Service Authorization Reference

Actions, resources, and condition keys for Amazon OpenSearch Service (successor to Amazon Elasticsearch Service)

Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) (service prefix: es ) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon OpenSearch Service (successor to Amazon Elasticsearch Service)

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table .

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptInboundConnection Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request Write
AcceptInboundCrossClusterSearchConnection Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request Write
AddTags Grants permission to attach resource tags to an Amazon OpenSearch domain Tagging

domain*

aws:RequestTag/${TagKey}

aws:TagKeys

AssociatePackage Grants permission to associate a package with an Amazon ES domain Write

domain*

CancelElasticsearchServiceSoftwareUpdate Grants permission to cancel elastic search software update of a domain to given version Write

domain*

CancelServiceSoftwareUpdate Grants permission to cancel OpenSearch software update of a domain to given version Write

domain*

CreateDomain Grants permission to create an Amazon OpenSearch Service domain Write

domain

aws:RequestTag/${TagKey}

aws:TagKeys

CreateElasticsearchDomain Grants permission to create an Amazon OpenSearch domain Write

domain

aws:RequestTag/${TagKey}

aws:TagKeys

CreateElasticsearchServiceRole Grants permission to create the service-linked role required for Amazon OpenSearch domains that use VPC access Write
CreateOutboundConnection Grants permission to create a new cross-cluster search connection from a source domain to a destination domain Write

domain*

CreateOutboundCrossClusterSearchConnection Grants permission to create a new cross-cluster search connection from a source domain to a destination domain Write

domain*

CreatePackage Grants permission to add a package for use with Amazon ES domains Write
CreateServiceRole Grants permission to create the service-linked role required for Amazon OpenSearch domains that use VPC access Write
DeleteDomain Grants permission to delete an Amazon OpenSearch domain and all of its data Write

domain*

DeleteElasticsearchDomain Grants permission to delete an Amazon OpenSearch domain and all of its data Write

domain*

DeleteElasticsearchServiceRole Grants permission to delete the service-linked role required for Amazon OpenSearch domains that use VPC access Write
DeleteInboundConnection Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection Write
DeleteInboundCrossClusterSearchConnection Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection Write
DeleteOutboundConnection Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection Write
DeleteOutboundCrossClusterSearchConnection Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection Write
DeletePackage Grants permission to delete a package from Amazon ES. The package must not be associated with any Amazon ES domain Write
DescribeDomain Grants permission to view a description of the domain configuration for the specified Amazon OpenSearch domain, including the domain ID, domain service endpoint, and domain ARN Read

domain*

DescribeDomainAutoTunes Grants permission to view the AutoTune configuration of the domain for the specified Amazon OpenSearch domain, including the AutoTune state and maintenance schedules Read

domain*

DescribeDomainConfig Grants permission to view a description of the configuration options and status of an Amazon OpenSearch domain Read

domain*

DescribeDomains Grants permission to view a description of the domain configuration for up to five specified Amazon OpenSearch domain List

domain*

DescribeElasticsearchDomain Grants permission to view a description of the domain configuration for the specified Amazon OpenSearch domain, including the domain ID, domain service endpoint, and domain ARN Read

domain*

DescribeElasticsearchDomainConfig Grants permission to view a description of the configuration options and status of an Amazon OpenSearch domain Read

domain*

DescribeElasticsearchDomains Grants permission to view a description of the domain configuration for up to five specified Amazon OpenSearch domains List

domain*

DescribeElasticsearchInstanceTypeLimits Grants permission to view the instance count, storage, and master node limits for a given OpenSearch version and instance type List
DescribeInboundConnections Grants permission to list all the inbound cross-cluster search connections for a destination domain List
DescribeInboundCrossClusterSearchConnections Grants permission to list all the inbound cross-cluster search connections for a destination domain List
DescribeInstanceTypeLimits Grants permission to view the instance count, storage, and master node limits for a given OpenSearch version and instance type List
DescribeOutboundConnections Grants permission to list all the outbound cross-cluster search connections for a source domain List
DescribeOutboundCrossClusterSearchConnections Grants permission to list all the outbound cross-cluster search connections for a source domain List
DescribePackages Grants permission to describe all packages available to Amazon ES domain Read
DescribeReservedElasticsearchInstanceOfferings Grants permission to fetch reserved instance offerings for OpenSearch List
DescribeReservedElasticsearchInstances Grants permission to fetch OpenSearch reserved instances already purchased by customer List
DescribeReservedInstanceOfferings Grants permission to fetch reserved instance offerings for OpenSearch List
DescribeReservedInstances Grants permission to fetch OpenSearch reserved instances already purchased by customer List
DissociatePackage Grants permission to remove a package from the specified Amazon ES domain Write

domain*

ESCrossClusterGet Grants permission to send cross-cluster requests to a destination domain Read

domain

ESHttpDelete Grants permission to send HTTP DELETE requests to the OpenSearch APIs Write

domain

ESHttpGet Grants permission to send HTTP GET requests to the OpenSearch APIs Read

domain

ESHttpHead Grants permission to send HTTP HEAD requests to the OpenSearch APIs Read

domain

ESHttpPatch Grants permission to send HTTP PATCH requests to the OpenSearch APIs Write

domain

ESHttpPost Grants permission to send HTTP POST requests to the OpenSearch APIs Write

domain

ESHttpPut Grants permission to send HTTP PUT requests to the OpenSearch APIs Write

domain

GetCompatibleElasticsearchVersions Grants permission to fetch list of compatible elastic search versions to which Amazon OpenSearch domain can be upgraded List

domain*

GetCompatibleVersions Grants permission to fetch list of compatible OpenSearch versions to which Amazon OpenSearch domain can be upgraded List

domain*

GetPackageVersionHistory Grants permission to fetch the version history for a package Read
GetUpgradeHistory Grants permission to fetch upgrade history for given OpenSearch domain Read

domain*

GetUpgradeStatus Grants permission to fetch upgrade status for given OpenSearch domain Read

domain*

ListDomainNames Grants permission to display the names of all Amazon OpenSearch domains that the current user owns List
ListDomainsForPackage Grants permission to list all Amazon ES domains that a package is associated with List
ListElasticsearchInstanceTypeDetails Grants permission to list all instance types and available features for a given OpenSearch version List
ListElasticsearchInstanceTypes Grants permission to list all OpenSearch instance types that are supported for a given OpenSearch version List
ListElasticsearchVersions Grants permission to list all supported OpenSearch versions on Amazon OpenSearch List
ListInstanceTypeDetails Grants permission to list all instance types and available features for a given OpenSearch version List
ListInstanceTypes Grants permission to list all OpenSearch instance types that are supported for a given OpenSearch version List
ListPackagesForDomain Grants permission to list all packages associated with the Amazon ES domain List

domain*

ListTags Grants permission to display all of the tags for an Amazon OpenSearch domain Read

domain*

ListVersions Grants permission to list all supported OpenSearch versions on Amazon OpenSearch List
PurchaseReservedElasticsearchInstanceOffering Grants permission to purchase OpenSearch reserved instances Write
PurchaseReservedInstanceOffering Grants permission to purchase OpenSearch reserved instances Write
RejectInboundConnection Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request Write
RejectInboundCrossClusterSearchConnection Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request Write
RemoveTags Grants permission to remove tags from Amazon OpenSearch domains Tagging

domain*

aws:TagKeys

StartElasticsearchServiceSoftwareUpdate Grants permission to start elastic search software update of a domain to given version Write

domain*

StartServiceSoftwareUpdate Grants permission to start OpenSearch software update of a domain to given version Write

domain*

UpdateDomainConfig Grants permission to modify the configuration of an Amazon OpenSearch domain, such as the instance type or number of instances Write

domain*

UpdateElasticsearchDomainConfig Grants permission to modify the configuration of an Amazon OpenSearch domain, such as the instance type or number of instances Write

domain*

UpdatePackage Grants permission to update a package for use with Amazon ES domains Write
UpgradeDomain Grants permission to initiate upgrade of open search domain to given version Write

domain*

UpgradeElasticsearchDomain Grants permission to initiate upgrade of elastic search domain to given version Write

domain*

Resource types defined by Amazon OpenSearch Service (successor to Amazon Elasticsearch Service)

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table .

Resource types ARN Condition keys
domain arn:$ { Partition}:es:$ { Region}:$ { Account}:domain/$ { DomainName}

aws:ResourceTag/${TagKey}

es_role arn:$ { Partition}:iam::$ { Account}:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonElasticsearchService

aws:ResourceTag/${TagKey}

opensearchservice_role arn:$ { Partition}:iam::$ { Account}:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService

aws:ResourceTag/${TagKey}

Condition keys for Amazon OpenSearch Service (successor to Amazon Elasticsearch Service)

Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table .

To view the global condition keys that are available to all services, see Available global condition keys .

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access based on the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access based on the tags associated with the resource String
aws:TagKeys Filters access based on the tag keys that are passed in the request String