Syntax Properties Return values Examples

AWS::OpenSearchServerless::AccessPolicy

Creates a data access policy for OpenSearch Serverless. Access policies limit access to collections and the resources within them, and allow a user to access that data irrespective of the access mechanism or network source. For more information, see Data access control for Amazon OpenSearch Serverless.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "Type" : "AWS::OpenSearchServerless::AccessPolicy",
  "Properties" : {
      "Description" : String,
      "Name" : String,
      "Policy" : String,
      "Type" : String
    }
}

YAML


Type: AWS::OpenSearchServerless::AccessPolicy
Properties:
  Description: String
  Name: String
  Policy: String
  Type: String

Properties

Description

The description of the policy.

Required: No

Type: String

Minimum: 1

Maximum: 1000

Update requires: No interruption

Name

The name of the policy.

Required: Yes

Type: String

Pattern: ^[a-z][a-z0-9-]{2,31}$

Minimum: 3

Maximum: 32

Update requires: Replacement

Policy

The JSON policy document without any whitespaces.

Required: Yes

Type: String

Pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]+

Minimum: 1

Maximum: 20480

Update requires: No interruption

Type

The type of access policy. Currently the only option is data.

Required: Yes

Type: String

Allowed values: data

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the access policy. For more information about using the Ref function, see Ref.

Examples

Create an access policy that allows access to all collections and indexes

The following example specifies an OpenSearch Serverless access policy that provides full access to the resources within my-collection to the user test-user.

For a complete sample policy that creates network, encryption, and access policies, as well as a matching collection, see Using AWS CloudFormation to create Amazon OpenSearch Serverless collections in the Amazon OpenSearch Service Developer Guide.

JSON


{
   "Description":"OpenSearch Serverless access policy template",
   "Resources":{
      "TestAccessPolicy":{
         "Type":"AWS::OpenSearchServerless::AccessPolicy",
         "Properties":{
            "Name":"test-access-policy",
            "Type":"data",
            "Description":"Access policy for
                my-collection",
            "Policy":{
               "Fn::Sub":"[{\"Description\":\"Access for
                test-user\",\"Rules\":[{\"ResourceType\":\"index\",\"Resource\":[\"index/*/*\"],\"Permission\":[\"aoss:*\"]},
                {\"ResourceType\":\"collection\",\"Resource\":[\"collection/my-collection\"],\"Permission\":[\"aoss:*\"]}],
                \"Principal\":[\"arn:aws:iam::${AWS::AccountId}:user/test-user\"]}]"
            }
         }

YAML


Description: 'OpenSearch Serverless access policy template'
  Resources:
  TestAccessPolicy:
    Type: 'AWS::OpenSearchServerless::AccessPolicy'
    Properties:
      Name: test-access-policy
      Type: data
      Description: Access policy for my-collection
      Policy:
        !Sub >-
         [{"Description":"Access for
         test-user","Rules":[{"ResourceType":"index","Resource":["index/*/*"],"Permission":["aoss:*"]},
         {"ResourceType":"collection","Resource":["collection/my-collection"],"Permission":["aoss:*"]}],
         "Principal":["arn:aws:iam::${AWS::AccountId}:user/test-user"]}]

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon OpenSearch Serverless

AWS::OpenSearchServerless::Collection