Actions, resources, and condition keys for Amazon OpenSearch Service - Service Authorization Reference

Actions, resources, and condition keys for Amazon OpenSearch Service

Amazon OpenSearch Service (service prefix: es) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon OpenSearch Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value in this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column lists a resource type, you can specify an ARN of that type in a statement with that action. Required resources are marked in the table with an asterisk (*); if you specify a resource-level permission ARN in a statement using that action, the ARN must be of that type. Some actions support multiple resource types. If a resource type is optional (not marked as required), you can choose to use one type but not the other.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AcceptInboundConnection | Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request | Write | | | |
| AcceptInboundCrossClusterSearchConnection | Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request. This permission is deprecated. Use AcceptInboundConnection instead | Write | | | |
| AddTags | Grants permission to attach resource tags to an OpenSearch Service domain | Tagging | domain* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| AssociatePackage | Grants permission to associate a package with an OpenSearch Service domain | Write | domain* | | |
| CancelElasticsearchServiceSoftwareUpdate | Grants permission to cancel a service software update of a domain. This permission is deprecated. Use CancelServiceSoftwareUpdate instead | Write | domain* | | |
| CancelServiceSoftwareUpdate | Grants permission to cancel a service software update of a domain | Write | domain* | | |
| CreateDomain | Grants permission to create an Amazon OpenSearch Service domain | Write | domain | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateElasticsearchDomain | Grants permission to create an OpenSearch Service domain. This permission is deprecated. Use CreateDomain instead | Write | domain | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateElasticsearchServiceRole | Grants permission to create the service-linked role required for OpenSearch Service domains that use VPC access. This permission is deprecated. OpenSearch Service creates the service-linked role for you | Write | | | |
| CreateOutboundConnection | Grants permission to create a new cross-cluster search connection from a source domain to a destination domain | Write | domain* | | |
| CreateOutboundCrossClusterSearchConnection | Grants permission to create a new cross-cluster search connection from a source domain to a destination domain. This permission is deprecated. Use CreateOutboundConnection instead | Write | domain* | | |
| CreatePackage | Grants permission to add a package for use with OpenSearch Service domains | Write | | | |
| CreateServiceRole | Grants permission to create the service-linked role required for Amazon OpenSearch Service domains that use VPC access | Write | | | |
| DeleteDomain | Grants permission to delete an Amazon OpenSearch Service domain and all of its data | Write | domain* | | |
| DeleteElasticsearchDomain | Grants permission to delete an OpenSearch Service domain and all of its data. This permission is deprecated. Use DeleteDomain instead | Write | domain* | | |
| DeleteElasticsearchServiceRole | Grants permission to delete the service-linked role required for OpenSearch Service domains that use VPC access. This permission is deprecated. Use the IAM API to delete service-linked roles | Write | | | |
| DeleteInboundConnection | Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection | Write | | | |
| DeleteInboundCrossClusterSearchConnection | Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection. This permission is deprecated. Use DeleteInboundConnection instead | Write | | | |
| DeleteOutboundConnection | Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection | Write | | | |
| DeleteOutboundCrossClusterSearchConnection | Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection. This permission is deprecated. Use DeleteOutboundConnection instead | Write | | | |
| DeletePackage | Grants permission to delete a package from OpenSearch Service. The package cannot be associated with any domains | Write | | | |
| DescribeDomain | Grants permission to view a description of the domain configuration for the specified OpenSearch Service domain, including the domain ID, service endpoint, and ARN | Read | domain* | | |
| DescribeDomainAutoTunes | Grants permission to view the Auto-Tune configuration of the specified OpenSearch Service domain, including the Auto-Tune state and maintenance schedules | Read | domain* | | |
| DescribeDomainChangeProgress | Grants permission to view the detailed stage progress of an OpenSearch Service domain | Read | domain* | | |
| DescribeDomainConfig | Grants permission to view a description of the configuration options and status of an OpenSearch Service domain | Read | domain* | | |
| DescribeDomains | Grants permission to view a description of the domain configuration for up to five specified OpenSearch Service domains | List | domain* | | |
| DescribeElasticsearchDomain | Grants permission to view a description of the domain configuration for the specified OpenSearch Service domain, including the domain ID, service endpoint, and ARN. This permission is deprecated. Use DescribeDomain instead | Read | domain* | | |
| DescribeElasticsearchDomainConfig | Grants permission to view a description of the configuration and status of an OpenSearch Service domain. This permission is deprecated. Use DescribeDomainConfig instead | Read | domain* | | |
| DescribeElasticsearchDomains | Grants permission to view a description of the domain configuration for up to five specified Amazon OpenSearch domains. This permission is deprecated. Use DescribeDomains instead | List | domain* | | |
| DescribeElasticsearchInstanceTypeLimits | Grants permission to view the instance count, storage, and master node limits for a given OpenSearch version and instance type. This permission is deprecated. Use DescribeInstanceTypeLimits instead | List | | | |
| DescribeInboundConnections | Grants permission to list all the inbound cross-cluster search connections for a destination domain | List | | | |
| DescribeInboundCrossClusterSearchConnections | Grants permission to list all the inbound cross-cluster search connections for a destination domain. This permission is deprecated. Use DescribeInboundConnections instead | List | | | |
| DescribeInstanceTypeLimits | Grants permission to view the instance count, storage, and master node limits for a given engine version and instance type | List | | | |
| DescribeOutboundConnections | Grants permission to list all the outbound cross-cluster search connections for a source domain | List | | | |
| DescribeOutboundCrossClusterSearchConnections | Grants permission to list all the outbound cross-cluster search connections for a source domain. This permission is deprecated. Use DescribeOutboundConnections instead | List | | | |
| DescribePackages | Grants permission to describe all packages available to OpenSearch Service domains | Read | | | |
| DescribeReservedElasticsearchInstanceOfferings | Grants permission to fetch Reserved Instance offerings for Amazon OpenSearch Service. This permission is deprecated. Use DescribeReservedInstanceOfferings instead | List | | | |
| DescribeReservedElasticsearchInstances | Grants permission to fetch OpenSearch Service Reserved Instances that have already been purchased. This permission is deprecated. Use DescribeReservedInstances instead | List | | | |
| DescribeReservedInstanceOfferings | Grants permission to fetch Reserved Instance offerings for OpenSearch Service | List | | | |
| DescribeReservedInstances | Grants permission to fetch OpenSearch Service Reserved Instances that have already been purchased | List | | | |
| DissociatePackage | Grants permission to disassociate a package from the specified OpenSearch Service domain | Write | domain* | | |
| ESCrossClusterGet | Grants permission to send cross-cluster requests to a destination domain | Read | domain | | |
| ESHttpDelete | Grants permission to send HTTP DELETE requests to the OpenSearch APIs | Write | domain | | |
| ESHttpGet | Grants permission to send HTTP GET requests to the OpenSearch APIs | Read | domain | | |
| ESHttpHead | Grants permission to send HTTP HEAD requests to the OpenSearch APIs | Read | domain | | |
| ESHttpPatch | Grants permission to send HTTP PATCH requests to the OpenSearch APIs | Write | domain | | |
| ESHttpPost | Grants permission to send HTTP POST requests to the OpenSearch APIs | Write | domain | | |
| ESHttpPut | Grants permission to send HTTP PUT requests to the OpenSearch APIs | Write | domain | | |
| GetCompatibleElasticsearchVersions | Grants permission to fetch a list of compatible OpenSearch and Elasticsearch versions to which an OpenSearch Service domain can be upgraded. This permission is deprecated. Use GetCompatibleVersions instead | List | domain* | | |
| GetCompatibleVersions | Grants permission to fetch a list of compatible engine versions to which an OpenSearch Service domain can be upgraded | List | domain* | | |
| GetPackageVersionHistory | Grants permission to fetch the version history for a package | Read | | | |
| GetUpgradeHistory | Grants permission to fetch the upgrade history of a given OpenSearch Service domain | Read | domain* | | |
| GetUpgradeStatus | Grants permission to fetch the upgrade status of a given OpenSearch Service domain | Read | domain* | | |
| ListDomainNames | Grants permission to display the names of all OpenSearch Service domains that the current user owns | List | | | |
| ListDomainsForPackage | Grants permission to list all OpenSearch Service domains that a package is associated with | List | | | |
| ListElasticsearchInstanceTypeDetails | Grants permission to list all instance types and available features for a given OpenSearch version. This permission is deprecated. Use ListInstanceTypeDetails instead | List | | | |
| ListElasticsearchInstanceTypes | Grants permission to list all EC2 instance types that are supported for a given OpenSearch version | List | | | |
| ListElasticsearchVersions | Grants permission to list all supported OpenSearch versions on Amazon OpenSearch Service. This permission is deprecated. Use ListVersions instead | List | | | |
| ListInstanceTypeDetails | Grants permission to list all instance types and available features for a given OpenSearch or Elasticsearch version | List | | | |
| ListPackagesForDomain | Grants permission to list all packages associated with the OpenSearch Service domain | List | domain* | | |
| ListTags | Grants permission to display all resource tags for an OpenSearch Service domain | Read | domain* | | |
| ListVersions | Grants permission to list all supported OpenSearch and Elasticsearch versions in Amazon OpenSearch Service | List | | | |
| PurchaseReservedElasticsearchInstanceOffering | Grants permission to purchase OpenSearch Service Reserved Instances. This permission is deprecated. Use PurchaseReservedInstanceOffering instead | Write | | | |
| PurchaseReservedInstanceOffering | Grants permission to purchase OpenSearch Reserved Instances | Write | | | |
| RejectInboundConnection | Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request | Write | | | |
| RejectInboundCrossClusterSearchConnection | Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request. This permission is deprecated. Use RejectInboundConnection instead | Write | | | |
| RemoveTags | Grants permission to remove resource tags from an OpenSearch Service domain | Tagging | domain* | aws:TagKeys | |
| StartElasticsearchServiceSoftwareUpdate | Grants permission to start a service software update of a domain. This permission is deprecated. Use StartServiceSoftwareUpdate instead | Write | domain* | | |
| StartServiceSoftwareUpdate | Grants permission to start a service software update of a domain | Write | domain* | | |
| UpdateDomainConfig | Grants permission to modify the configuration of an OpenSearch Service domain, such as the instance type or number of instances | Write | domain* | | |
| UpdateElasticsearchDomainConfig | Grants permission to modify the configuration of an OpenSearch Service domain, such as the instance type or number of instances. This permission is deprecated. Use UpdateDomainConfig instead | Write | domain* | | |
| UpdatePackage | Grants permission to update a package for use with OpenSearch Service domains | Write | | | |
| UpgradeDomain | Grants permission to initiate an upgrade of an OpenSearch Service domain to a given version | Write | domain* | | |
| UpgradeElasticsearchDomain | Grants permission to initiate an upgrade of an OpenSearch Service domain to a specified version. This permission is deprecated. Use UpgradeDomain instead | Write | domain* | | |

Resource types defined by Amazon OpenSearch Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| domain | arn:${Partition}:es:${Region}:${Account}:domain/${DomainName} | aws:ResourceTag/${TagKey} |
| es_role | arn:${Partition}:iam::${Account}:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService | aws:ResourceTag/${TagKey} |
| opensearchservice_role | arn:${Partition}:iam::${Account}:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService | aws:ResourceTag/${TagKey} |

Condition keys for Amazon OpenSearch Service

Amazon OpenSearch Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access based on the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters access based on the tags associated with the resource | String |
| aws:TagKeys | Filters access based on the tag keys that are passed in the request | ArrayOfString |