Application with Transactional DB and Search Backend

A developer building an application (e.g., e-commerce or content platform) uses RDS as the primary transactional database and OpenSearch as the search/analytics engine, and needs to configure access control and credentials for both services as part of the same infrastructure setup.

Products involved

Scenario

Developers building e-commerce or content platforms use ApsaraDB RDS for ACID-compliant transactional workloads and Alibaba Cloud OpenSearch for low-latency full-text search and analytics. This guide shows how to provision and secure access credentials for both services within a single VPC-bound infrastructure setup, ensuring least-privilege access and unified credential management.

Integration steps

  1. Create RDS Application Account: Provision a dedicated database account with read/write privileges for your transactional schema.

     ```bash
     # 'SecurePass123!' is a sample value; a literal password on the command line
     # also ends up in shell history.
     aliyun rds CreateAccount --DBInstanceId rm-uf6wjk5xxxxxx --AccountName app_rw \
       --AccountPassword 'SecurePass123!' --AccountType Normal

     # Limit the account to read/write on the application database only.
     aliyun rds GrantAccountPrivilege --DBInstanceId rm-uf6wjk5xxxxxx --AccountName app_rw \
       --DBName ecommerce_db --AccountPrivilege ReadWrite
     ```

  2. Configure RAM User for OpenSearch: Create a RAM user with scoped OpenSearch permissions instead of using root credentials.

     ```bash
     aliyun ram CreateUser --UserName opensearch-app

     # AttachPolicyToUser requires the policy type; this is a system policy.
     aliyun ram AttachPolicyToUser --PolicyType System \
       --PolicyName AliyunOpenSearchReadOnlyAccess --UserName opensearch-app
     ```

  3. Generate OpenSearch API Key: Bind a programmatic API key to your OpenSearch instance for application-level authentication.

     ```bash
     # The body is JSON, so declare the content type explicitly.
     curl -X POST "https://opensearch.cn-hangzhou.aliyuncs.com/v4/openapi/instances/os-xxxxx/api-keys" \
       -H "Authorization: Bearer <STS_TOKEN>" \
       -H "Content-Type: application/json" \
       -d '{"name": "app-search-key", "description": "App search access", "permissions": ["read", "write"]}'
     ```

  4. Enforce VPC & Whitelist Alignment: Ensure both instances share the same VPC/vSwitch. Add your application’s security group ID to the RDS SecurityIPList and OpenSearch NetworkConfig.
  5. Inject Credentials into Runtime: Store the RDS password in Alibaba Cloud KMS and pass the OpenSearch API key via environment variables (OPENSEARCH_API_KEY). Configure your ORM and search client to use these values at startup.
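
A startup loader for the credential-injection step, added here as an illustration and not taken from the product documentation: it fails closed when a setting is missing, rejects the sample password from the account-creation step, percent-encodes the password in the DSN, and keeps both secrets out of `repr()`. `RDS_HOST`, `RDS_PASSWORD_SECRET_NAME`, the MySQL scheme and port, and the `fetch_secret` callable (standing in for the KMS lookup) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Mapping
from urllib.parse import quote

# Assumptions, not from the page: RDS_HOST and RDS_PASSWORD_SECRET_NAME settings,
# a MySQL engine on port 3306, and fetch_secret, a caller-supplied function that
# returns the secret value held in KMS for a given secret name.
REQUIRED_ENV = ("OPENSEARCH_API_KEY", "RDS_HOST", "RDS_PASSWORD_SECRET_NAME")
SAMPLE_PASSWORDS = {"SecurePass123!"}  # sample value from the CreateAccount step


class CredentialError(RuntimeError):
    """Raised at startup so the application fails closed on bad configuration."""


@dataclass(frozen=True)
class RuntimeCredentials:
    rds_dsn: str = field(repr=False)             # excluded from repr() and logs
    opensearch_api_key: str = field(repr=False)  # excluded from repr() and logs
    rds_account: str = "app_rw"


def load_runtime_credentials(env: Mapping[str, str],
                             fetch_secret: Callable[[str], str]) -> RuntimeCredentials:
    missing = [name for name in REQUIRED_ENV if not env.get(name, "").strip()]
    if missing:
        raise CredentialError("missing settings: " + ", ".join(missing))
    password = fetch_secret(env["RDS_PASSWORD_SECRET_NAME"])
    if not password or password in SAMPLE_PASSWORDS:
        raise CredentialError("RDS password is empty or a documentation sample")
    # Percent-encode the password: characters such as '@' or '/' would otherwise
    # be parsed as DSN delimiters and change the host or database the client uses.
    dsn = "mysql://app_rw:{}@{}:3306/ecommerce_db".format(
        quote(password, safe=""), env["RDS_HOST"])
    return RuntimeCredentials(rds_dsn=dsn, opensearch_api_key=env["OPENSEARCH_API_KEY"])


if __name__ == "__main__":
    # Constructed values for a local dry run; no cloud call is made.
    demo_env = {"OPENSEARCH_API_KEY": "constructed-key",
                "RDS_HOST": "rds.internal.example",
                "RDS_PASSWORD_SECRET_NAME": "app/rds/app_rw"}
    print(load_runtime_credentials(demo_env, lambda name: "p@ss/w0rd-constructed"))
```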

Architecture

RDS acts as the authoritative system of record, handling synchronous CRUD operations and enforcing relational constraints. Application writes trigger asynchronous data synchronization (via Alibaba Cloud DTS or application-level CDC) into OpenSearch indices. OpenSearch handles high-concurrency search queries, aggregations, and analytics, returning results to the application without impacting RDS transactional throughput.

Prerequisites

Common pitfalls

Typical questions