
# OpenSearch Security and Access Control Console Guide

## Operations Overview

| Operation | Console Entry | Prerequisites | Description |
|----------|---------------|---------------|-------------|
| Manage API Keys | Console > AI Search Open Platform > API keys | An AI Search Open Platform account with an active workspace | Create, view, edit, disable, enable, or delete API keys used for authenticating API/SDK requests. |
| Create RAM User and Assign Permissions | Console > Resource Access Management (RAM) > Users > Create User | Alibaba Cloud account with root access; understanding of required permissions | Create a RAM user and assign system or custom policies for fine-grained OpenSearch access control. |
| Configure Access Key Environment | Console > Security > RAM > Users > Create RAM User | Alibaba Cloud account; RAM user created with appropriate permissions; AccessKey ID and secret | Set up environment variables using AccessKey credentials for secure programmatic API access. |
| Access OpenSearch Instance from Overlapping VPC | VPC > Route Tables > Create Route Table | OpenSearch instance in a VPC; another VPC with overlapping CIDR; permissions to create VPC resources | Use VPC peering and NAT Gateway to access OpenSearch when VPC CIDR blocks overlap. |
| Connect VPCs via CEN | Console > Cloud Enterprise Network > CEN Instances | VPCs with non-overlapping CIDR blocks; OpenSearch instance in a VPC; CEN permissions | Use Cloud Enterprise Network (CEN) with transit routers to connect multiple VPCs for OpenSearch access. |
| Enable Cross-VPC Access with Conflicting CIDR | VPC Console > VPCs > [Select vpc2] > Secondary IPv4 CIDR Block > Add Secondary IPv4 CIDR Block | Two VPCs with overlapping CIDR blocks; OpenSearch instance in one VPC; secondary CIDR available | Combine CEN and VPC NAT Gateway to enable cross-VPC communication despite CIDR conflicts. |
| Configure DSW Network Access to OpenSearch | Platform for AI (PAI) > Data Science Workshop (DSW) | OpenSearch Retrieval Engine Edition instance created; IP address known; PAI console access | Configure DSW instance network settings (VPC, vSwitch, security group, IP) to access OpenSearch. |

## Step-by-Step Instructions

### Manage API Keys

**Navigation**: Console > AI Search Open Platform > API keys

**Prerequisites**:
- An AI Search Open Platform account with an active workspace

1. Log on to the AI Search Open Platform console and select a region  
   - Element: **AI Search Open Platform console** (link) — top navigation bar  
   - Notes: Ensure you are in the correct region where your workspace exists.

2. Choose API keys from the left navigation bar  
   - Element: **API keys** (menu) — left navigation panel  
   - Notes: The API Keys page displays a list of existing keys.

3. Click Create API Key  
   - Element: **Create API Key** (button) — main content area  
   - Notes: A pop-up window appears showing the new API key.

4. Copy the API key value or download it as a CSV file  
   - Element: **Copy** (button) — pop-up window  
   - Notes: The API key is displayed only once after creation. Save it securely.

5. Confirm that you have saved the API key  
   - Element: **I have saved my API KEY.** (button) — pop-up window  
   - Notes: This closes the pop-up and returns you to the API Keys list.

6. Edit the API key description  
   - Element: **Edit** (button) — API Keys list  
   - Notes: Enter a descriptive name like 'prod-inference' or 'ci-pipeline'.

7. View the API key value  
   - Element: **View** (button) — API Keys list  
   - Notes: Only possible if the key has not been rotated or deleted.

8. Disable or enable the API key  
   - Element: **Disable / Enable** (button) — API Keys list  
   - Notes: Disabling prevents the key from being used in API calls.

9. Delete the API key  
   - Element: **Delete** (button) — API Keys list  
   - Notes: Once deleted, the key cannot be recovered.

### Create RAM User and Assign Permissions

**Navigation**: Console > Resource Access Management (RAM) > Users > Create User

**Prerequisites**:
- Alibaba Cloud account with root access
- Understanding of required permissions for team members or applications

1. Navigate to the RAM console and select Users from the left navigation panel  
   - Element: **Users** (menu) — left navigation panel  

2. Click the Create User button in the top-right corner  
   - Element: **Create User** (button) — top-right corner  

3. Enter a username and choose the access type (console access, programmatic access, or both)  
   - Element: **Username** (text_input) — main content area  
   - Notes: Programmatic access uses an AccessKey pair (AccessKey ID and AccessKey secret) created for the user; console access requires a logon password. Grant only the access type the user actually needs.

4. Select a policy type: System policy or Custom policy  
   - Element: **Policy Type** (dropdown) — main content area  
   - Notes: System policies are predefined; custom policies allow granular control.

5. If selecting a system policy, choose one from the list of available policies  
   - Element: **Select Policy** (dropdown) — main content area  
   - Notes: Available policies include 'Manage permissions for OpenSearch Retrieval Engine Edition', 'Read-only access to OpenSearch Retrieval Engine Edition', and 'View/Add alert permissions'.

6. If creating a custom policy, click on the link to create a new policy  
   - Element: **Create a custom policy** (link) — main content area  
   - Notes: Redirects to the policy creation page where you can define actions and resources.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Username | text_input | Yes | — | The unique identifier for the RAM user |
| Access Type | radio | Yes | Console access, Programmatic access | Determines whether the user can log on through the web console, call APIs with an AccessKey pair, or both |
| Policy Type | radio | Yes | System policy, Custom policy | Specifies whether to use a predefined policy or create a custom one |
| Select Policy | dropdown | No | Manage permissions for OpenSearch Retrieval Engine Edition, Read-only access to OpenSearch Retrieval Engine Edition, View/Add alert permissions | Choose a system policy that matches the user's required permissions |

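A custom policy is only safer than a system policy if it is actually narrower. The following added example (not code from the page or from Alibaba Cloud) lints a RAM policy document for the usual over-grants: `Action` set to `*`, a whole-service `service:*` action, and `Resource` set to `*` with no `Condition`. The document shape (`Version` `"1"`, `Statement`, `Effect`/`Action`/`Resource`/`Condition`) is the RAM policy language; the OpenSearch action names and the resource string in the sample policies are illustrative assumptions, not a verified action list.

```python
import json

# Added example: a least-privilege linter for RAM policy documents.
# The "opensearch:..." action names and the "acs:opensearch:..." resource
# string in the samples are assumptions; take the real ones from the
# RAM console's action list for OpenSearch.


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_ram_policy(policy_json):
    """Return human-readable findings for Allow statements that grant more
    than a least-privilege policy should. An empty list means nothing was flagged."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "1":
        findings.append("Version must be the string '1'")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if not actions or not resources:
            findings.append(f"statement {i}: Action and Resource are required")
            continue
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every API on every service")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: '{action}' grants every API of a whole service")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"statement {i}: Resource '*' with no Condition applies to every resource")
    return findings


# Constructed sample policies (not real policies from any account).
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SERVICE_WIDE_WITH_CONDITION = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "opensearch:*",                     # assumed service code
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}},
    }],
})

SCOPED_READONLY_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["opensearch:Describe*", "opensearch:List*"],      # assumed action names
        "Resource": "acs:opensearch:cn-shanghai:*:app/prod-search",  # assumed resource format
    }],
})


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY),
                      ("service-wide", SERVICE_WIDE_WITH_CONDITION),
                      ("scoped", SCOPED_READONLY_POLICY)):
        print(name, lint_ram_policy(doc) or "ok")
```

Run the linter over a policy before attaching it to a RAM user; a system policy such as 'Read-only access to OpenSearch Retrieval Engine Edition' is usually the better choice when the scoped custom policy you end up writing is no narrower than it.
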
### Configure Access Key Environment

**Navigation**: Console > Security > RAM > Users > Create RAM User

**Prerequisites**:
- An Alibaba Cloud account
- A RAM user created with appropriate permissions
- AccessKey ID and AccessKey secret for the RAM user

1. Navigate to the RAM console and create a new RAM user  
   - Element: **Create RAM User** (button) — top-right corner  
   - Notes: Attach a policy that grants only the OpenSearch permissions the application needs. An AccessKey pair inherits exactly the user's permissions, so scope the user, not the key.

2. Generate an AccessKey pair for the RAM user  
   - Element: **Create AccessKey** (button) — main content area  
   - Notes: Download and securely store the AccessKey pair; it cannot be retrieved later.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| User Name | text_input | Yes | — | The name of the RAM user to be created. |
| Access Type | radio | Yes | Programmatic Access, Console Access | Select the type of access the RAM user will have. For API or SDK usage, select Programmatic Access and create an AccessKey pair for the user. |

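The overview describes this operation as setting up environment variables from the AccessKey credentials, but the steps end at key creation. The following added example (not code from the page or from Alibaba Cloud) loads a RAM user's AccessKey pair from a `KEY=VALUE` credentials file into the environment, refusing any file that is group- or world-accessible and never logging the secret. The variable names `ALIBABA_CLOUD_ACCESS_KEY_ID` and `ALIBABA_CLOUD_ACCESS_KEY_SECRET` are the ones the Alibaba Cloud SDK credential chain reads from the environment (an assumption to confirm against your SDK version); the credentials file the demo writes is a constructed sample.

```python
import os
import stat
import tempfile

# Added example: load an AccessKey pair from a 0600 credentials file into the
# process environment. The variable names below are assumed to match the
# Alibaba Cloud SDK credential chain; the key values used in demo() are fake.

REQUIRED_VARS = ("ALIBABA_CLOUD_ACCESS_KEY_ID", "ALIBABA_CLOUD_ACCESS_KEY_SECRET")


def redact(access_key_id):
    """Show only a short prefix of the AccessKey ID; the secret is never shown."""
    return access_key_id[:4] + "*" * max(len(access_key_id) - 4, 0)


def load_accesskey_env(path, environ=None):
    """Parse KEY=VALUE lines from `path` and export the two AccessKey variables.
    Raises PermissionError if the file is readable by group or others and
    KeyError if either variable is missing. Returns the redacted key ID,
    which is safe to log."""
    environ = os.environ if environ is None else environ
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {oct(stat.S_IMODE(mode))} is not 0600/0400")
    found = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if sep and key.strip() in REQUIRED_VARS:
                found[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_VARS if not found.get(k)]
    if missing:
        raise KeyError(f"{path}: missing {', '.join(missing)}")
    for key in REQUIRED_VARS:
        environ[key] = found[key]
    return redact(found["ALIBABA_CLOUD_ACCESS_KEY_ID"])


def demo():
    """Write a constructed credentials file, show that a world-readable copy is
    refused, then load a 0600 copy into a private dict instead of os.environ."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "alibabacloud.creds")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample, not a real key pair\n")
            fh.write("ALIBABA_CLOUD_ACCESS_KEY_ID=LTAIexampleKeyId0000\n")
            fh.write("ALIBABA_CLOUD_ACCESS_KEY_SECRET=exampleSecretValue\n")
        env = {}
        os.chmod(path, 0o644)  # the mistake the permission check catches
        try:
            load_accesskey_env(path, env)
            refused = False
        except PermissionError:
            refused = True
        os.chmod(path, 0o600)
        shown = load_accesskey_env(path, env)
        return {"refused_world_readable": refused,
                "key_id_loaded": env.get("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                "redacted": shown}


if __name__ == "__main__":
    print(demo())
```

Keeping the pair in a file the process reads at start-up, rather than in a shell profile or a hard-coded string, means the secret never lands in shell history or source control, and the mode check fails fast when the file is copied somewhere with looser permissions.
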
### Access OpenSearch Instance from Overlapping VPC

**Navigation**: VPC > Route Tables > Create Route Table

**Prerequisites**:
- An OpenSearch Retrieval Engine Edition instance in a VPC
- A VPC with overlapping CIDR blocks
- Permission to create VPC resources (NAT Gateway, vSwitch, route tables)

1. Log on to the VPC Peering Connection console, select the region of the requester VPC, and create a peering connection between vpc1 and vpc2  
   - Element: **Create vpc peering connection** (button) — top-right corner  

2. Add a secondary CIDR block to vpc2 and create a vSwitch  
   - Element: **Add Secondary IPv4 CIDR Block** (button) — VPC detail tab  

3. Go to the vSwitch page and click Create vSwitch  
   - Element: **Create vSwitch** (button) — vSwitch page  

4. Create a VPC NAT Gateway for Switch2  
   - Element: **Create VPC NAT Gateway** (button) — Navigation pane > NAT Gateway tab  

5. Configure an SNAT entry for the NAT gateway  
   - Element: **Create SNAT Entry** (button) — NAT Gateway details page > SNAT tab  

6. Create a custom route table for Switch2  
   - Element: **Create Route Table** (button) — Route Tables page  

7. In the system route table of vpc2, add a custom route entry for 100.103.22.210/32 (the example OpenSearch instance IP) with next hop set to the NAT gateway  
   - Element: **Add Route Entry** (button) — System route table for vpc2  

8. In the custom route table for Switch2, add a route entry for 100.103.22.210/32 with next hop set to the VPC peering connection  
   - Element: **Add Route Entry** (button) — Custom route table (bj2switch_routing)  

9. In the system route table of vpc1, add a custom route entry for 192.168.2.27/32 (the NAT IP) with next hop set to the VPC peering connection, so that return traffic reaches the NAT gateway rather than an address inside vpc1's own CIDR block  
   - Element: **Add Route Entry** (button) — System route table for vpc1  

### Connect VPCs via CEN

**Navigation**: Console > Cloud Enterprise Network > CEN Instances

**Prerequisites**:
- VPCs with non-overlapping CIDR blocks
- OpenSearch Retrieval Engine Edition instance created in a VPC
- Alibaba Cloud account with permissions to create CEN instances and transit routers

1. Log on to the CEN console and create a CEN instance  
   - Element: **Create CEN Instance** (button) — top-right corner of the CEN dashboard  

2. Create a transit router in the desired region  
   - Element: **Create Transit Router** (button) — main content area  

3. Create connections for VPCs on the transit router  
   - Element: **Attach Instance** (button) — Actions column of the transit router details page  
   - Notes: Select the correct VPC and region; configure vSwitches in each zone for high availability.

4. Create an inter-region connection between transit routers in different regions  
   - Element: **Attach Instance** (button) — Basic Information > Transit Router tab  
   - Notes: Set 'Instance Type' to 'Cross-Region', select both regions, and specify bandwidth.

5. Add route entries in the VPC route tables  
   - Element: **Add Route Entry** (button) — Custom Route tab of the route table  
   - Notes: Set the destination CIDR to the OpenSearch instance's IP address as a /32 host route and the next hop to the transit router.

6. Add a route entry in the transit router's route table  
   - Element: **Create Route Entry** (button) — Route Table tab of the transit router  
   - Notes: Set the next hop to the connection instance corresponding to the source VPC.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Instance Type | dropdown | Yes | VPC, Cross-Region | Specifies the type of network instance to connect. |
| Region | dropdown | Yes | China (Shanghai), China (Qingdao) | The region where the network instance is located. |
| Account | dropdown | Yes | Same Account | The Alibaba Cloud account to which the network instance belongs. |
| Connection Name | text_input | Yes | — | A name for the network connection. |
| Network Instance | dropdown | Yes | — | The VPC to be connected to the transit router. |
| vSwitch | checkbox | Yes | China (Shanghai) Zone F: Select vSwitch 1, China (Shanghai) Zone G: Select vSwitch 2, China (Qingdao) Zone H: Select vSwitch 1, China (Qingdao) Zone I: Select vSwitch 2 | Select one or more vSwitches in different zones for zone-disaster recovery. |
| Bandwidth | number_input | Yes | — | Specify the bandwidth value for the inter-region connection in Mbit/s. |

### Enable Cross-VPC Access with Conflicting CIDR

**Navigation**: VPC Console > VPCs > [Select vpc2] > Secondary IPv4 CIDR Block > Add Secondary IPv4 CIDR Block

**Prerequisites**:
- Two VPCs with overlapping CIDR blocks (e.g., both 10.0.0.0/8)
- An OpenSearch instance attached to vpc1
- Access to the VPC console and CEN console
- A secondary CIDR block available for assignment to vpc2

1. Log on to the VPC console and find the ID of vpc2  
   - Element: **vpc2** (link) — list of VPCs  

2. Go to the 'IPv4 CIDR Block' tab and click 'Add Secondary IPv4 CIDR Block'  
   - Element: **Add Secondary IPv4 CIDR Block** (button) — top of the IPv4 CIDR Block tab  

3. Select a secondary CIDR block (e.g., 172.16.0.0/12) and confirm  
   - Element: **Confirm** (button) — bottom of the dialog  

4. Create a vSwitch for the secondary CIDR block  
   - Element: **Create vSwitch** (button) — vSwitch page  

5. Set the VPC to vpc2 and select the new secondary CIDR block  
   - Element: **vpc2** (dropdown) — vSwitch creation form  

6. Click 'Create' to finalize the vSwitch  
   - Element: **Create** (button) — bottom of the form  

7. Navigate to VPC NAT gateway section and click 'Create VPC NAT Gateway'  
   - Element: **Create VPC NAT Gateway** (button) — left navigation pane under 'NAT Gateway'  

8. Select vpc2 and the zone where VSwitch_B2 is located, then confirm  
   - Element: **Submit** (button) — bottom of the form  

9. On the NAT gateway details page, go to the SNAT tab and click 'Create SNAT Entry'  
   - Element: **Create SNAT Entry** (button) — SNAT tab  

10. Select a NAT IP address (e.g., 192.168.0.13) and confirm  
    - Element: **Confirm** (button) — bottom of the dialog  

11. Create a custom route table and associate it with VSwitch_B2  
    - Element: **Create** (button) — Route Table page  

12. In the system route table of vpc2, add a custom route entry for the OpenSearch instance IP (100.103.87.165) with next hop as the NAT gateway  
    - Element: **Add Route Entry** (button) — system route table  

13. In the custom route table (vpc2_routing), add a route entry for 100.103.87.165 with next hop as the transit router connection for vpc2  
    - Element: **Add Route Entry** (button) — custom route table  

14. In the CEN console, add a route entry for 100.103.87.165 with next hop as the transit router connection for vpc1  
    - Element: **Add Route Entry** (button) — transit router route table  

15. In the system route table of vpc1, add a custom route entry for the NAT IP (192.168.0.13) with next hop as the transit router connection for vpc1  
    - Element: **Add Route Entry** (button) — system route table  

16. In the CEN console, add a route entry for the NAT IP (192.168.0.13) with next hop as the transit router connection for vpc2  
    - Element: **Add Route Entry** (button) — transit router route table  

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| VPC | dropdown | Yes | vpc2 | The VPC to which the NAT gateway will be attached. |
| Zone | dropdown | Yes | — | The availability zone where the NAT gateway will be created. |
| NAT IP | text_input | Yes | — | The private NAT IP address (for example 192.168.0.13) that the VPC NAT gateway substitutes as the source address of traffic leaving vpc2 for the OpenSearch instance; it must not fall inside vpc1's CIDR block. |
| Destination CIDR | text_input | Yes | — | The destination network range for the route entry. |
| Next Hop | dropdown | Yes | NAT Gateway, Transit Router Connection | The device or service that will handle the traffic for this route. |

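The three cross-VPC procedures above come down to one decision: if the two CIDR blocks do not overlap, attach both VPCs to the transit router and route the instance's /32 towards vpc1; if they do overlap, give vpc2 a secondary CIDR block and a VPC NAT gateway so that vpc1 only ever sees a source address outside its own block. The following added example (not code from the page or from Alibaba Cloud) makes that decision from the CIDR blocks, validates the secondary block and NAT IP against vpc1, and lists the route entries in the order the steps above create them. Route-table and next-hop names are descriptive labels, not console identifiers; for the VPC-peering variant the next hop is the peering connection instead of the transit router connection. The addresses in the usage at the bottom are the page's example values.

```python
import ipaddress

# Added example: plan cross-VPC access to an OpenSearch instance in vpc1 from
# clients in vpc2. Labels such as "vpc2 system route table" are descriptive
# only; map them to the real route table IDs in your account.


def _net(cidr):
    """Parse a CIDR block, tolerating host bits (strict=False)."""
    return ipaddress.ip_network(cidr, strict=False)


def overlaps(cidr_a, cidr_b):
    return _net(cidr_a).overlaps(_net(cidr_b))


def plan_cross_vpc_access(vpc1_cidr, vpc2_cidr, opensearch_ip,
                          secondary_cidr=None, nat_ip=None):
    """Return {"mode": ..., "routes": [(route table, destination CIDR, next hop), ...]}
    for reaching `opensearch_ip` in vpc1 from vpc2. Raises ValueError when the
    overlapping-CIDR design is needed but its inputs are missing or unsafe."""
    os_host = f"{ipaddress.ip_address(opensearch_ip)}/32"  # host route, not a block
    vpc1 = _net(vpc1_cidr)

    if not overlaps(vpc1_cidr, vpc2_cidr):
        # CEN with transit routers is enough: route the instance IP from vpc2
        # to the transit router, then from the transit router to vpc1.
        return {"mode": "cen-direct", "routes": [
            ("vpc2 system route table", os_host, "transit router connection (vpc2)"),
            ("transit router route table", os_host, "transit router connection (vpc1)"),
        ]}

    if secondary_cidr is None or nat_ip is None:
        raise ValueError("CIDRs overlap: vpc2 needs a secondary CIDR block and a NAT IP")
    secondary = _net(secondary_cidr)
    nat = ipaddress.ip_address(nat_ip)
    # vpc1 routes return traffic to the NAT IP; if that address sits inside
    # vpc1's own block, vpc1's local route wins and replies never leave it.
    if secondary.overlaps(vpc1):
        raise ValueError(f"secondary CIDR {secondary} overlaps vpc1 {vpc1}")
    if secondary.overlaps(_net(vpc2_cidr)):
        raise ValueError(f"secondary CIDR {secondary} overlaps vpc2's primary block")
    if nat in vpc1:
        raise ValueError(f"NAT IP {nat} falls inside vpc1 {vpc1}")
    nat_host = f"{nat}/32"
    return {"mode": "secondary-cidr-nat", "routes": [
        ("vpc2 system route table", os_host, "VPC NAT gateway"),
        ("vpc2 custom route table (vSwitch in secondary CIDR)", os_host,
         "transit router connection (vpc2)"),
        ("transit router route table", os_host, "transit router connection (vpc1)"),
        ("vpc1 system route table", nat_host, "transit router connection (vpc1)"),
        ("transit router route table", nat_host, "transit router connection (vpc2)"),
    ]}


if __name__ == "__main__":
    # Page example: both VPCs 10.0.0.0/8, OpenSearch at 100.103.87.165,
    # secondary block 172.16.0.0/12 on vpc2, NAT IP 192.168.0.13.
    plan = plan_cross_vpc_access("10.0.0.0/8", "10.0.0.0/8", "100.103.87.165",
                                 secondary_cidr="172.16.0.0/12", nat_ip="192.168.0.13")
    print(plan["mode"])
    for table, dest, hop in plan["routes"]:
        print(f"  {table:52} {dest:20} -> {hop}")
```

The two ValueError branches are the checks worth running before touching the console: a secondary block or NAT IP that collides with vpc1 produces a configuration that looks complete in every route table yet silently black-holes the return path.
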
### Configure DSW Network Access to OpenSearch

**Navigation**: Platform for AI (PAI) > Data Science Workshop (DSW)

**Prerequisites**:
- An OpenSearch Retrieval Engine Edition instance already created
- Access to the PAI console with appropriate permissions
- IP address of the OpenSearch instance obtained from its details page

1. Log on to the Platform for AI (PAI) console and select the workspace  
   - Element: **Platform for AI (PAI)** (link) — top navigation bar  

2. Click Data Science Workshop (DSW) in the left navigation pane  
   - Element: **Data Science Workshop (DSW)** (menu) — left navigation panel  

3. Click the ID of the DSW instance to configure  
   - Element: **Instance ID** (link) — instance list  

4. Click the configuration button in the upper-right corner  
   - Element: **Configuration** (button) — upper-right corner  
   - Notes: The exact button label varies by console version.

5. Select the VPC of the OpenSearch instance in the VPC field  
   - Element: **VPC** (dropdown) — Network Configuration section  

6. Select or create a security group for the DSW instance  
   - Element: **Security Group** (dropdown) — Network Configuration section  

7. Select the corresponding vSwitch for the OpenSearch instance  
   - Element: **vSwitch** (dropdown) — Network Configuration section  

8. Enter the IP address of the OpenSearch instance in the custom CIDR block text box  
   - Element: **Custom CIDR Block** (text_input) — Network Configuration section  
   - Notes: The input field appears after selecting 'Custom'. Example: 100.103.22.210

9. Click Yes to confirm the configuration change  
   - Element: **Yes** (button) — confirmation dialog  

10. Stop the DSW instance, then start it again to apply changes  
    - Element: **Stop** (button) — upper-right corner  
    - Notes: After stopping, click 'Start' to restart the instance with new network settings.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| VPC | dropdown | Yes | — | Select the Virtual Private Cloud where the OpenSearch Retrieval Engine Edition instance resides. |
| Security Group | dropdown | Yes | Select existing, Create new | Choose an existing security group or create a new one to control inbound/outbound traffic for the DSW instance. |
| vSwitch | dropdown | Yes | — | Select the vSwitch that corresponds to the OpenSearch instance's network zone. |
| Custom CIDR Block | text_input | Yes | — | Enter the IP address of the OpenSearch instance (e.g., 100.103.22.210) to allow direct access. |

## FAQ

Q: Where do I find the API key management page?
A: Navigate to the AI Search Open Platform console, select your region, and click **API keys** in the left navigation panel.

Q: What happens if I lose my API key after creation?
A: The API key is displayed only once. If lost, you must create a new key and update all services using the old key.

Q: Can I modify a RAM user’s permissions after creation?
A: Yes. Go to the RAM console > Users, find the user, and click **Add Permissions** or **Remove Permissions** to adjust policies.

Q: Why can’t my DSW instance connect to OpenSearch even after configuration?
A: Ensure the DSW instance is stopped and restarted after network changes, and verify that the OpenSearch IP is correctly entered in the **Custom CIDR Block** field.

Q: Do I need to pay extra for RAM users or API keys?
A: No. Creating RAM users, AccessKeys, and API keys is free. You are only billed for the underlying OpenSearch or other cloud resource usage.

## Pricing & Billing

### Billing Model
- API key management, RAM user creation, and permission assignment are **free**.
- VPC NAT Gateway and Cloud Enterprise Network (CEN) resources incur hourly or per-minute charges.
- OpenSearch Retrieval Engine Edition is billed per instance hour.

### Price Reference
| Tier | Input Price | Output Price | Other Price |
|------|-------------|--------------|-------------|
| OpenSearch Retrieval Engine Edition | 0.002 / | 0.002 / | — |
| Enterprise Edition Transit Router | 0.002 / | 0.002 / | — |
| Inter-region Connection | 0.008 / | 0.008 / | Data transfer charges apply based on actual usage |
| CEN Instance | 0.002 / | — | — |
| VPC NAT Gateway | 0.002 / | 0.002 / | — |

### Free Tier
- No explicit free tier for networking components (CEN, NAT Gateway).
- RAM users, AccessKeys, and API keys are free to create and manage.

### Billing Notes
- CEN inter-region connections are billed per minute with a minimum charge of 1 minute.
- OpenSearch instance billing is based on runtime duration, with a minimum unit of 1 hour.
- Data transfer across regions via CEN incurs additional data transfer fees.
- RAM user and API key operations do not generate direct charges; costs arise only from the resources they access.