
# OpenSearch permissions

The service principal (IAM role or OpenSearch internal user) requires the following permissions to manage index templates, create physical indices, and write documents.

## Cluster permissions

| Permission | Purpose |
|---|---|
| `indices:admin/index_template/put` | Create or update index templates on startup. |
| `indices:admin/aliases/get` | Required at cluster level for alias resolution. |
| `indices:data/write/bulk` | Write documents via the bulk API. |

## Index permissions

These permissions must be granted on the index pattern `*` so that the service can operate on all of its index patterns without per-index configuration.

| Permission | Purpose |
|---|---|
| `indices:admin/create` | Create new physical indices on first startup. |
| `indices:admin/aliases` | Manage index aliases (set the write alias on initial index creation). |
| `indices:admin/aliases/exists` | Check whether an alias exists before creating the initial index. |
| `indices:admin/aliases/get` | Resolve which physical indices are behind a write alias. |
| `indices:admin/mappings/get` | Read the current mapping of a physical index to check the schema version. |
| `indices:admin/mapping/put` | Update the mapping of a physical index when a new minor version is detected. |
| `indices:data/write/bulk*` | Write documents via the bulk API (wildcard form). |
| `indices:data/write/bulk` | Write documents via the bulk API. |
| `indices:data/write/index` | Index (upsert) individual documents. |
| `indices:data/write/delete` | Delete individual documents. |
| `indices:data/read/get` | Read individual documents (used for validation). |
| `indices:data/read/search` | Execute search queries (used for validation). |

## OpenSearch security role JSON

```json
{
  "cluster_permissions": [
    "indices:admin/index_template/put",
    "indices:admin/aliases/get",
    "indices:data/write/bulk"
  ],
  "index_permissions": [
    {
      "index_patterns": ["*"],
      "allowed_actions": [
        "indices:admin/create",
        "indices:admin/aliases",
        "indices:admin/aliases/exists",
        "indices:admin/aliases/get",
        "indices:admin/mappings/get",
        "indices:admin/mapping/put",
        "indices:data/write/bulk*",
        "indices:data/write/bulk",
        "indices:data/write/index",
        "indices:data/write/delete",
        "indices:data/read/get",
        "indices:data/read/search"
      ]
    }
  ]
}
```
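The following is an added example, not part of this documentation or the service's own code. It checks a role document against the two permission tables above: it reports required actions the role does not grant (honouring `*` wildcards in both `index_patterns` and `allowed_actions`, as the OpenSearch security plugin does), and it flags grants that also cover actions the service never needs. The role text is the one shown above; the `NOT_REQUIRED` list and the index name `events-000001` are constructed for the check.

```python
import fnmatch
import json

# Role document as shown in the "OpenSearch security role JSON" section.
ROLE_JSON = """
{
  "cluster_permissions": [
    "indices:admin/index_template/put",
    "indices:admin/aliases/get",
    "indices:data/write/bulk"
  ],
  "index_permissions": [
    {
      "index_patterns": ["*"],
      "allowed_actions": [
        "indices:admin/create",
        "indices:admin/aliases",
        "indices:admin/aliases/exists",
        "indices:admin/aliases/get",
        "indices:admin/mappings/get",
        "indices:admin/mapping/put",
        "indices:data/write/bulk*",
        "indices:data/write/bulk",
        "indices:data/write/index",
        "indices:data/write/delete",
        "indices:data/read/get",
        "indices:data/read/search"
      ]
    }
  ]
}
"""

# Required actions, taken from the two tables above.
REQUIRED_CLUSTER = [
    "indices:admin/index_template/put",
    "indices:admin/aliases/get",
    "indices:data/write/bulk",
]
REQUIRED_INDEX = [
    "indices:admin/create",
    "indices:admin/aliases",
    "indices:admin/aliases/exists",
    "indices:admin/aliases/get",
    "indices:admin/mappings/get",
    "indices:admin/mapping/put",
    "indices:data/write/bulk",
    "indices:data/write/index",
    "indices:data/write/delete",
    "indices:data/read/get",
    "indices:data/read/search",
]

# Constructed list (not from the page): actions the service does not need. Any grant
# pattern that also covers one of these is wider than the tables call for.
NOT_REQUIRED = [
    "indices:admin/delete",
    "indices:admin/settings/update",
    "indices:data/write/delete/byquery",
]


def matches(name, patterns):
    """True if `name` is covered by any glob pattern in `patterns` ('*' also spans '/')."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def load_role(text):
    return json.loads(text)


def missing_cluster_actions(role):
    allowed = role.get("cluster_permissions", [])
    return [a for a in REQUIRED_CLUSTER if not matches(a, allowed)]


def index_actions_for(role, index_name):
    """Union of allowed_actions from every index_permissions entry whose patterns cover index_name."""
    allowed = []
    for entry in role.get("index_permissions", []):
        if matches(index_name, entry.get("index_patterns", [])):
            allowed.extend(entry.get("allowed_actions", []))
    return allowed


def missing_index_actions(role, index_name):
    allowed = index_actions_for(role, index_name)
    return [a for a in REQUIRED_INDEX if not matches(a, allowed)]


def overly_broad_grants(role, index_name):
    """Grant patterns applying to index_name that also cover an action in NOT_REQUIRED."""
    return sorted({p for p in index_actions_for(role, index_name)
                   for a in NOT_REQUIRED if fnmatch.fnmatchcase(a, p)})


if __name__ == "__main__":
    role = load_role(ROLE_JSON)
    print("missing cluster actions:", missing_cluster_actions(role))
    print("missing index actions:", missing_index_actions(role, "events-000001"))
    print("overly broad grants:", overly_broad_grants(role, "events-000001"))
```

Run it against a role exported from the cluster (for example the output of `GET _plugins/_security/api/roles/<role>`) to confirm the role is neither short of the required actions nor wider than the tables above; a single `indices:*` or `*` entry passes the first check and is caught by the second.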