---
Title: Manage access
URL Source: https://company-skill.com/p/es/es-manage-access
Language: en
Description: You want to securely authenticate and authorize access to your Alibaba Cloud Elasticsearch (OpenSearch) service, whether through code, CLI, or console, using appropriate credential types and…
---

# Manage access

Part of **Elasticsearch**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to securely authenticate and authorize access to your Alibaba Cloud Elasticsearch (OpenSearch) service, whether through code, CLI, or console, using appropriate credential types and permission models.

- How do I secure API calls to OpenSearch?

- Can I manage credentials via the console?
- RAM Elasticsearch 

## Decision Tree

Pick the best path for your situation:

- **If** your application runs on Alibaba Cloud ECS or Function Compute and requires **temporary credentials** via STS → Use API STS (go to *es/es-security*)
- **If** you are a solo developer needing a **long-term AccessKey** for local debugging or simple scripts → Use AccessKey (go to *es/es-security*)
- **If** you operate in an enterprise environment and must assign **minimum required permissions** to different team roles following the **least privilege principle** → Use RAM (go to *es/es-instance*)
- **Otherwise (default)** → Start with **RAM**, as it provides the strongest security foundation for production environments and supports RBAC via **RAM policy** assignments.

## Path Comparison

| Path | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|------------|---------------|------------|----------|--------------|
| API STS | medium | Yes | Yes | Auth uses Bearer Token or **temporary credentials**; available in cn-hangzhou, cn-shanghai, cn-beijing | `es/api/es-security` |
| AccessKey | low | No | No | Uses **AccessKey** pair stored in **environment variables**; free of charge | `es/guide/es-security` |
| RAM | medium | No | No | Requires **Create User**, **Programmatic Access**, and **Add Permissions** with policies like **AliyunOpenSearchFullAccess** | `es/guide/es-instance` |

## Path Details

### Path 1: API STS 

**Brief Description**: This approach uses the Elasticsearch Security API with a **Bearer Token** in the Authorization header, or integrates **temporary credentials** from Alibaba Cloud STS. It requires a **RAM user** with appropriate **RAM policy** permissions (e.g., `opensearch:Search`) and, for Java, `open-search-sdk>=1.0.0`.

**Key technical facts**:
- Billing: API calls are billed per request; free tier resets monthly.
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing

**Known Limitations**:
- Requires code implementation for authentication handling
- STS tokens are temporary and require an AssumeRole operation to refresh
- API keys must be associated with RAM policies granting specific Elasticsearch actions (e.g., `opensearch:Search`)
- No console-based management of credentials in this path

### Path 2: AccessKey 

**Brief Description**: This method guides you through the Alibaba Cloud **console** to navigate to **Users**, select a **RAM user**, and use **Create AccessKey** to generate a key pair. The secret is stored in **environment variables** (e.g., `ALIBABA_CLOUD_ACCESS_KEY_ID`) for local use.

**Key technical facts**:
- Billing: Creating AccessKeys and using RAM users is free of charge.

### Path 3: RAM 

**Brief Description**: Using the Alibaba Cloud **console**, you perform **Create User**, set **User Name** and **Access Type** to **Programmatic Access**, then use **Add Permissions** to attach policies such as **AliyunOpenSearchFullAccess** or custom policies defining **minimum required permissions**.

**Key technical facts**:
- Billing: RAM user management and AccessKey creation are free of charge.

- 1,000RAM

## FAQ

Q: Which path should I start with?
A: If you're in a team or production setting, start with **RAM** to enforce the **least privilege principle**. Solo developers testing locally can begin with **AccessKey**.

Q: What if I need to run my app on Function Compute but used the AccessKey console method?
A: You’ll be forced to embed long-term secrets in your function code or config, violating security best practices. Instead, use **temporary credentials** via the API/STS path, which integrates natively with Function Compute’s execution role.

Q: What if I’m in an enterprise team but chose the simple AccessKey method?
A: You’ll lack role separation—everyone shares the same **RAM user**’s full permissions, making audit and least-privilege enforcement impossible. You’ll also hit the 2-**AccessKey** limit per **RAM user** quickly.

Q: Can I use AliyunOpenSearchFullAccess for all users?
A: While **AliyunOpenSearchFullAccess** simplifies setup, it violates the **minimum required permissions** principle. For production, define custom **RAM policy** documents granting only necessary actions like `opensearch:Search` or `opensearch:Write`.
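
As an added example (not Alibaba Cloud's or this page's own code), the linter below checks a RAM policy document against the minimum-required-permissions rule from the answer above. Both sample policies are constructed, and the resource ARN in the scoped one is a placeholder whose format is an assumption.

```python
import json

# Actions this workload needs; "opensearch:Search" is the page's example action.
ALLOWED_ACTIONS = frozenset({"opensearch:Search"})

# Constructed sample: a full-access-style policy (wildcard action and resource).
BROAD_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "opensearch:*", "Resource": "*"}
  ]
}"""

# Constructed sample: one action on one app. The ARN is a placeholder and its
# format is an assumption; substitute the resource ARN of your own instance.
SCOPED_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["opensearch:Search"],
     "Resource": "acs:opensearch:cn-hangzhou:<account-id>:apps/<app-name>"}
  ]
}"""

def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json, allowed_actions=ALLOWED_ACTIONS):
    """Return findings for Allow statements broader than allowed_actions."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: action {action!r} not in allow-list")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: unscoped resource '*'")
    return findings

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "OK")
```

Run it in review or CI against each custom policy before attaching it to a **RAM user**, with `allowed_actions` set per team role.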

Q: Do all paths support the same regions?
A: Only the API/STS path explicitly lists supported regions (**cn-hangzhou, cn-shanghai, cn-beijing**). Console-based paths (AccessKey and RAM user creation) are global Alibaba Cloud features and work in all regions—but always verify OpenSearch instance availability separately.

Q: Is there a way to automate RAM user creation with permissions?
A: Not via these console paths—they are manual. For automation, combine the **API/STS path** with Infrastructure-as-Code (e.g., Terraform) to provision **RAM user** and **RAM policy** resources programmatically.

