---
Title: Configure access
URL Source: https://company-skill.com/p/opensearch/opensearch-configure-access
Language: en
Description: You need to securely access Alibaba Cloud OpenSearch services, either by managing long-term credentials and network policies (e.g., for teams or infrastructure), or by embedding short-lived…
---

# Configure access

Part of **OpenSearch**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You need to securely access Alibaba Cloud OpenSearch services, either by managing long-term credentials and network policies (e.g., for teams or infrastructure), or by embedding short-lived authentication tokens directly in application code.

- How to manage API keys for OpenSearch?

- How to grant RAM user permissions?

## Decision Tree

Pick the best path for your situation:

- **If** you are a system administrator configuring **RAM user**, **API keys**, or **VPC network policies** (e.g., handling CIDR overlap via Cloud Enterprise Network) → Use Console (go to *opensearch/opensearch-security*)
- **If** you are a developer integrating **Authorization: Bearer YOUR_API_KEY** or **STS token** (from **AssumeRole**) into code that calls **opensearch-cn-hangzhou.aliyuncs.com** → Use API (go to *opensearch/opensearch-security*)
- **If** your application requires automated credential rotation, CI/CD integration, or uses **DASHSCOPE_API_KEY** in environment variables → Use API
- **Otherwise (default)** → Start with **Console** if you lack coding experience or need to manage team access; otherwise use the API path for programmatic use.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Console | RAMAPIVPC | medium | No | No | API | `opensearch/guide/opensearch-security` |
| API | STS | medium | Yes | Yes | STS15 | `opensearch/api/opensearch-security` |

## Path Details

### Path 1: Console / Dashboard

**Best For**: RAMAPIVPC

**Brief Description**: This approach uses the **Console** to manage OpenSearch security via graphical interfaces. You can create **API keys**, set up **RAM user** accounts with fine-grained permissions, and configure **AccessKey** pairs. It also supports advanced networking like **VPC NAT Gateway** and **Cloud Enterprise Network (CEN)** to resolve overlapping CIDRs.

**Key technical facts**:
- Billing: API keyRAMVPC NATCENOpenSearch

### Path 2: API

**Best For**: STS

**Brief Description**: This method authenticates OpenSearch requests via HTTP headers using **Authorization: Bearer** with an **API key** (e.g., from **DASHSCOPE_API_KEY**) or temporary credentials from **AssumeRole**, which yields an **accessKeyId**, **accessKeySecret**, and **securityToken**. Requests target endpoints like **opensearch-cn-hangzhou.aliyuncs.com** and must handle errors such as **401 Unauthorized** or **403 Forbidden**.

**Key technical facts**:
- Billing: API10000.001/0.002/
- Auth method: Bearer token via the Authorization header, or STS credentials (accessKeyId + accessKeySecret + securityToken)

**When to Use**:
- OpenSearch API

## FAQ

Q: Which path should I start with?
A: If you’re setting up team access, managing **RAM user** permissions, or resolving VPC issues like CIDR overlap, start with the Console path. If you’re writing code that calls OpenSearch (e.g., using **DASHSCOPE_API_KEY** or **STS token**), use the API path.

Q: What if I need to call OpenSearch from a script but chose the Console path?
A: You’ll hit a dead end — the Console path doesn’t support automation. You cannot script **API keys** creation or inject credentials into code without manual copy-paste, and there’s no way to generate **securityToken** via UI alone.

Q: What if I’m a developer using **opensearch-cn-hangzhou.aliyuncs.com** but chose the Console path for authentication?
A: You’ll get **401 Unauthorized** or **403 Forbidden** errors because the Console path doesn’t provide programmatic ways to include **Authorization: Bearer** tokens or **STS token** in HTTP requests — those require code-level integration.

Q: Can I use permanent **AccessKey** pairs with the API path?
A: No — the REST API only supports **Authorization: Bearer YOUR_API_KEY** (from **DASHSCOPE_API_KEY**) or **STS token** from **AssumeRole**. Permanent **AccessKey** pairs are only usable via SDKs or CLI, not raw REST calls.

Q: Does the Console path support **STS token**?
A: No — **STS token** and **AssumeRole** are exclusively for programmatic use. The Console path manages long-term credentials like **API keys** and **RAM user AccessKey**, not temporary tokens.

Q: What happens if my **STS token** expires during a long-running job?
A: Subsequent requests will fail with **401 Unauthorized**. You must implement token refresh logic by re-calling **AssumeRole** before expiration — this is only feasible in the API path.

Q: Can I fix VPC CIDR overlap using the API path?
A: No — VPC, NAT Gateway, and CEN configuration are infrastructure tasks only available in the Console. The API path handles request-level auth, not network topology.
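
An added example, not code from the original page or from Alibaba Cloud: one way to implement the token refresh described in the FAQ, renewing credentials ahead of expiry, retrying once on **401 Unauthorized**, and treating **403 Forbidden** as a permissions problem that a refresh cannot fix. `assume_role` and `send` are hypothetical callables you supply (your real **AssumeRole** call and your HTTP request), and `expires_at` is an assumption about what your AssumeRole wrapper returns.

```python
import threading
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class StsCredentials:
    access_key_id: str
    access_key_secret: str = field(repr=False)  # keep secrets out of logs and tracebacks
    security_token: str = field(repr=False)
    expires_at: float = 0.0  # epoch seconds; assumed to be derived from the AssumeRole response


class RefreshingCredentials:
    """Caches STS credentials and re-calls AssumeRole shortly before they expire."""

    def __init__(self, assume_role: Callable[[], StsCredentials],
                 skew: float = 300.0, clock: Callable[[], float] = time.time):
        self._assume_role = assume_role  # hypothetical wrapper around the real STS call
        self._skew = skew                # refresh this many seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()    # one refresh at a time across worker threads
        self._creds: Optional[StsCredentials] = None

    def get(self, force: bool = False) -> StsCredentials:
        with self._lock:
            stale = (self._creds is None
                     or self._clock() >= self._creds.expires_at - self._skew)
            if force or stale:
                self._creds = self._assume_role()
            return self._creds


def call_with_refresh(provider: RefreshingCredentials,
                      send: Callable[[StsCredentials], int]) -> int:
    """send(creds) returns the HTTP status. Retries once on 401; never retries 403."""
    status = send(provider.get())
    if status == 401:  # token expired or rejected: fetch new credentials, retry once
        status = send(provider.get(force=True))
        if status == 401:
            raise RuntimeError("401 Unauthorized persists after refreshing credentials")
    if status == 403:  # authenticated but not authorized: fix the policy, not the token
        raise PermissionError("403 Forbidden: refreshing credentials will not help")
    return status
```

Keep the role session duration comfortably longer than `skew`, otherwise every call triggers a new AssumeRole request.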

