Contact UsGet started

Configuring access to Object Storage from an OpenSearch cluster

Written by
Updated at May 5, 2025

Managed Service for OpenSearch supports using Yandex Object Storage as an OpenSearch snapshot repository. This allows you to use Object Storage to store backups. For more information about snapshot repositories, see the OpenSearch documentation.

To access Object Storage bucket data from a cluster:

  1. Connect the service account to the cluster.
  2. Configure access permissions.
  3. Connect a snapshot repository.

Before you begin, assign the iam.serviceAccounts.user role or higher to your Yandex Cloud account. You will need this role in the following cases:

  • To create or modify a cluster and link it to a service account.
  • To restore a cluster linked to a service account from its backup.

Connect the service account to the cluster

  1. When creating or updating a cluster, either select an existing service account or create a new one.

  2. Assign the storage.editor role to this account.

Configure access permissions

  1. In the management console, select the folder with the appropriate bucket. If there is no such bucket, create one.

  2. Select Object Storage.

  3. Select the Buckets tab.

  4. Set up the bucket ACL:

    1. In the Select a user drop-down list, specify the service account connected to the cluster.
    2. Select the READ and WRITE permissions for the selected service account.
    3. Click Add and Save.

Connect a snapshot repository

Alert

If a bucket is registered in an OpenSearch cluster as a snapshot repository, do not edit the bucket contents manually as this will disrupt the OpenSearch snapshot mechanism.

  1. Install the repository-s3 plugin.

  2. Connect to the cluster.

  3. Register the bucket as a snapshot repository using the public OpenSearch API:

    PUT --cacert ~/.opensearch/root.crt https://admin:<password>@<ID_of_OpenSearch_host_with_DATA_role>.mdb.yandexcloud.net:9200/_snapshot/<repository_name>

    In the request parameters, specify the bucket associated with the cluster service account:

    curl --request PUT \
     "https://admin:<password>@<ID_of_OpenSearch_host_with_DATA_role>.mdb.yandexcloud.net:9200/_snapshot/<repository_name>" \
     --cacert ~/.opensearch/root.crt \
     --header "Content-Type: application/json" \
     --data '{
       "type": "s3",
       "settings": {
         "endpoint": "storage.yandexcloud.net",
         "bucket": "<bucket_name>"
       }
     }'
Previous
Managing backups
Next
Deleting a cluster