Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Updating OpenSearch cluster settings

Written by
Updated at January 30, 2026

After creating a cluster, you can change:

You can also:

Changing a service account

To attach a service account to a Managed Service for OpenSearch cluster, assign the iam.serviceAccounts.user role or higher to your Yandex Cloud account.

Warning

If the cluster already uses a service account to access objects from Object Storage, then changing it to a different service account may make these objects unavailable and interrupt the cluster operation. Before changing the service account settings, make sure that the cluster doesn't use the objects in question.

For more information about setting up a service account, see Configuring access to Object Storage.

To change a service account attached to a Managed Service for OpenSearch cluster:

  1. In the management console, navigate to the folder page.
  2. Navigate to the Managed Service for OpenSearch service.
  3. Select your cluster and click Edit in the top panel.
  4. In the Service account field, select the account you need from the list or create a new one. For more information about setting up a service account, see Configuring access to Object Storage.
  5. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change a service account attached to a Managed Service for OpenSearch cluster, run this command:

yc managed-opensearch cluster update <cluster_name_or_ID> \
   --service-account-name <service_account_name>

You can get the cluster name and ID with the list of clusters in the folder.

For more information about setting up a service account, see Configuring access to Object Storage.

To change a service account attached to a Managed Service for OpenSearch cluster:

  1. Open the current Terraform configuration file describing your infrastructure.

    For a complete list of Managed Service for OpenSearch cluster configuration fields you can update, see this Terraform provider guide.

  2. In the service_account_id field, specify the service account ID:

    resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
    ...
    service_account_id = "<service_account_ID>"
}

    For more information about setting up a service account, see Configuring access to Object Storage.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.Update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
    --data '{
                "updateMask": "serviceAccountId",
                "serviceAccountId": "<service_account_ID>"
            }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

      Here, we provide only one setting.

    • serviceAccountId: ID of the service account used for cluster operations.

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the ClusterService.Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
            "cluster_id": "<cluster_ID>",
            "update_mask": {
                "paths": [
                    "service_account_id"
                ]
            },
            "service_account_id": "<service_account_ID>"
        }' \
mdb.api.cloud.yandex.net:443 \
yandex.cloud.mdb.opensearch.v1.ClusterService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      Here, we provide only one setting.

    • service_account_id: ID of the service account used for cluster operations.

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

Changing the admin password

  1. In the management console, navigate to the folder page.

  2. Navigate to the Managed Service for OpenSearch service.

  3. Select your cluster and click Edit in the top panel.

  4. In the Admin password field, enter a new password.

    The password must include three groups of characters out of these four:

    • Lowercase Latin letters
    • Uppercase Latin letters
    • Numbers
    • Special characters

    The password must be from 10 to 72 characters long.

  5. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change the admin password for a cluster, enter a new password using one of these methods:

  • Entering a password as plain text (less secure method).

    yc managed-opensearch cluster update <cluster_name_or_ID> \
   --admin-password <new_password>

    The password must include three groups of characters out of these four:

    • Lowercase Latin letters
    • Uppercase Latin letters
    • Numbers
    • Special characters

    The password must be from 10 to 72 characters long.

  • Generating a password automatically. The generated password will be output to the console.

    yc managed-opensearch cluster update <cluster_name_or_ID> \
   --generate-admin-password

You can get the cluster name and ID with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    For a complete list of Managed Service for OpenSearch cluster configuration fields you can update, see this Terraform provider guide.

  2. In the config section, change the admin_password field value:

    resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
    ...
    config {
        admin_password = "<new_admin_password>"
    }
}

    The password must include three groups of characters out of these four:

    • Lowercase Latin letters
    • Uppercase Latin letters
    • Numbers
    • Special characters

    The password must be from 10 to 72 characters long.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.Update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
    --data '{
                "updateMask": "configSpec.adminPassword",
                "configSpec": {
                    "adminPassword": "<new_password>"
                }
            }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

      Here, we provide only one setting.

    • configSpec.adminPassword: New admin password.

      The password must include three groups of characters out of these four:

      • Lowercase Latin letters
      • Uppercase Latin letters
      • Numbers
      • Special characters

      The password must be from 10 to 72 characters long.

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the ClusterService.Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
            "cluster_id": "<cluster_ID>",
            "update_mask": {
                "paths": [
                    "config_spec.admin_password"
                ]
            },
            "config_spec": {
                "admin_password": "<new_password>"
            }
        }' \
mdb.api.cloud.yandex.net:443 \
yandex.cloud.mdb.opensearch.v1.ClusterService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      Here, we provide only one setting.

    • config_spec.admin_password: New admin password.

      The password must include three groups of characters out of these four:

      • Lowercase Latin letters
      • Uppercase Latin letters
      • Numbers
      • Special characters

      The password must be from 10 to 72 characters long.

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

Updating OpenSearch settings

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

Run the following command with the list of settings to update:

yc managed-opensearch cluster update <cluster_name_or_ID> \
   --max-clause-count <number_of_Boolean_clauses> \
   --fielddata-cache-size <JVM_heap_size> \
   --reindex-remote-whitelist <host_address>:<port>

You can get the cluster name and ID with the list of clusters in the folder.

The settings in the command include:

  • --max-clause-count: Maximum allowed number of boolean clauses per query. For more information, see this OpenSearch guide.
  • --fielddata-cache-size: JVM heap size allocated for the fielddata data structure. You can specify either an absolute value or percentage, e.g., 512mb or 50%. For more information, see this OpenSearch guide.
  • --reindex-remote-whitelist: List of remote hosts whose indexes contain documents to copy for reindexing. Specify the parameter value as <host_address>:<port>. If you need to specify more than one host, list values separated by commas. For more information, see this OpenSearch guide.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.Update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
    --data '{
                "updateMask": "configSpec.opensearchSpec.opensearchConfig_2.maxClauseCount,configSpec.opensearchSpec.opensearchConfig_2.fielddataCacheSize,configSpec.opensearchSpec.opensearchConfig_2.reindexRemoteWhitelist",
                "configSpec": {
                    "opensearchSpec": {
                        "opensearchConfig_2": {
                            "maxClauseCount": "<number_of_Boolean_clauses>",
                            "fielddataCacheSize": "<JVM_heap_size>",
                            "reindexRemoteWhitelist": "<host_address>:9200"
                        }
                    }
                }
            }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

    • configSpec.opensearchSpec.opensearchConfig_2: OpenSearch settings:

      • maxClauseCount: New maximum allowed number of boolean clauses. For more information, see this OpenSearch guide.

      • fielddataCacheSize: New JVM heap size allocated for the fielddata data structure. You can specify either an absolute value or percentage, e.g., 512mb or 50%. For more information, see this OpenSearch guide.

      • reindexRemoteWhitelist: New list of remote hosts whose indexes contain documents to copy for reindexing. Specify the host FQDN and port 9200, separated by a colon. To specify multiple hosts, list them separated by commas after the port. For more information, see this OpenSearch guide.

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the ClusterService.Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
            "cluster_id": "<cluster_ID>",
            "update_mask": {
                "paths": [
                    "config_spec.opensearch_spec.opensearch_config_2.max_clause_count",
                    "config_spec.opensearch_spec.opensearch_config_2.fielddata_cache_size",
                    "config_spec.opensearch_spec.opensearch_config_2.reindex_remote_whitelist"
                ]
            },
            "config_spec": {
                "opensearch_spec": {
                    "opensearch_config_2": {
                        "max_clause_count": "<number_of_Boolean_clauses>",
                        "fielddata_cache_size": "<JVM_heap_size>",
                        "reindex_remote_whitelist": "<host_address>:9200"
                    }
                }
            }
        }' \
mdb.api.cloud.yandex.net:443 \
yandex.cloud.mdb.opensearch.v1.ClusterService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      Here, we provide only one setting.

    • config_spec.opensearch_spec.opensearch_config_2: OpenSearch settings:

      • max_clause_count: New maximum allowed number of boolean clauses. For more information, see this OpenSearch guide.

      • fielddata_cache_size: New JVM heap size allocated for the fielddata data structure. You can specify either an absolute value or percentage, e.g., 512mb or 50%. For more information, see this OpenSearch guide.

      • reindex_remote_whitelist: New list of remote hosts whose indexes contain documents to copy for reindexing. Specify the host FQDN and port 9200, separated by a colon. To specify multiple hosts, list them separated by commas after the port. For more information, see this OpenSearch guide.

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

Changing additional cluster settings

  1. In the management console, navigate to the folder page.

  2. Navigate to the Managed Service for OpenSearch service.

  3. Select your cluster and click Edit in the top panel.

  4. Change additional cluster settings:

    • Maintenance window: Maintenance window settings:

      • To enable maintenance at any time, select arbitrary (default).
      • To specify the preferred maintenance start time, select by schedule and specify the desired day of the week and UTC hour. For example, you can choose a time when the cluster is least loaded.

      Maintenance operations are carried out both on enabled and disabled clusters. They may include updating the DBMS, applying patches, and so on.

    • Deletion protection: Manages cluster protection against accidental deletion.

      Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.

  5. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

Run the following command with the list of settings to update:

yc managed-opensearch cluster update <cluster_name_or_ID> \
   --maintenance schedule=<maintenance_type>,`
                `weekday=<day_of_week>,`
                `hour=<hour> \
   --delete-protection \
   --data-transfer-access=<allow_access_from_Data_Transfer> \
   --serverless-access=<allow_access_from_Serverless_Containers>

You can get the cluster name and ID with the list of clusters in the folder.

The settings in the command include:

  • --maintenance: Maintenance window settings, including for stopped clusters:

    • To allow maintenance at any time, set --maintenance schedule=anytime.

    • To specify the preferred maintenance start time, set --maintenance schedule=weekly,weekday=<day_of_week>,hour=<hour_in_UTC>. In this case, maintenance will take place every week on a specified day at a specified time.

      The valid weekday values include mon, tue, wed, thu, fry, sat, sun. In the hour parameter, specify the maintenance completion time. For example, if you set 14, maintenance will take place from 13:00 until 14:00 UTC.

  • --deletion-protection: Cluster protection from accidental deletion, true or false.

    Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.

  • --serverless-access: Access from Yandex Serverless Containers, true or false.

  1. Open the current Terraform configuration file describing your infrastructure.

    For a complete list of Managed Service for OpenSearch cluster configuration fields you can update, see this Terraform provider guide.

  2. To change the maintenance time, including for stopped clusters, specify the following settings in the maintenance_window parameter:

    resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
    ...
    maintenance_window {
        type = "<maintenance_frequency>"
        hour = <hour>
        day = "<day_of_week>"
    }
}

    Specify the following in the parameters:

    • type: ANYTIME to allow maintenance at any time, or WEEKLY to perform maintenance every week.
    • hour: Maintenance completion hour, UTC. For example, if you set 14, maintenance will take place from 13:00 until 14:00 UTC.
    • day: Day of week for maintenance. The valid values include MON, TUE, WED, THU, FRI, SAT, SUN.

  3. To enable cluster protection against accidental deletion by a user of your cloud, add the deletion_protection field set to true to your cluster description:

    resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
    ...
    deletion_protection = <protect_cluster_against_deletion>
}

    Where deletion_protection is the protection against accidental cluster deletion.

    Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.Update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
    --data '{
                "updateMask": "configSpec.access,deletionProtection,maintenanceWindow",
                "configSpec": {
                    "access": {
                        "dataTransfer": <allow_access_from_Data_Transfer>,
                        "serverless": <allow_access_from_Serverless_Containers>
                    }
                },
                "deletionProtection": <protect_cluster_against_deletion>,
                "maintenanceWindow": {
                    "weeklyMaintenanceWindow": {
                        "day": "<day_of_week>",
                        "hour": "<hour>"
                    }
                }
            }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

    • access: Cluster access settings for the following Yandex Cloud services:

      The possible setting values are true or false.

    • deletionProtection: Cluster protection against accidental deletion, true or false.

      Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.

    • maintenanceWindow.weeklyMaintenanceWindow: Maintenance window schedule:

      • day: Day of the week, in DDD format, for scheduled maintenance.
      • hour: Hour, in HH format, for scheduled maintenance. The possible values range from 1 to 24. Use the UTC time zone.

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the ClusterService.Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
            "cluster_id": "<cluster_ID>",
            "update_mask": {
                "paths": [
                    "config_spec.access",
                    "deletion_protection",
                    "maintenance_window"
                ]
            },
            "config_spec": {
                "access": {
                    "data_transfer": <allow_access_from_Data_Transfer>,
                    "serverless": <allow_access_from_Serverless_Containers>
                }
            },
            "deletion_protection": <protect_cluster_against_deletion>,
            "maintenance_window": {
                "weekly_maintenance_window": {
                    "day": "<day_of_week>",
                    "hour": "<hour>"
                }
            }
        }' \
mdb.api.cloud.yandex.net:443 \
yandex.cloud.mdb.opensearch.v1.ClusterService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      Here, we provide only one setting.

    • access: Cluster access settings for the following Yandex Cloud services:

      The possible setting values are true or false.

    • deletion_protection: Cluster protection against accidental deletion, true or false.

      Even with cluster deletion protection enabled, it is still possible to delete a user or connect to the cluster manually and delete the data.

    • maintenance_window.weekly_maintenance_window: Maintenance window schedule:

      • day: Day of the week, in DDD format, for scheduled maintenance.
      • hour: Hour, in HH format, for scheduled maintenance. The possible values range from 1 to 24. Use the UTC time zone.

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

Updating security groups

After you assign other security groups, you may need to additionally set them up to connect to the cluster.

  1. In the management console, navigate to the folder page.
  2. Navigate to the Managed Service for OpenSearch service.
  3. Select your cluster and click Edit in the top panel.
  4. Under Network settings, select the security groups for cluster network traffic.
  5. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To edit the list of security groups for a cluster, specify the security groups you need in the command:

yc managed-opensearch cluster update <cluster_name_or_ID> \
   --security-group-ids <list_of_security_group_IDs>

If you need to specify multiple groups, list them separated by commas.

You can get the cluster name and ID with the list of clusters in the folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    For a complete list of Managed Service for OpenSearch cluster configuration fields you can update, see this Terraform provider guide.

  2. In the security_group_ids field, list the security group IDs separated by commas:

    resource "yandex_mdb_opensearch_cluster" "<cluster_name>" {
    ...
    security_group_ids = [ "<security_groups>" ]
}

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.Update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-opensearch/v1/clusters/<cluster_ID>' \
    --data '{
                "updateMask": "securityGroupIds",
                "securityGroupIds": [
                    "<security_group_1_ID>",
                    "<security_group_2_ID>",
                    ...
                    "<security_group_N_ID>"
                ]
            }'

    Where:

    • updateMask: Comma-separated string of settings you want to update.

      Here, we provide only one setting.

    • securityGroupIds: Security group IDs.

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the ClusterService.Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/opensearch/v1/cluster_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
            "cluster_id": "<cluster_ID>",
            "update_mask": {
                "paths": [
                    "security_group_ids"
                ]
            },
            "security_group_ids": [
                "<security_group_1_ID>",
                "<security_group_2_ID>",
                ...
                "<security_group_N_ID>"
            ]
        }' \
mdb.api.cloud.yandex.net:443 \
yandex.cloud.mdb.opensearch.v1.ClusterService.Update

    Where:

    • update_mask: List of settings you want to update as an array of strings (paths[]).

      Here, we provide only one setting.

    • security_group_ids: Security group IDs.

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

Previous
Configuring SAML authentication
Next
OpenSearch version upgrade