Oracle Cloud Infrastructure Documentation

Required IAM Policy to Access Marketplace

To access Marketplace, you must have the necessary IAM policies.

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  to work in.

If you're new to policies, see Getting Started with Policies and Common Policies.

For administrators, the following policies provide access to Marketplace

  • The following policy gives the specified group the ability to list accepted terms of use agreements. The terms of use agreement for a given listing must be viewed and accepted prior to launch. The policy does not include the ability to list, read, or use listings themselves. For that, see the policy statements that grant access to the type of listing you want to launch, whether an image, stack, container image, or helm chart.

    Allow group <IAM_group_name> to inspect compartments in tenancy

  • The following policy gives the specified group the ability to list, read, and use Marketplace image listings. It does not include the ability to create instances using images from listings. (For that, see the next policy.) Furthermore, to reduce the scope of access to just creating subscriptions in a particular compartment, specify that compartment instead of the tenancy.

    Allow group <IAM_group_name> to manage app-catalog-listing in tenancy

  • The following policy gives the specified group general access to managing instances and images, along with the required level of access to attach existing block volumes to the instances. Use this policy in conjunction with the preceding policy for users who need to launch instances from image listings. For users who need to launch stacks from stack listings, use this policy in conjunction with the next set of policies.

    Allow group <IAM_group_name> to manage instance-family in compartment ABC

Allow group <IAM_group_name> to read app-catalog-listing in tenancy

Allow group <IAM_group_name> to use volume-family in compartment ABC

Allow group <IAM_group_name> to use virtual-network-family in compartment XYZ
  • The policies described in IAM Policies grant access to stacks and jobs in the tenancy. Use the appropriate policy statements to give a group the ability to list, read, and use Marketplace stack listings. (Users do not need permission to run destroy jobs to launch a stack from a Marketplace listing, but they do need permissions to run plan jobs and apply jobs.)
  • The policies described in Policies to Control Repository Access grant access to container registry and images in the tenancy. Use the appropriate policy statements to give a group the ability to list, read and use container registry resources.

If you need to write more restrictive policies, see the policy references on which these policies were based, Details for the Core Services and Details for the Resource Manager, as needed.