Oracle Cloud Migrations Service Policies
Oracle Cloud Migrations service policies are required for using the migration service.
A policy syntax is as follows:
allow <subject> to <verb> <resource-type> in <location> where <conditions>
For complete details, see Policy Syntax. For more information on creating policies, see How Policies Work, Policy Reference, and the policy details for Object Storage.
See the instructions for creating policies using the Console.
Policy Builder
Oracle Cloud Migrations supports Policy Builder. The policy builder in the Cloud Console helps you quickly create common policies without the need to manually type the policy statements. To create policies using policy builder, see Writing Policy Statements with the Policy Builder.
In the Policy Builder, select the policy use cases for Oracle Cloud Migrations. The following predefined policy templates are available for creating the service policies:
Migration Policies
Dynamic groups and IAM policies for the migration service.
- Create a dynamic group for the migration service. You can name the dynamic group, for example, MigrationDynamicGroup. Replace the <migration_compartment_ocid> placeholder in the matching rule with the OCID of your migration compartment:
ALL {resource.type = 'ocmmigration', resource.compartment.id = '<migration_compartment_ocid>'}
For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.
- Create all of the following IAM policies to allow the Migration service to read or manage your OCI resources in specific compartments or in your tenancy:
Allow dynamic-group MigrationDynamicGroup to manage instance-family in compartment <migration_compartment_name>
Allow dynamic-group MigrationDynamicGroup to manage compute-image-capability-schema in compartment <migration_compartment_name>
Allow dynamic-group MigrationDynamicGroup to manage virtual-network-family in compartment <migration_compartment_name>
Allow dynamic-group MigrationDynamicGroup to manage volume-family in compartment <migration_compartment_name>
Allow dynamic-group MigrationDynamicGroup to manage object-family in compartment <migration_compartment_name>
Allow dynamic-group MigrationDynamicGroup to read ocb-inventory in tenancy
Allow dynamic-group MigrationDynamicGroup to read ocb-inventory-asset in compartment <migration_compartment_name>
Allow dynamic-group MigrationDynamicGroup to {OCB_CONNECTOR_READ, OCB_CONNECTOR_DATA_READ, OCB_ASSET_SOURCE_READ, OCB_ASSET_SOURCE_CONNECTOR_DATA_UPDATE} in compartment <migration_compartment_name>
Allow dynamic-group MigrationDynamicGroup to {INSTANCE_IMAGE_INSPECT, INSTANCE_IMAGE_READ} in tenancy
Allow dynamic-group MigrationDynamicGroup {INSTANCE_INSPECT} in tenancy where any {request.operation='ListShapes'}
Allow dynamic-group MigrationDynamicGroup {DEDICATED_VM_HOST_READ} in tenancy where any {request.operation='GetDedicatedVmHost'}
Allow dynamic-group MigrationDynamicGroup {CAPACITY_RESERVATION_READ} in tenancy where any {request.operation='GetComputeCapacityReservation'}
Allow dynamic-group MigrationDynamicGroup {ORGANIZATIONS_SUBSCRIPTION_INSPECT} in tenancy where any {request.operation='ListSubscriptions'}
Allow dynamic-group MigrationDynamicGroup to read rate-cards in tenancy
Allow dynamic-group MigrationDynamicGroup to read metrics in tenancy where target.metrics.namespace='ocb_asset'
Allow dynamic-group MigrationDynamicGroup to read tag-namespaces in tenancy
Allow dynamic-group MigrationDynamicGroup to use tag-namespaces in tenancy where target.tag-namespace.name='CloudMigrations'
Discovery Policies
Dynamic groups and IAM policies for the discovery service.
- Create all of the following IAM policies to allow the discovery service to read or manage resources in specific compartments or in your tenancy:
Allow service ocb-discovery to inspect compartments in compartment <migration_compartment_name>
Allow service ocb-discovery to read ocb-environments in compartment <migration_compartment_name>
Allow service ocb-discovery to read ocb-inventory in tenancy
Allow service ocb-discovery to manage ocb-inventory-asset in compartment <migration_compartment_name>
Allow service ocb-discovery to {TENANCY_INSPECT} in tenancy
Creating a Dynamic Group
- Create a dynamic group for the discovery service (for example, DiscoveryDynamicGroup) with the following matching rule:
ALL { resource.type = 'ocbassetsource' }
- Create the following IAM policies for the dynamic group:
Allow dynamic-group DiscoveryDynamicGroup to read secret-family in compartment <migrationsecret_compartment_name>
Allow dynamic-group DiscoveryDynamicGroup to use metrics in compartment <migration_compartment_name> where target.metrics.namespace='ocb_asset'
For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.
Hydration Agent Policies
Dynamic groups and IAM policies for the hydration agent.
- Create a dynamic group for the hydration agent. You can name the dynamic group, for example, HydrationAgentDynamicGroup. Replace the <migration_compartment_ocid> placeholder in the matching rule with the OCID of your migration compartment:
ALL {instance.compartment.id = '<migration_compartment_ocid>'}
For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.
- Create the following IAM policies in specific compartments or in your tenancy to give the hydration agent permission to pull snapshots from OCI Object Storage and to call the migration service hydration APIs:
Define tenancy OCM-SERVICE AS <ocm_service_tenancy_ocid_for_realm>
Endorse dynamic-group HydrationAgentDynamicGroup to { OBJECT_CREATE } in tenancy OCM-SERVICE where all { target.bucket.name = 'tenancy_ocid' }
Allow dynamic-group HydrationAgentDynamicGroup to {OCM_HYDRATION_AGENT_TASK_INSPECT, OCM_HYDRATION_AGENT_TASK_UPDATE, OCM_HYDRATION_AGENT_REPORT_STATUS} in compartment <migration_compartment_name>
Allow dynamic-group HydrationAgentDynamicGroup to manage objects in compartment <migration_compartment_name>
Allow dynamic-group HydrationAgentDynamicGroup to read secret-family in compartment <migrationsecret_compartment_name>
The value of <ocm_service_tenancy_ocid_for_realm> for the OC1 realm is given below. If your tenancy is located in a realm other than OC1, contact Oracle Support for the correct service tenancy OCID.
ocid1.tenancy.oc1..aaaaaaaartv6j5muce2s4djz7rvfn2vwceq3cnue33d72isntnlfmi7huv7q
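The policy sets above mix compartment-scoped and tenancy-wide grants, so a least-privilege review has to check which write-capable statements apply to the whole tenancy without a where condition. The following added example (not Oracle's tooling) parses statements in the forms this page uses, Allow/Endorse with a verb or a permission set and Define tenancy, and flags tenancy-wide, unconditional, write-capable grants; it accepts an omitted "to" because several statements on the page leave it out, and the OVERBROAD statement is a constructed counter-example, not one of the page's policies.

```python
import re

# Grammar for the statement forms shown on this page; "to" is optional because
# some of the page's statements omit it.
ALLOW_RE = re.compile(
    r"^(?P<effect>Allow|Endorse)\s+(?P<subject_type>dynamic-group|group|service|any-user)"
    r"(?:\s+(?P<subject>(?!to\b)[\w.-]+))?\s+(?:to\s+)?"
    r"(?:(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)|\{(?P<perms>[^}]*)\})"
    r"\s+in\s+(?P<scope>tenancy|compartment)(?:\s+(?P<location>(?!where\b)\S+))?"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
DEFINE_RE = re.compile(r"^Define\s+tenancy\s+(?P<alias>\S+)\s+AS\s+(?P<ocid>\S+)\s*$", re.IGNORECASE)

def parse(statement):
    """Return the statement's parts as a dict; raise on anything outside the grammar."""
    m = DEFINE_RE.match(statement.strip())
    if m:
        return {"effect": "Define", "alias": m["alias"], "ocid": m["ocid"]}
    m = ALLOW_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognised statement: {statement!r}")
    parts = m.groupdict()
    parts["perms"] = [p.strip().upper() for p in parts["perms"].split(",")] if parts["perms"] else []
    return parts

def grants_write(parts):
    """True when the grant can change state: verb use/manage, or any permission
    that is not an *_INSPECT or *_READ permission."""
    if parts["verb"]:
        return parts["verb"].lower() in ("use", "manage")
    return any(not p.endswith(("_INSPECT", "_READ")) for p in parts["perms"])

def review(statements):
    """Flag grants that are tenancy-wide in this tenancy (no Define alias),
    write-capable and carry no where condition."""
    findings = []
    for s in statements:
        p = parse(s)
        if p["effect"] == "Define":
            continue
        if p["scope"].lower() == "tenancy" and not p["location"] and not p["condition"] and grants_write(p):
            findings.append(s)
    return findings

# Statements copied from this page (one of each form), plus a constructed over-broad one.
PAGE_STATEMENTS = [
    "Allow dynamic-group MigrationDynamicGroup to manage object-family in compartment <migration_compartment_name>",
    "Allow dynamic-group MigrationDynamicGroup to {INSTANCE_IMAGE_INSPECT, INSTANCE_IMAGE_READ} in tenancy",
    "Allow dynamic-group MigrationDynamicGroup {INSTANCE_INSPECT} in tenancy where any {request.operation='ListShapes'}",
    "Allow dynamic-group MigrationDynamicGroup to use tag-namespaces in tenancy where target.tag-namespace.name='CloudMigrations'",
    "Allow service ocb-discovery to {TENANCY_INSPECT} in tenancy",
    "Define tenancy OCM-SERVICE AS <ocm_service_tenancy_ocid_for_realm>",
    "Endorse dynamic-group HydrationAgentDynamicGroup to { OBJECT_CREATE } in tenancy OCM-SERVICE where all { target.bucket.name = 'tenancy_ocid' }",
]
OVERBROAD = "Allow dynamic-group MigrationDynamicGroup to manage object-family in tenancy"  # constructed, not on the page
```

Running `review(PAGE_STATEMENTS)` returns no findings, while appending OVERBROAD returns exactly that statement, because its manage verb applies to the whole tenancy with no condition.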