DevOps IAM Policies
Create IAM policies to control who has access to DevOps resources, and to control the type of access for each group of users.
Before you can control access to DevOps resources such as code repositories, build pipelines, and deployment pipelines, you must create users and place them in appropriate groups (see Managing Users and Managing Groups). You can then create policies and policy statements to control the access (see Managing Policies).
By default, users in the Administrators group have access to all the DevOps resources. If you're new to IAM policies, see Getting Started with Policies.
For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.
Resource Types and Permissions
List of DevOps resource types and associated permissions.
To assign permissions to all DevOps resources, use the devops-family aggregate type. For more information, see Permissions.
A policy that uses <verb> devops-family is equal to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.
Resource Type | Permissions |
---|---|
devops-family | Aggregate type for all DevOps resources. The verbs inspect, read, use, and manage apply to all the DevOps resource types listed in this table. |
devops-project | |
devops-deploy-family | Aggregate type; the verbs apply to each of its member resource types. |
devops-deploy-artifact | |
devops-deploy-environment | |
devops-deploy-pipeline | |
devops-deploy-stage | |
devops-deployment | |
devops-work-requests | |
devops-repository-family | Aggregate type; the verbs apply to each of its member resource types. |
devops-repository | |
devops-pull-request | |
devops-pull-request-comment | |
devops-protected-branch | |
devops-build-family | Aggregate type; the verbs apply to each of its member resource types. |
devops-build-pipeline | |
devops-build-pipeline-stage | |
devops-build-run | |
devops-connection | |
devops-trigger | |
Supported Variables
Variables are used when adding conditions to a policy.
DevOps supports the following variables:
- Entity: Oracle Cloud Identifier (OCID)
- String: Free-form text.
- Number: Numeric value (arbitrary precision)
- List: List of Entity, String, or Number
- Boolean: True or False
See General Variables for All Requests.
Variables are lowercase and hyphen-separated, for example target.tag-namespace.name and target.display-name. Here name must be unique, and display-name is the description.
Required variables are supplied by the DevOps service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).
Required Variables | Type | Description |
---|---|---|
target.compartment.id | Entity (OCID) | The OCID of the primary resource for the request. |
request.operation | String | The operation ID (for example, GetUser) for the request. |
target.resource.kind | String | The resource kind name of the primary resource for the request. |

Automatic Variables | Type | Description |
---|---|---|
request.user.id | Entity (OCID) | The OCID of the requesting user. |
request.groups.id | List of entities (OCIDs) | The OCIDs of the groups the requesting user is in. |
target.compartment.name | String | The name of the compartment specified in target.compartment.id. |
target.tenant.id | Entity (OCID) | The OCID of the target tenant ID. |
Here's a list of available sources for the variables:
- Request: Comes from the request input.
- Derived: Comes from the request.
- Stored: Comes from the service, retained input.
- Computed: Computed from service data.
Mapping Variables with Resource Types
Resource Type | Variable | Type | Source | Description |
---|---|---|---|---|
devops-project | target.project.id | Entity | Stored | Available for Get, Update, Delete, and Move operations on the Project resource. |
devops-project | target.project.name | String | Stored | Available for Get, Update, Delete, and Move operations on the Project resource. |
devops-deploy-artifact | target.artifact.id | Entity | Stored | Available for Get, Update, and Delete operations on the Artifact resource. |
devops-deploy-environment | target.environment.id | Entity | Stored | Available for Get, Update, and Delete operations on the Environment resource. |
devops-deploy-pipeline | target.pipeline.id | Entity | Stored | Available for Get, Update, and Delete operations on the Pipeline resource. |
devops-deploy-stage | target.stage.id | Entity | Stored | Available for Get, Update, and Delete operations on the Stage resource. |
devops-deployment | target.deployment.id | Entity | Stored | Available for Get, Update, and Delete operations on Deployment resource types. |
devops-repository | target.repository.id | Entity | Stored | Available for Get, Update, Delete, and Move operations on the Repository resource. |
devops-pull-request-comment | target.pull-request.id | Entity | Stored | Available for Get, Update, and Delete operations on the Pull-Request resource. |
devops-repository | target.repository.name | Entity | Stored | Available for Get, Update, Delete, and Move operations on the Repository resource. |
devops-pull-request-comment | target.pull-request.display-name | String | Stored | Available for Get, Update, and Delete operations on the Pull-Request resource. |
devops-repository | target.branch.name | Entity | Stored | Available for Git operations such as upload-pack and receive-pack on the Repository branch. |
devops-protected-branch | target.branch.name | String | Stored | Available for Get, Update, Delete, and Move operations on the Protected Branch resource. |
devops-repository | target.tag.name | Entity | Stored | Available for Git operations such as upload-pack and receive-pack on the Repository branch. |
devops-pull-request | target.pull-request.id | Entity | Stored | Available for Get, Update, and Delete operations on the Pull-Request resource. |
devops-pull-request | target.pull-request.display-name | String | Stored | Available for Get, Update, and Delete operations on the Pull-Request resource. |
devops-connection | target.connection.id | Entity | Stored | Available for Get, Update, and Delete operations on the Connection resource. |
devops-trigger | target.trigger.id | Entity | Stored | Available for Get, Update, and Delete operations on the Trigger resource. |
devops-build-pipeline | target.build-pipeline.id | Entity | Stored | Available for Get, Update, and Delete operations on the Build Pipeline resource. |
devops-build-pipeline-stage | target.build-pipeline-stage.id | Entity | Stored | Available for Get, Update, and Delete operations on the Build Pipeline Stage resource. |
devops-build-run | target.build-run.id | Entity | Stored | Available for Get, Update, Delete, and Cancel operations on the Build Run resource. |
Details for Verb + Resource Type Combinations
Identify the permissions and API operations covered by each verb for DevOps resources.
The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell. All permissions (inspect, read, use, and manage) are applicable for the devops-family resource type, which includes all the DevOps resources.
For information about granting access, see Permissions.
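The aggregate-type equivalence and the cumulative verb ordering described above are easy to get wrong when reviewing a tenancy's policies by eye. The following Python is an added example, not Oracle's code or any OCI SDK API: it parses statements of the documented shape, expands an aggregate type into its member resource types (the family grouping is taken from the resource-type listing above and is an assumption), and computes the highest verb a group or dynamic group effectively holds on a resource type in a compartment. The group names, compartment name and OCID in the sample policy are constructed placeholders, and compartment hierarchy is not modelled.

```python
"""Effective-access calculator for OCI DevOps IAM policy statements.

Added example, not Oracle's code. Models two documented rules: an aggregate
type stands for a separate statement on each member resource type, and verbs
are cumulative (inspect < read < use < manage). Family membership follows the
page's listing (an assumption); compartment hierarchy is not modelled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

FAMILIES = {
    "devops-deploy-family": {
        "devops-deploy-artifact", "devops-deploy-environment", "devops-deploy-pipeline",
        "devops-deploy-stage", "devops-deployment", "devops-work-requests"},
    "devops-repository-family": {
        "devops-repository", "devops-pull-request", "devops-pull-request-comment",
        "devops-protected-branch"},
    "devops-build-family": {
        "devops-build-pipeline", "devops-build-pipeline-stage", "devops-build-run",
        "devops-connection", "devops-trigger"},
}
# devops-family covers devops-project plus every member of the sub-families.
FAMILIES["devops-family"] = {"devops-project"}.union(*FAMILIES.values())

# Documented shape: Allow <group|dynamic-group> <name> to <verb> <resource-type>
#                   in <compartment <name> | tenancy> [where <condition>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<kind>group|dynamic-group)\s+(?P<subject>\S+)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[a-z0-9-]+)\s+"
    r"in\s+(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Statement:
    kind: str                 # "group" or "dynamic-group"
    subject: str              # group or dynamic-group name
    verb: str
    resource: str             # as written, possibly an aggregate type
    scope: str                # compartment name, or "tenancy"
    condition: Optional[str]  # text after "where", if any


def parse_statement(text: str) -> Statement:
    """Parse one statement; reject anything off the documented grammar."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    return Statement(m["kind"].lower(), m["subject"], m["verb"].lower(), m["resource"].lower(),
                     "tenancy" if m["tenancy"] else m["compartment"], m["condition"])


def expand(resource: str) -> Set[str]:
    """Aggregate type -> member types; an individual type maps to itself."""
    return set(FAMILIES.get(resource, {resource}))


def effective_verb(statements: List[Statement], subject: str, resource: str,
                   compartment: str, include_conditional: bool = False) -> Optional[str]:
    """Highest verb `subject` holds on `resource` in `compartment`, or None.
    Conditional statements count only if include_conditional is set, since
    whether they apply depends on request-time variables."""
    best = None
    for s in statements:
        if s.subject != subject or resource not in expand(s.resource):
            continue
        if s.scope not in ("tenancy", compartment):   # tenancy scope covers all
            continue
        if s.condition and not include_conditional:
            continue
        if best is None or VERB_RANK[s.verb] > VERB_RANK[best]:
            best = s.verb
    return best


def allows(statements: List[Statement], subject: str, verb: str,
           resource: str, compartment: str) -> bool:
    """True when the verb held covers `verb` under the cumulative ordering."""
    held = effective_verb(statements, subject, resource, compartment)
    return held is not None and VERB_RANK[held] >= VERB_RANK[verb]


def broad_grants(statements: List[Statement]) -> List[Statement]:
    """Unconditional tenancy-wide `manage devops-family` grants: the ones a
    least-privilege review should look at first."""
    return [s for s in statements if s.verb == "manage" and s.resource == "devops-family"
            and s.scope == "tenancy" and not s.condition]


# Constructed sample policy; group names, compartment and OCID are placeholders.
SAMPLE_POLICY = [
    "Allow group dev-team to read devops-project in compartment app-compartment",
    "Allow group dev-team to use devops-repository in compartment app-compartment",
    "Allow dynamic-group DevOpsDynamicGroup to manage devops-family in compartment app-compartment",
    "Allow group pipeline1_approvers to use devops-family in compartment app-compartment "
    "where all {request.principal.id = 'ocid1.pipeline1'}",
    "Allow group admins to manage devops-family in tenancy",
]


def sample_statements() -> List[Statement]:
    return [parse_statement(line) for line in SAMPLE_POLICY]
```

Conditional statements are left out of the effective verb unless asked for, because a where clause such as the approval-stage example only applies once request variables are known; broad_grants picks out the unconditional tenancy-wide manage devops-family statements, which are the first thing to question in a least-privilege review of DevOps access.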
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-project resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_PROJECT_INSPECT | ListProjects | List all the project resources in a compartment. |
read | | | Get a specific project by ID. |
use | | | Update a specific project. |
manage | | | Create a project resource. |
manage | | | Delete a specific project. |
manage | | | Move a project to a different compartment. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-family resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | | | |
read | | | |
use | | | |
manage | | | |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-artifact resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_DEPLOY_ARTIFACT_INSPECT | ListDeployArtifacts | List all the artifacts in a project or compartment. |
read | | | Get a specific artifact by ID. |
use | | | Update a specific artifact by ID. |
manage | | | Create an artifact resource within a project. |
manage | | | Delete a specific artifact by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-environment resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_DEPLOY_ENVIRONMENT_INSPECT | ListDeployEnvironments | List all the environments in an application or compartment. |
read | | | Get a specific environment by ID. |
use | | | Update a specific environment by ID. |
manage | | | Create an environment for a deployment target within an application. |
manage | | | Delete a specific environment by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-pipeline resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_DEPLOY_PIPELINE_INSPECT | ListDeployPipelines | List all the pipeline resources in a compartment. |
read | | | Get a specific pipeline by ID. |
use | | | Update a specific pipeline by ID. |
manage | | | Create a pipeline resource. |
manage | | | Delete a specific pipeline. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-stage resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_DEPLOY_STAGE_INSPECT | ListDeployStages | List all the stages in a pipeline or compartment. |
read | | | Get a specific stage by ID. |
use | | | Update a specific stage by ID. |
manage | | | Create a stage within a pipeline. |
manage | | | Delete a specific stage by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deployment resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_DEPLOYMENT_INSPECT | ListDeployments | List all the deployments in a compartment. |
read | | | Get a specific deployment by ID. |
use | | | Update a specific stage by ID. |
use | | | Approve a specific deployment that's waiting for manual approval. |
use | | | Cancel a running deployment. |
manage | | | Create a deployment for a specific pipeline. |
manage | | | Delete a specific deployment. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-work-requests resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_WORK_REQUEST_INSPECT | ListWorkRequests | List all the work requests in a compartment. |
read | | | Get a specific work request by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-repository-family resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | | | |
read | inspect+ | | |
use | | | |
manage | | | |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-repository resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_REPOSITORY_INSPECT | ListRepositories | List all the repository resources by compartment ID, project ID, or repository ID. |
read | | | Get a specific repository by ID. |
use | | | Update a specific repository by ID. |
manage | | | Create a repository. |
manage | | | Delete a specific repository by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-connection resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_CONNECTION_INSPECT | ListConnections | List all the connections in a project or compartment. |
read | | | Get a specific connection by ID. |
use | | | Update a specific connection by ID. |
use | | | Validate the connection's PAT. |
manage | | | Create a connection resource in a project. |
manage | | | Delete a specific connection by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-trigger resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_TRIGGER_INSPECT | ListTriggers | List all the triggers in a project or compartment. |
read | | | Get a specific trigger by ID. |
use | | | Update a specific trigger by ID. |
manage | | | Create a trigger resource in a project. |
manage | | | Delete a specific trigger by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-family resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | | | |
read | | | |
use | | | |
manage | | | |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-pipeline resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_BUILD_PIPELINE_INSPECT | ListBuildPipelines | List all the build pipeline resources in a compartment. |
read | | | Get a specific build pipeline by ID. |
use | | | Update a specific build pipeline by ID. |
manage | | | Create a build pipeline resource. |
manage | | | Delete a specific build pipeline. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-pipeline-stage resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_BUILD_PIPELINE_STAGE_INSPECT | ListBuildPipelineStages | List all the stages in a build pipeline or compartment. |
read | | | Get a specific build pipeline stage by ID. |
use | | | Update a specific build pipeline stage by ID. |
manage | | | Create a stage in a build pipeline. |
manage | | | Delete a specific build pipeline stage by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-run resource.
Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | DEVOPS_BUILD_RUN_INSPECT | ListBuildRuns | List the build runs in a project or compartment. |
read | | | Get a specific build run by ID. |
use | | | Update an existing build run. |
use | | | Cancel a running build run. |
manage | | | Start a build run for a given build pipeline. |
manage | | | Delete an existing build run. |
Creating a Policy and Dynamic Group
To grant users permission to access the various DevOps resources such as build pipelines, deployment pipelines, artifacts, and code repositories, you must create groups, dynamic groups, and IAM policies.
A policy allows a group to work in certain ways with specific types of resources in a particular compartment.
Policy
Here's how you create a policy in the Oracle Cloud Console:
- Open the navigation menu and click Identity & Security. Under Identity, click Policies.
- Click Create Policy.
- Enter a name and description for the policy.
- Under Policy Builder, click the Show manual editor switch to enable the editor.
Enter a policy rule in the following format:
Allow <group> to <verb> <resource_type> in <compartment or tenancy details>
- Click Create.
For more information about creating policies, see How Policies Work and Policy Reference.
To create a group and add users to the group, see Managing Groups.
Dynamic Group
A dynamic group is a special type of group that contains resources (such as compute instances) that match rules that you define.
Matching rules define the resources that belong to the dynamic group. In the Console, you can either enter the rule manually in the provided text box, or you can use the rule builder. For more details, see Writing Matching Rules to Define Dynamic Groups. Use the match-any rule to match multiple conditions.
Create a dynamic group for the DevOps resources. For example, you can name the dynamic group DevOpsDynamicGroup and replace compartmentOCID with the OCID of your compartment:
ALL {resource.type = 'devopsdeploypipeline', resource.compartment.id = 'compartmentOCID'}
ALL {resource.type = 'devopsrepository', resource.compartment.id = 'compartmentOCID'}
ALL {resource.type = 'devopsbuildpipeline',resource.compartment.id = 'compartmentOCID'}
ALL {resource.type = 'devopsconnection',resource.compartment.id = 'compartmentOCID'}
For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.
Create a policy that grants the dynamic group DevOpsDynamicGroup access to the DevOps resources:
Allow dynamic-group DevOpsDynamicGroup to manage devops-family in compartment <compartment_name>
For tenancies that have identity domains, the domain name must precede the dynamic group name in the policy. For example,
domain-name/{DevOpsDynamicGroup}
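The dynamic-group matching rules above and the policy conditions built from the variables in the Supported Variables section (for example the where any {request.operation=...} clause in the Environment Policies example below) share one all {...} / any {...} syntax. The following Python is an added example, not Oracle's code or any OCI SDK API: it parses that syntax into equality clauses and evaluates it against a dictionary of variable values, once as a dynamic-group membership test (treating several rules as match-any, an assumption about the Console setting named above) and once as a policy where clause. The compartment OCID is a constructed placeholder, and only equality clauses with single-quoted values are handled.

```python
"""Evaluator for the `all {...}` / `any {...}` condition syntax that OCI IAM
uses for dynamic-group matching rules and for the `where` clause of a policy.

Added example, not Oracle's code. Assumptions: each clause is an equality test
variable = 'value'; clauses are comma-separated; variable names compare
case-insensitively and values exactly; a dynamic group with several rules
admits a resource when any one rule matches (match-any). OCIDs are placeholders.
"""
import re
from typing import Dict, List, Tuple

CONDITION_SET_RE = re.compile(r"^\s*(all|any)\s*\{(.*)\}\s*$", re.IGNORECASE | re.DOTALL)
CLAUSE_RE = re.compile(r"([A-Za-z0-9_.-]+)\s*=\s*'([^']*)'")


def parse_condition_set(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ("all" | "any", [(variable, value), ...]); ValueError if malformed."""
    m = CONDITION_SET_RE.match(text)
    if not m:
        raise ValueError(f"not an all/any condition set: {text!r}")
    clauses = [(var.lower(), val) for var, val in CLAUSE_RE.findall(m.group(2))]
    if not clauses:
        raise ValueError(f"no variable = 'value' clauses in: {text!r}")
    return m.group(1).lower(), clauses


def evaluate(text: str, context: Dict[str, str]) -> bool:
    """Evaluate one condition set against variable values.
    A variable missing from the context compares unequal, so nothing
    matches by accident on absent data."""
    mode, clauses = parse_condition_set(text)
    results = [context.get(var) == val for var, val in clauses]
    return all(results) if mode == "all" else any(results)


def is_dynamic_group_member(rules: List[str], resource: Dict[str, str]) -> bool:
    """Match-any over a dynamic group's rules: one matching rule admits the resource."""
    return any(evaluate(rule, resource) for rule in rules)


def where_clause_permits(statement: str, request: Dict[str, str]) -> bool:
    """Apply a policy statement's `where` condition, if it has one, to request variables."""
    parts = re.split(r"\s+where\s+", statement, maxsplit=1, flags=re.IGNORECASE)
    return len(parts) == 1 or evaluate(parts[1], request)


COMPARTMENT_OCID = "ocid1.compartment.oc1..exampleplaceholder"  # constructed placeholder

# The DevOpsDynamicGroup rules from the page, with compartmentOCID substituted.
DEVOPS_DYNAMIC_GROUP_RULES = [
    f"ALL {{resource.type = 'devopsdeploypipeline', resource.compartment.id = '{COMPARTMENT_OCID}'}}",
    f"ALL {{resource.type = 'devopsrepository', resource.compartment.id = '{COMPARTMENT_OCID}'}}",
    f"ALL {{resource.type = 'devopsbuildpipeline',resource.compartment.id = '{COMPARTMENT_OCID}'}}",
    f"ALL {{resource.type = 'devopsconnection',resource.compartment.id = '{COMPARTMENT_OCID}'}}",
]

# Three of the operations from the Environment Policies condition: a manage
# grant on virtual-network-family narrowed to private-endpoint operations.
PRIVATE_ENDPOINT_CONDITION = ("any {request.operation='CreatePrivateEndpoint', "
                              "request.operation='UpdatePrivateEndpoint', "
                              "request.operation='DeletePrivateEndpoint'}")


def demo() -> Dict[str, bool]:
    """Constructed resources and requests run through both evaluators."""
    build_pipeline = {"resource.type": "devopsbuildpipeline",
                      "resource.compartment.id": COMPARTMENT_OCID}
    project = {"resource.type": "devopsproject",
               "resource.compartment.id": COMPARTMENT_OCID}
    return {
        "build pipeline is a member": is_dynamic_group_member(DEVOPS_DYNAMIC_GROUP_RULES, build_pipeline),
        "project is a member": is_dynamic_group_member(DEVOPS_DYNAMIC_GROUP_RULES, project),
        "CreatePrivateEndpoint permitted": evaluate(PRIVATE_ENDPOINT_CONDITION,
                                                    {"request.operation": "CreatePrivateEndpoint"}),
        "CreateVcn permitted": evaluate(PRIVATE_ENDPOINT_CONDITION,
                                        {"request.operation": "CreateVcn"}),
    }
```

Running demo shows why the rules on this page are written as ALL sets keyed on both resource.type and resource.compartment.id: a DevOps project in the same compartment, or a build pipeline in a different compartment, is not admitted to the dynamic group, so the manage devops-family grant that follows reaches only the pipelines, repositories, and connections intended. The same evaluator applied to a where clause shows how a broad manage virtual-network-family grant is narrowed to the listed operations.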
Policy Examples
DevOps policies required for using various DevOps resources such as code repositories, build pipelines and deployment pipelines.
The following policy examples are provided:
Environment Policies
Policy example for creating target environment that is used for deployment.
See the instructions for creating policies using the Console.
Allow group <group-name> to manage virtual-network-family in compartment <compartment_name> where any {request.operation='CreatePrivateEndpoint', request.operation='UpdatePrivateEndpoint', request.operation='DeletePrivateEndpoint', request.operation='EnableReverseConnection', request.operation='ModifyReverseConnection', request.operation='DisableReverseConnection'}
Code Repository Policies
Policy examples for creating a code repository and connecting to external code repositories such as GitHub and GitLab.
See the instructions for creating policies, groups, and dynamic groups using the Console.
To create a code repository:
- Allow users in a group to have access to the DevOps project:
Allow group <group-name> to read devops-project in compartment <compartment_name>
- Allow users in a group to read, create, update, or delete a repository:
Allow group <group-name> to manage devops-repository in compartment <compartment_name>
To connect to an external code repository such as GitHub or GitLab:
- Allow users in a group to have access to the DevOps project:
Allow group <group-name> to read devops-project in compartment <compartment_name>
- Allow users in a group to read or update a repository:
Allow group <group-name> to use devops-repository in compartment <compartment_name>
- Allow the dynamic group to read secrets from the vault, and allow users in a group to use a connection:
Allow dynamic-group DevOpsDynamicGroup to read secret-family in compartment <compartment_name>
Allow group <group-name> to use devops-connection in compartment <compartment_name>
To create a pull request, you must define policies based on the actions that a user is allowed to perform. For more information and examples, see Managing Pull Requests.
Build Pipeline Policies
Policy examples for creating build pipelines and adding stages to the pipeline.
See the instructions for creating policies using the Console.
- Create IAM policies to allow the dynamic group to access OCI resources in the compartment:
  - To deliver artifacts, provide access to the Container Registry (OCIR):
Allow dynamic-group DevOpsDynamicGroup to manage repos in compartment <compartment_name>
  - To access the vault for a personal access token (PAT), provide access to secret-family. This policy is required in the Managed Build stage to access the PAT used to download the source code:
Allow dynamic-group DevOpsDynamicGroup to read secret-family in compartment <compartment_name>
  - Provide access to read deployment artifacts in the Deliver Artifacts stage, read the DevOps code repository in the Managed Build stage, and trigger the deployment pipeline in the Trigger Deploy stage:
Allow dynamic-group DevOpsDynamicGroup to manage devops-family in compartment <compartment_name>
  - To deliver artifacts, provide access to the Artifact Registry:
Allow dynamic-group DevOpsDynamicGroup to manage generic-artifacts in compartment <compartment_name>
  - To send notifications, provide access to the build pipeline:
Allow dynamic-group DevOpsDynamicGroup to use ons-topics in compartment <compartment_name>
- Create policies to allow private access setup in the Managed Build stage:
Allow dynamic-group DevOpsDynamicGroup to use subnets in compartment <customer subnet compartment>
Allow dynamic-group DevOpsDynamicGroup to use vnics in compartment <customer subnet compartment>
If any network security groups (NSGs) are specified in the private access configuration, then the policy must also allow access to the NSGs:
Allow dynamic-group DevOpsDynamicGroup to use network-security-groups in compartment <customer subnet compartment>
- Create a policy to allow the build pipeline to access the Certificate Authority (CA) bundle resource for Transport Layer Security (TLS) verification:
Allow dynamic-group DevOpsDynamicGroup to use cabundles in compartment <compartment_name>
Policies for Accessing ADM Resources
Policy examples for accessing Application Dependency Management (ADM) service's resources from the build pipeline.
See the instructions for creating policies using the Console.
Allow dynamic-group DevOpsDynamicGroup to use adm-knowledge-bases in tenancy
Allow dynamic-group DevOpsDynamicGroup to manage adm-vulnerability-audits in tenancy
Deployment Pipeline Policies
Policy examples for creating deployment pipelines and adding stages to the pipeline.
See the instructions for creating policies using the Console.
- OKE cluster deployments:
Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to manage cluster in compartment <compartment_name>
- Functions:
Allow dynamic-group DevOpsDynamicGroup to manage fn-function in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to read fn-app in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use fn-invocation in compartment <compartment_name>
- Instance Group deployments:
Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to read instance-family in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use load-balancers in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use vnics in compartment <compartment_name>
For an instance group deployment, you also need to create a dynamic group for the instances and give that dynamic group certain permissions:
  - Create a dynamic group for the instances. For example, you can name the dynamic group DeployComputeDynamicGroup and replace compartmentOCID with the OCID of your compartment:
All {instance.compartment.id = 'compartmentOCID'}
  - Create IAM policies to give the required access to the deployment instances:
Allow dynamic-group DeployComputeDynamicGroup to use instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group DeployComputeDynamicGroup to read generic-artifacts in compartment <compartment_name>
Allow dynamic-group DeployComputeDynamicGroup to read secret-family in compartment <compartment_name>
- Helm stage deployments:
Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to manage cluster in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to read repos in compartment <compartment_name>
- Approval stage:
Allow group pipeline1_approvers to use devops-family in compartment <compartment_name> where all {request.principal.id = 'ocid1.pipeline1'}
Allow group pipeline2_approvers to use devops-family in compartment <compartment_name> where all {request.principal.id = 'ocid1.pipeline2'}
- Shell stage:
Allow dynamic-group DevOpsDynamicGroup to manage compute-container-instances in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to manage compute-containers in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use vnics in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use subnets in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use dhcp-options in compartment <compartment_name>
If you're using a network security group when creating the Shell stage, then add the following policy:
Allow dynamic-group DevOpsDynamicGroup to use network-security-groups in compartment <compartment_name>
Artifact Policies
Policy examples for adding the Deliver Artifacts stage to the build pipeline.
The Deliver Artifacts stage maps the build outputs from the Managed Build stage with the version to deliver to a DevOps artifact resource, and then to the Oracle Cloud Infrastructure (OCI) code repository. DevOps supports artifacts stored in OCI Container Registry and Artifact Registry repositories. See Adding a Deliver Artifacts Stage.
See the instructions for creating policies using the Console.
Create the following IAM policies:
- To see a list of all repositories in Container Registry belonging to the tenancy or to a particular compartment:
Allow dynamic-group DevOpsDynamicGroup to inspect repos in tenancy
Allow dynamic-group DevOpsDynamicGroup to inspect repos in compartment <compartment_name>
- Allow artifacts to be pushed to the Container Registry (OCIR) that belongs to the tenancy or to a particular compartment:
Allow dynamic-group DevOpsDynamicGroup to use repos in tenancy
Allow dynamic-group DevOpsDynamicGroup to use repos in compartment <compartment_name>
- To see a list of generic artifacts in Artifact Registry belonging to the tenancy or to a particular compartment:
Allow dynamic-group DevOpsDynamicGroup to inspect generic-artifacts in tenancy
Allow dynamic-group DevOpsDynamicGroup to inspect generic-artifacts in compartment <compartment_name>
- Allow generic artifacts to be pushed to the Artifact Registry that belongs to the tenancy or to a particular compartment:
Allow dynamic-group DevOpsDynamicGroup to use generic-artifacts in tenancy
Allow dynamic-group DevOpsDynamicGroup to use generic-artifacts in compartment <compartment_name>
- Allow users to pull generic artifacts that belong to the tenancy or to a particular compartment:
Allow dynamic-group DevOpsDynamicGroup to read generic-artifacts in tenancy
Allow dynamic-group DevOpsDynamicGroup to read generic-artifacts in compartment <compartment_name>
Accessing Artifact Registry
Oracle Cloud Infrastructure Artifact Registry is a repository service for storing, sharing, and managing software development packages.
You can access the artifacts that you store in Artifact Registry from the DevOps service. You can create a reference to three types of artifacts in Artifact Registry: instance group deployment configurations, general artifacts, and Kubernetes manifests. Your administrator must grant the read all-artifacts permission to the pipeline resources.
See the instructions for creating policies using the console.
Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>
For more information, see Artifact Registry Policies.