Resource Principals

Oracle recommends resource principal based authentication for Full Stack Disaster Recovery, because additional features and functionality depend on it. Resource principals let Full Stack Disaster Recovery authenticate to, and access, other Oracle Cloud Infrastructure resources. Before you can use resource principals, you or your tenancy administrator must define the Oracle Cloud Infrastructure dynamic groups and policies that allow those principals to access Oracle Cloud Infrastructure resources.

1. Create a dynamic group as follows:

The dynamic group uses the following three matching rules. A resource becomes a member of the group when any one of these three rules matches:

Any {instance.compartment.id = '<compartment_ocid>'}
All {resource.type='computecontainerinstance'}
All {resource.type='drprotectiongroup', resource.compartment.id='<compartment_ocid>'}

2. Create the policies for the dynamic group as follows:
For Member Type: COMPUTE_INSTANCE_MOVABLE
Allow dynamic-group <Dynamic_group_Name> to manage instance-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage volume-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read virtual-network-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use subnets in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use vnics in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use network-security-groups in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use private-ips in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use tag-namespaces in compartment <compartment_name>

For Member Type: COMPUTE_INSTANCE_NON_MOVABLE
Allow dynamic-group <Dynamic_group_Name> to use instance-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage volume-family in compartment <compartment_name>

For Member Type: VOLUME_GROUP
Allow dynamic-group <Dynamic_group_Name> to manage volume-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read secret-family in compartment <compartment_name>

For Member Type: DATABASE
Allow dynamic-group <Dynamic_group_Name> to manage databases in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read secret-family in compartment <compartment_name>

For Member Type: AUTONOMOUS_DATABASE
Allow dynamic-group <Dynamic_group_Name> to manage autonomous-database-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read secret-family in compartment <compartment_name>

For Member Type: AUTONOMOUS_CONTAINER_DATABASE
Allow dynamic-group <Dynamic_group_Name> to manage autonomous-database-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to update cloud-autonomous-vmclusters in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to update autonomous-vmclusters in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to update autonomousContainerDatabaseDataguardAssociations in compartment <compartment_name>

For Member Type: OBJECT_STORAGE_BUCKET
Allow dynamic-group <Dynamic_group_Name> to manage object-family in compartment <compartment_name>

For Member Type: LOAD_BALANCER
Allow dynamic-group <Dynamic_group_Name> to manage load-balancers in compartment <compartment_name>

For Member Type: NETWORK_LOAD_BALANCER
Allow dynamic-group <Dynamic_group_Name> to manage network-load-balancers in compartment <compartment_name>

For Member Type: FILE_SYSTEM
Allow dynamic-group <Dynamic_group_Name> to manage file-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read secret-family in compartment <compartment_name>

For Member Type: OKE_CLUSTER
Allow dynamic-group <Dynamic_group_Name> to manage compute-container-family in compartment <cluster_compartment>
Allow dynamic-group <Dynamic_group_Name> to manage object-family in compartment <compartment>
Allow dynamic-group <Dynamic_group_Name> to manage cluster-family in compartment <>
Allow dynamic-group <Dynamic_group_Name> to manage cluster-virtualnode-pools in compartment <>
Virtual Node Pool
Allow any-user to manage objects in tenancy where all { request.principal.type = 'workload',
request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader',
request.principal.cluster_id = '<Cluster_OCID>'}
Allow any-user to manage objects in tenancy where all { request.principal.type = 'workload',
request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator',
request.principal.cluster_id = '<Cluster_OCID>'}

For Member Type: MYSQL_DB_SYSTEM
Allow dynamic-group <Dynamic_group_Name> to manage mysql-family in compartment <>

For Step Type: FUNCTIONS
Allow dynamic-group <Dynamic_group_Name> to read fn-app in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read fn-function in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use fn-invocation in compartment <compartment_name>

For Step Type: USER_DEFINED_STEPS
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage objects in compartment <compartment_name>

For DrPlanExecution
Allow dynamic-group <Dynamic_group_Name> to manage objects in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read all-resources in tenancy

For Networking
Allow dynamic-group <Dynamic_group_Name> to read virtual-network-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use subnets in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use vnics in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use network-security-groups in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use private-ips in compartment <compartment_name>

For Tagging
Allow dynamic-group <Dynamic_group_Name> to use tag-namespaces in tenancy <tenancy_name>

For Log Location
Allow dynamic-group <Dynamic_group_Name> to manage buckets in compartment <compartment_name>
Allow group <group_name> to manage objects in compartment <compartment_name>

For Vault
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow group <group_name> to read secret-family in compartment <compartment_name>

For Compartments
Allow dynamic-group <Dynamic_group_Name> to read all-resources in compartment <compartment_name or compartment_ocid>

For more details about the policies created in the above step, refer to Policies for Other Services Managed by Full Stack Disaster Recovery.
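The policy lists above are per member or step type, so a protection group that mixes several types needs their union, with duplicates collapsed and no resource granted a stronger verb than it needs. The following helper is an added example, not part of the Oracle documentation or of the Full Stack Disaster Recovery service: it builds that least-privilege statement set from the member types actually present (the dictionary encodes only some of the lists above and keeps the page's placeholders) and checks each statement has the shape IAM expects, so a dropped "to" or a misspelled "compartment" is caught before the policy is submitted.

```python
import re

DYNAMIC_GROUP = "<Dynamic_group_Name>"  # placeholder name, as used on this page

# Compartment-scoped statements per member/step type, taken from the lists
# above as "<verb> <resource>"; only a subset of types is encoded here, the
# remaining lists can be added the same way.
POLICY_TEMPLATES = {
    "COMPUTE_INSTANCE_NON_MOVABLE": [
        "use instance-family",
        "manage instance-agent-command-execution-family",
        "manage instance-agent-command-family",
        "manage volume-family",
    ],
    "VOLUME_GROUP": ["manage volume-family", "read vaults", "read secret-family"],
    "OBJECT_STORAGE_BUCKET": ["manage object-family"],
    "USER_DEFINED_STEPS": [
        "manage instance-agent-command-execution-family",
        "manage instance-agent-command-family",
        "manage objects",
    ],
}
# OCI verbs form a strict hierarchy (manage > use > read > inspect), so only
# the strongest verb granted on a resource needs to be kept.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Shape of one well-formed compartment-scoped statement: a missing "to" or a
# misspelled "compartment" does not match and would fail IAM's syntax check.
STATEMENT_RE = re.compile(
    r"^Allow dynamic-group \S+ to (inspect|read|use|manage) \S+ in compartment \S+$"
)

def required_statements(member_types, compartment):
    """Least-privilege statement set for a protection group that contains
    exactly the given member/step types: duplicates collapse, and where two
    types need different verbs on one resource only the strongest is emitted."""
    strongest = {}
    for mtype in member_types:
        for entry in POLICY_TEMPLATES[mtype]:
            verb, resource = entry.split(" ", 1)
            if VERB_RANK[verb] > VERB_RANK.get(strongest.get(resource), -1):
                strongest[resource] = verb
    return sorted(
        f"Allow dynamic-group {DYNAMIC_GROUP} to {verb} {res} in compartment {compartment}"
        for res, verb in strongest.items()
    )

def is_well_formed(statement):
    """True when the statement has the exact shape IAM expects."""
    return STATEMENT_RE.match(statement) is not None
```

Tenancy-scoped statements such as "read all-resources in tenancy" are deliberately outside the template, since they should be added individually rather than generated per member type.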