Set Up Compute Instances to Access Logging Analytics Cross Tenancy
OCI IAM policy uses the concepts of endorse and admit to enable cross-tenancy access. The source tenancy endorses its own principals to act in the destination tenancy, and the destination tenancy admits those principals; a grant takes effect only when both sides agree. If you want to grant permission for compute instances in the source tenancy (VendorA) to access Logging Analytics in the destination tenancy (CompanyABC), the administrators of both tenancies must create IAM policies as below.
- Set up an instance principal and dynamic group in the source tenancy (VendorA):
  The instance principals capability lets you make service calls from an instance without storing user credentials on it. OCI compute instances are authorized to interact with OCI APIs by creating a dynamic group of the compute instances and a policy that authorizes which operations the instances can perform.
  Create a dynamic group, for example oci_la_dg, with a matching rule that selects the instances in the compartments to be authorized with the permissions defined in the policies:
  Any {instance.compartment.id = 'ocid1.compartment.oc1..aaaaabcd', instance.compartment.id = 'ocid1.compartment.oc1..aaaaadef'}
- Create a policy in the source tenancy (VendorA):
  Define tenancy CompanyABC as ocid1.tenancy.oc1..aaaaaaaaabc
  Endorse dynamic-group oci_la_dg to manage loganalytics-features-family in tenancy CompanyABC
  Endorse dynamic-group oci_la_dg to manage loganalytics-resources-family in tenancy CompanyABC
  Endorse dynamic-group oci_la_dg to manage management-dashboard-family in tenancy CompanyABC
  Endorse dynamic-group oci_la_dg to read compartments in tenancy CompanyABC
- Create a policy in the destination tenancy (CompanyABC):
  Define tenancy VendorA as ocid1.tenancy.oc1..aaaaavendora
  Define dynamic-group oci_la_dg as ocid1.dynamicgroup.oc1..aaaaaaaavendora
  Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-features-family in tenancy
  Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-resources-family in tenancy
  Admit dynamic-group oci_la_dg of tenancy VendorA to manage management-dashboard-family in tenancy
  Admit dynamic-group oci_la_dg of tenancy VendorA to read compartments in tenancy
- Verify that you can now run Logging Analytics APIs from the instances that were given permissions.
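Because a cross-tenancy grant only works when the source tenancy's Endorse statements and the destination tenancy's Admit statements line up, it is worth checking the two policies against each other before troubleshooting API calls from the instances. The following script is an added example, not part of the original page or of any Oracle tool: it parses the two policy texts shown above (embedded here as constructed input), confirms that every alias used by Endorse or Admit has a matching Define, lists the grants that both sides agree on, flags any statement present on only one side (endorsed but not admitted means access fails; admitted but not endorsed is an unused grant that should be tightened), and evaluates the dynamic group's matching rule against a given instance's attributes. The statement grammar it recognises is deliberately limited to the Define, Endorse, Admit and Any/All forms used on this page.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed input: the source-tenancy (VendorA) policy from the page.
SOURCE_POLICY = """
Define tenancy CompanyABC as ocid1.tenancy.oc1..aaaaaaaaabc
Endorse dynamic-group oci_la_dg to manage loganalytics-features-family in tenancy CompanyABC
Endorse dynamic-group oci_la_dg to manage loganalytics-resources-family in tenancy CompanyABC
Endorse dynamic-group oci_la_dg to manage management-dashboard-family in tenancy CompanyABC
Endorse dynamic-group oci_la_dg to read compartments in tenancy CompanyABC
"""

# Constructed input: the destination-tenancy (CompanyABC) policy from the page.
DEST_POLICY = """
Define tenancy VendorA as ocid1.tenancy.oc1..aaaaavendora
Define dynamic-group oci_la_dg as ocid1.dynamicgroup.oc1..aaaaaaaavendora
Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-features-family in tenancy
Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-resources-family in tenancy
Admit dynamic-group oci_la_dg of tenancy VendorA to manage management-dashboard-family in tenancy
Admit dynamic-group oci_la_dg of tenancy VendorA to read compartments in tenancy
"""

# Constructed input: the dynamic-group matching rule from the page.
DG_RULE = ("Any {instance.compartment.id = 'ocid1.compartment.oc1..aaaaabcd',"
           "instance.compartment.id = 'ocid1.compartment.oc1..aaaaadef'}")

# Only the statement shapes used on this page are recognised.
DEFINE_RE = re.compile(r"^Define (tenancy|group|dynamic-group) (\S+) as (\S+)$", re.I)
ENDORSE_RE = re.compile(r"^Endorse (group|dynamic-group) (\S+) to (\w+) (\S+) in tenancy (\S+)$", re.I)
ADMIT_RE = re.compile(
    r"^Admit (group|dynamic-group) (\S+) of tenancy (\S+) to (\w+) (\S+) in tenancy(?: (\S+))?$", re.I)

# A grant is (subject kind, subject alias, verb, resource), normalised to lower case.
Grant = Tuple[str, str, str, str]


def parse_policy(text: str) -> Tuple[Dict[Tuple[str, str], str], Set[Grant], Set[Grant], List[str]]:
    """Return (defines, endorse grants, admit grants, errors) for one tenancy's policy."""
    defines: Dict[Tuple[str, str], str] = {}
    endorse: Set[Grant] = set()
    admit: Set[Grant] = set()
    errors: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DEFINE_RE.match(line):
            defines[(m[1].lower(), m[2])] = m[3]
        elif m := ENDORSE_RE.match(line):
            kind, subj, verb, res, tenant = m.groups()
            if ("tenancy", tenant) not in defines:
                errors.append(f"Endorse uses undefined tenancy alias {tenant!r}")
            endorse.add((kind.lower(), subj, verb.lower(), res.lower()))
        elif m := ADMIT_RE.match(line):
            kind, subj, tenant, verb, res, _scope = m.groups()
            if ("tenancy", tenant) not in defines:
                errors.append(f"Admit uses undefined tenancy alias {tenant!r}")
            if (kind.lower(), subj) not in defines:
                errors.append(f"Admit uses undefined {kind} alias {subj!r}")
            admit.add((kind.lower(), subj, verb.lower(), res.lower()))
        else:
            errors.append(f"unrecognised statement: {line!r}")
    return defines, endorse, admit, errors


def check_cross_tenancy(source_text: str, dest_text: str) -> Dict[str, list]:
    """Compare the source tenancy's Endorse grants with the destination's Admit grants.

    A grant that differs only in verb (e.g. endorse read, admit manage) shows up in
    both mismatch lists, which is the signal to align the two statements.
    """
    _, endorsed, _, src_err = parse_policy(source_text)
    _, _, admitted, dst_err = parse_policy(dest_text)
    return {
        "effective": sorted(endorsed & admitted),              # works end to end
        "endorsed_not_admitted": sorted(endorsed - admitted),  # calls will be denied
        "admitted_not_endorsed": sorted(admitted - endorsed),  # unused grant: tighten it
        "errors": src_err + dst_err,
    }


DG_RULE_RE = re.compile(r"^(Any|All)\s*\{(.*)\}$", re.I | re.S)
COND_RE = re.compile(r"^\s*([\w.]+)\s*=\s*'([^']*)'\s*$")


def instance_matches_rule(rule: str, instance_attrs: Dict[str, str]) -> bool:
    """Evaluate an Any{...}/All{...} dynamic-group rule of equality conditions."""
    m = DG_RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    conds = [COND_RE.match(c) for c in m[2].split(",")]
    if any(c is None for c in conds):
        raise ValueError(f"unsupported condition in rule: {rule!r}")
    results = [instance_attrs.get(c[1]) == c[2] for c in conds]
    return any(results) if m[1].lower() == "any" else all(results)


if __name__ == "__main__":
    report = check_cross_tenancy(SOURCE_POLICY, DEST_POLICY)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("instance in aaaaadef is a member:",
          instance_matches_rule(DG_RULE, {"instance.compartment.id": "ocid1.compartment.oc1..aaaaadef"}))
```

Run it as-is and the four grants appear under "effective" with empty mismatch lists; change a single verb or resource family on one side and the corresponding statement moves into the mismatch lists, which is exactly the situation behind an unexplained authorization failure on the instances.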
For information on Endorse, Admit, and Define statements, see the Object Storage documentation. In addition to dynamic groups, these statements can be applied to groups too.