Set Up Compute Instances to Access Logging Analytics Cross Tenancy

OCI IAM policies use the Endorse and Admit statements to enable cross-tenancy access. To grant the compute instances of a source tenancy (VendorA) permission to access Logging Analytics in a destination tenancy (CompanyABC), the administrators of both tenancies must create IAM policies as follows.

  1. Set up an instance principal and a dynamic group in the source tenancy (VendorA):

    The instance principals capability lets you make service calls from an instance. OCI compute instances are authorized to interact with OCI APIs by creating a dynamic group that contains the compute instances and a policy that authorizes the operations those instances can perform.

    Create a dynamic group, for example oci_la_dg, whose matching rule selects the instances in the compartments that should receive the permissions defined in the policies. For example:

    Any {instance.compartment.id = 'ocid1.compartment.oc1..aaaaabcd',instance.compartment.id = 'ocid1.compartment.oc1..aaaaadef'}
  2. Create policy in the source tenancy (VendorA):

    Define tenancy CompanyABC as ocid1.tenancy.oc1..aaaaaaaaabc
    Endorse dynamic-group oci_la_dg to manage loganalytics-features-family in tenancy CompanyABC
    Endorse dynamic-group oci_la_dg to manage loganalytics-resources-family in tenancy CompanyABC
    Endorse dynamic-group oci_la_dg to manage management-dashboard-family in tenancy CompanyABC
    Endorse dynamic-group oci_la_dg to read compartments in tenancy CompanyABC
  3. Create policy in the destination tenancy (CompanyABC):

    Define tenancy VendorA as ocid1.tenancy.oc1..aaaaavendora
    Define dynamic-group oci_la_dg as ocid1.dynamicgroup.oc1..aaaaaaaavendora
    Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-features-family in tenancy
    Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-resources-family in tenancy
    Admit dynamic-group oci_la_dg of tenancy VendorA to manage management-dashboard-family in tenancy
    Admit dynamic-group oci_la_dg of tenancy VendorA to read compartments in tenancy
  4. Verify that you can now run Logging Analytics APIs from the instances that were given permissions.
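A common reason step 4 fails is that the two halves of the policy drift apart: an Endorse statement in VendorA has no matching Admit in CompanyABC (or the reverse), or an alias used in a statement was never Defined. As an added example, not part of the Oracle documentation, the following Python checker parses the statements from steps 2 and 3 above and reports exactly those mismatches; the regular expressions recognise only the statement shapes used on this page (no where-clauses or compartment scopes).

```python
import re
# Policy statements from the two tenancies above: VendorA endorses, CompanyABC admits.
SOURCE_POLICY = """
Define tenancy CompanyABC as ocid1.tenancy.oc1..aaaaaaaaabc
Endorse dynamic-group oci_la_dg to manage loganalytics-features-family in tenancy CompanyABC
Endorse dynamic-group oci_la_dg to manage loganalytics-resources-family in tenancy CompanyABC
Endorse dynamic-group oci_la_dg to manage management-dashboard-family in tenancy CompanyABC
Endorse dynamic-group oci_la_dg to read compartments in tenancy CompanyABC
"""
DEST_POLICY = """
Define tenancy VendorA as ocid1.tenancy.oc1..aaaaavendora
Define dynamic-group oci_la_dg as ocid1.dynamicgroup.oc1..aaaaaaaavendora
Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-features-family in tenancy
Admit dynamic-group oci_la_dg of tenancy VendorA to manage loganalytics-resources-family in tenancy
Admit dynamic-group oci_la_dg of tenancy VendorA to manage management-dashboard-family in tenancy
Admit dynamic-group oci_la_dg of tenancy VendorA to read compartments in tenancy
"""

VERB = r"(inspect|read|use|manage)"  # the four OCI policy verbs
DEFINE = re.compile(r"^Define (tenancy|dynamic-group|group) (\S+) as (\S+)$", re.I)
ENDORSE = re.compile(rf"^Endorse (dynamic-group|group) (\S+) to {VERB} (\S+) in tenancy (\S+)$", re.I)
ADMIT = re.compile(rf"^Admit (dynamic-group|group) (\S+) of tenancy (\S+) to {VERB} (\S+) in tenancy$", re.I)

def parse(policy):
    """Return (grants, problems); a grant is (group kind, group name, verb, resource)."""
    lines = [ln.strip() for ln in policy.splitlines() if ln.strip()]
    defined = {(m[1].lower(), m[2]) for ln in lines if (m := DEFINE.match(ln))}  # Define aliases
    grants, problems = set(), []
    for ln in (x for x in lines if not DEFINE.match(x)):
        if m := ENDORSE.match(ln):
            grants.add((m[1].lower(), m[2], m[3].lower(), m[4].lower()))
            needed = [("tenancy", m[5])]                        # remote tenancy must be Defined
        elif m := ADMIT.match(ln):
            grants.add((m[1].lower(), m[2], m[4].lower(), m[5].lower()))
            needed = [("tenancy", m[3]), (m[1].lower(), m[2])]  # remote tenancy and remote group
        else:
            problems.append(f"unrecognised statement: {ln}")
            continue
        problems += [f"undefined {k} alias {a!r} in: {ln}" for k, a in needed if (k, a) not in defined]
    return grants, problems

def check_cross_tenancy(source_policy, dest_policy):
    """Empty list means every Endorse has a matching Admit and vice versa, and all aliases are Defined."""
    endorsed, problems = parse(source_policy)
    admitted, dest_problems = parse(dest_policy)
    problems += dest_problems
    problems += ["endorsed but never admitted: %s %s to %s %s" % g for g in sorted(endorsed - admitted)]
    problems += ["admitted but never endorsed: %s %s to %s %s" % g for g in sorted(admitted - endorsed)]
    return problems
```

Run `check_cross_tenancy(SOURCE_POLICY, DEST_POLICY)` against the two policies exactly as shown and it returns an empty list; dropping any single Admit or Define line on the destination side produces a one-line explanation of what the instances will be denied and why.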

For information on Endorse, Admit, and Define statements, see the Object Storage documentation. In addition to dynamic groups, these statements can also be applied to groups.