Bastion IAM Policies

Individual Resource-Types

bastion

bastion-session

Aggregate Resource-Type

bastion-family

A policy that uses <verb> bastion-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual bastion resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in bastion-family.

Supported Variables

Bastion supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see Details for Verb + Resource-Type Combinations.


Variable	Variable Type	Comments
`target.bastion.ocid`	Entity (OCID)	Use this variable to control whether to allow operations against a specific bastion in response to a request to read, update, delete, or move a bastion, to view information related to work requests for a bastion, or to create a session on a bastion.
`target.bastion.name`	String	Use this variable to control whether to allow operations against a specific bastion in response to a request to read, update, delete, or move a bastion, to view information related to work requests for a bastion, or to create a session on a bastion.
`target.bastion-session.username`	String	Use this variable to target a specific operating system user name when creating a session that connects to a Compute instance.
`target.resource.ocid`	Entity (OCID)	Use this variable to target a specific Compute instance by its Oracle Cloud Identifier (OCID) when creating a session.

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect to read to use to manage.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas no extra indicates no incremental access.

For example, the read verb for the bastion resource-type includes the same permissions and API operations as the inspect verb, but also adds the GetBastion API operation. Likewise, the manage verb for the bastion resource-type allows even more permissions when compared to the use permission. For the bastion resource-type, the manage verb includes the same permissions and API operations as the use verb, plus the BASTION_CREATE, BASTION_UPDATE, BASTION_DELETE, and BASTION_MOVE permissions and a number of API operations (CreateBastion, UpdateBastion, DeleteBastion, and ChangeBastionCompartment).

bastion


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	BASTION_INSPECT	`ListBastions`	none
read	INSPECT + BASTION_READ	INSPECT + `GetBastion`	`ListSessions` (also needs `inspect session`)
use	READ + BASTION_USE	no extra	`CreateSession` (also needs `manage session`, `read instances`, `read subnets`, and `read vcns`) `UpdateSession` (also needs `manage session`) `DeleteSession` (also needs `manage session`)
manage	USE + BASTION_CREATE BASTION_UPDATE BASTION_DELETE BASTION_MOVE	USE + `UpdateBastion` `ChangeBastionCompartment`	`CreateBastion` (also needs `manage vcns`, `manage subnets`, `manage route-tables`, `manage security-lists`, `manage dhcp-options`, `use network-security-groups`, and `use vnics`) `DeleteBastion` (also needs `manage vcns`, `use private-ips`, `use vnics`, `use subnets`, and `use network-security-groups`)

session


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	BASTION_SESSION_INSPECT	none	`ListSessions` (also needs `read bastion`)
read	INSPECT + BASTION_SESSION_READ	INSPECT + `GetSession`	none
use	READ + BASTION_SESSION_UPDATE	READ + no extra	`UpdateSession` (also needs `use bastion`)
manage	USE + BASTION_SESSION_CREATE BASTION_SESSION_DELETE	USE + no extra	`CreateSession` (also needs `use bastion`, `read instances`, `read subnets`, and `read vcns`)

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`ListBastions`	BASTION_INSPECT
`GetBastion`	BASTION_READ
`CreateBastion`	BASTION_CREATE and VCN_CREATE
`UpdateBastion`	BASTION_UPDATE
`DeleteBastion`	BASTION_DELETE and VCN_DELETE
`ChangeBastionCompartment`	BASTION_MOVE
`CreateSession`	BASTION_USE, INSTANCE_READ, INSTANCE_INSPECT, VCN_READ, VNIC_ATTACHMENT_READ, VNIC_READ, BASTION_SESSION_CREATE, SUBNET_READ, and INSTANCE_AGENT_PLUGIN_READ Note: INSTANCE_AGENT_PLUGIN_READ is required only for Managed SSH sessions.
`GetSession`	BASTION_SESSION_READ
`ListSessions`	BASTION_READ and BASTION_SESSION_INSPECT
`UpdateSession`	BASTION_USE and BASTION_SESSION_UPDATE
`DeleteSession`	BASTION_USE and BASTION_SESSION_DELETE

Policy Examples

Learn about Bastion IAM policies from examples.

To create a bastion or session, users require the following permissions for other Oracle Cloud Infrastructure resources:

Manage networks
Read compute instances
Read compute instance agent (Oracle Cloud Agent) plugins
Inspect work requests

To learn more, see Policy Details for the Core Services.

Bastion policy examples:

Allow users in the group SecurityAdmins to create, update, and delete all Bastion resources in the entire tenancy:

Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy

Allow users in the group BastionUsers to create, connect to, and terminate sessions in the entire tenancy:

Allow group BastionUsers to use bastions in tenancy
Allow group BastionUsers to read instances in tenancy
Allow group BastionUsers to read vcn in tenancy
Allow group BastionUsers to manage bastion-session in tenancy
Allow group BastionUsers to read subnets in tenancy
Allow group BastionUsers to read instance-agent-plugins in tenancy
Allow group BastionUsers to read vnic-attachments in tenancy
Allow group BastionUsers to read vnics in tenancy

Allow users in the group BastionUsers to create, connect to, and terminate sessions in the compartment SalesApps:

Allow group BastionUsers to use bastion in compartment SalesApps
Allow group BastionUsers to read instances in compartment SalesApps
Allow group BastionUsers to read vcn in compartment SalesApps
Allow group BastionUsers to manage bastion-session in compartment SalesApps
Allow group BastionUsers to read subnets in compartment SalesApps
Allow group BastionUsers to read instance-agent-plugins in compartment SalesApps
Allow group BastionUsers to read vnic-attachments in compartment SalesApps
Allow group BastionUsers to read vnics in compartment SalesApps

The example assumes that the networks and compute instances are in the same compartment as the bastion.

Allow users in the group SalesAdmins to create, connect to, and terminate sessions for a specific target host in the compartment SalesApps:

Allow group SalesAdmins to use bastion in compartment SalesApps
Allow group BastionUsers to read instances in compartment SalesApps
Allow group BastionUsers to read vcn in compartment SalesApps
Allow group SalesAdmins to manage bastion-session in compartment SalesApps where ALL {target.resource.ocid='<instance_OCID>', target.bastion-session.username='<session_username>'}
Allow group SalesAdmins to read subnets in compartment SalesApps
Allow group SalesAdmins to read instance-agent-plugins in compartment SalesApps
Allow group BastionUsers to read vnic-attachments in compartment SalesApps
Allow group BastionUsers to read vnics in compartment SalesApps

<session_username> is the specific operating system user name when creating a session on the Compute instance.