Service Mesh IAM Policies
Create Identity and Access Management (IAM) policies to control who has access to Oracle Cloud Infrastructure Service Mesh resources and what type of access is granted.
By default, only users in the Administrators group have access to all Service Mesh resources. Any other user must be granted access explicitly through a policy.
Service Mesh access policies differ from IAM policies:
- IAM policies define which groups and users can access which OCI resources, including service mesh resources. Examples:
  - Who can create a service mesh?
  - Who can manage the virtual deployments in a certain compartment?
- Service Mesh access policies define which services in a service mesh can talk to each other and in which direction. Examples:
  - Which virtual services can talk to virtual service A?
  - Which services can virtual service B talk to?
To learn more about IAM policies, see:
- Getting Started with Policies
- Policy Reference, a list of all policies in Oracle Cloud Infrastructure.
Resource-Types
To give users access to Service Mesh resources, create IAM policies with Service Mesh resource types.
For access to all Service Mesh resources, use the aggregate resource type service-mesh-family. Example:
allow group MeshManagers to manage service-mesh-family in compartment B
service-mesh-family includes the following individual resource types:
- service-meshes
- mesh-virtual-services
- mesh-virtual-service-route-tables
- mesh-virtual-deployments
- mesh-ingress-gateways
- mesh-ingress-gateway-route-tables
- mesh-access-policies
- mesh-work-requests
If service-mesh-family includes a resource type that you don't want users to access, create policies with the individual resource types instead.
For example, to allow a group of users to manage Service Mesh access policies without allowing them to create service meshes, write:
allow group MeshUsers to manage mesh-access-policies in compartment B
Details for Verb + Resource-Type Combinations
This topic lists the permissions and API operations that each of the verbs inspect, read, use, and manage grants on each of the Service Mesh resource types.
The level of access is cumulative as you go from inspect to read to use to manage. For example, users with read permission to service-mesh-family can perform read and inspect operations, but are not allowed use and manage operations.
The permissions and operations for each resource type follow.
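As an added example (not part of the Oracle documentation), the following Python models the cumulative verb order and the service-mesh-family expansion described above, and evaluates the two policy statements from the Resource-Types section against them. The statement grammar it parses is limited to the "allow group ... to VERB TYPE in compartment C" form used on this page; other policy syntax is rejected.

```python
# Added example (not from the OCI documentation): a small evaluator for the
# policy statements on this page, modelling the cumulative verb order
# inspect < read < use < manage and the service-mesh-family aggregate type.
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Individual resource types that service-mesh-family aggregates (from the page).
SERVICE_MESH_FAMILY = {
    "service-meshes", "mesh-virtual-services", "mesh-virtual-service-route-tables",
    "mesh-virtual-deployments", "mesh-ingress-gateways",
    "mesh-ingress-gateway-route-tables", "mesh-access-policies", "mesh-work-requests",
}

# Only the statement shape used on this page is supported.
STATEMENT = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>\S+) in compartment (?P<compartment>\S+)$", re.IGNORECASE)


def parse_statement(text):
    """Parse one 'allow group ... to VERB TYPE in compartment C' statement."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    d = m.groupdict()
    d["verb"] = d["verb"].lower()
    return d


def expand_resource_type(rtype):
    """The aggregate type expands to every member; any other type stands alone."""
    return set(SERVICE_MESH_FAMILY) if rtype == "service-mesh-family" else {rtype}


def is_allowed(policies, group, verb, rtype, compartment):
    """True if some statement grants `group` at least `verb` on `rtype` in `compartment`.
    A higher verb implies every lower one (read covers inspect, and so on)."""
    for s in map(parse_statement, policies):
        if (s["group"] == group and s["compartment"] == compartment
                and rtype in expand_resource_type(s["rtype"])
                and VERB_RANK[s["verb"]] >= VERB_RANK[verb]):
            return True
    return False


# Constructed policy set built from the two statements in the Resource-Types section.
POLICIES = [
    "allow group MeshManagers to manage service-mesh-family in compartment B",
    "allow group MeshUsers to manage mesh-access-policies in compartment B",
]
```

With these statements, MeshUsers can manage access policies but cannot even inspect service meshes, which is the narrowing the Resource-Types section describes.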
service-meshes
This table lists the permissions and the APIs for the service-meshes resource. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
allow group MeshReaders to read service-meshes in compartment B
With this policy, users in the MeshReaders group can perform both inspect and read operations:
- Allowed operation for inspect: ListMeshes, list the service meshes in compartment B.
- Allowed operation for read: GetMesh, get details for a specific service mesh in compartment B.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | SERVICE_MESH_LIST | ListMeshes | none |
read | | | none |
use | | | none |
manage | | | none |
(1) SERVICE_MESH_ATTACH allows you to create and attach child objects (virtual service, access policy, and so on) to a particular parent mesh. SERVICE_MESH_DELETE allows the deletion of child objects.
mesh-virtual-services
This table lists the permissions and the APIs for the mesh-virtual-services resource. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
allow group VirtualServiceUsers to use mesh-virtual-services in compartment B
With this policy, users in the VirtualServiceUsers group can perform inspect, read, and use operations:
- Allowed operation for inspect: ListVirtualService, list the virtual services in the specified mesh.
- Allowed operation for read: GetVirtualService, get details for a specific virtual service.
- Allowed operation for use: UpdateVirtualService, update the details of a specific virtual service.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | MESH_VIRTUAL_SERVICE_LIST | ListVirtualService | none |
read | | | none |
use | | | none |
manage | | | |
mesh-virtual-service-route-tables
This table lists the permissions and the APIs for the mesh-virtual-service-route-tables resource. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
allow group VirtualServiceManagers to manage mesh-virtual-service-route-tables in compartment B
With this policy, users in the VirtualServiceManagers group can perform inspect, read, use, and manage operations:
- Allowed operation for inspect: ListVirtualServiceRouteTable, list the virtual service route tables in the specified virtual service.
- Allowed operation for read: GetVirtualServiceRouteTable, get details for a specific virtual service route table.
- Allowed operations for manage: UpdateVirtualServiceRouteTable, update the details of a specific virtual service route table; ChangeVirtualServiceRouteTableCompartment, change the compartment for a specific virtual service route table.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_LIST | ListVirtualServiceRouteTable | none |
read | | | none |
use | no extra | no extra | none |
manage | | | |
mesh-virtual-deployments
This table lists the permissions and the APIs for the mesh-virtual-deployments resource. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
allow group VirtualDeploymentsReaders to read mesh-virtual-deployments in compartment B
With this policy, users in the VirtualDeploymentsReaders group can perform both inspect and read operations:
- Allowed operation for inspect: ListVirtualDeployment, list the virtual deployments in the specified virtual service.
- Allowed operation for read: GetVirtualDeployment, get details for a specific virtual deployment.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | MESH_VIRTUAL_DEPLOYMENT_LIST | ListVirtualDeployment | none |
read | | | none |
use | | | none |
manage | | | |
(1) MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ: this permission allows the proxy to fetch bootstrap configuration from the metadata service at startup.
mesh-ingress-gateways
This table lists the permissions and the APIs for the mesh-ingress-gateways resource. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
allow group IngressGatewayUsers to use mesh-ingress-gateways in compartment B
With this policy, users in the IngressGatewayUsers group can perform inspect, read, and use operations:
- Allowed operation for inspect: ListIngressGateways, list the ingress gateways in compartment B.
- Allowed operations for read: GetIngressGateway, get details for a specific ingress gateway in compartment B, and GetIngressGatewayProxyBootstrapConfig.
- Allowed operation for use: UpdateIngressGateway, update the details of a specific ingress gateway.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | MESH_INGRESS_GATEWAY_LIST | ListIngressGateways | none |
read | | | none |
use | | | none |
manage | | | |
(1) MESH_INGRESS_GATEWAY_PROXY_CONFIG_READ: this permission allows the proxy to fetch bootstrap configuration from the metadata service at startup.
mesh-ingress-gateway-route-tables
This table lists the permissions and the APIs for the mesh-ingress-gateway-route-tables resource. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
allow group IngressGatewayManagers to manage mesh-ingress-gateway-route-tables in compartment B
With this policy, users in the IngressGatewayManagers group can perform inspect, read, use, and manage operations:
- Allowed operation for inspect: ListIngressGatewayRouteTables, list the ingress gateway route tables for a specific ingress gateway.
- Allowed operation for read: GetIngressGatewayRouteTable, get details for a specific ingress gateway route table.
- Allowed operations for manage: UpdateIngressGatewayRouteTable, update the details of a specific ingress gateway route table; ChangeIngressGatewayRouteTableCompartment, change the compartment for a specific ingress gateway route table.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | MESH_INGRESS_GATEWAY_ROUTE_TABLE_LIST | ListIngressGatewayRouteTables | none |
read | | | none |
use | no extra | no extra | none |
manage | | | |
mesh-work-requests
This table lists the permissions and the APIs that are fully covered by the mesh-work-requests resource. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
allow group WorkRequestReaders to read mesh-work-requests in compartment B
With this policy, users in the WorkRequestReaders group can perform both inspect and read operations:
- Allowed operation for inspect: ListWorkRequests, list the work requests in the specified compartment.
- Allowed operations for read: GetWorkRequest, get details for a specific work request in compartment B; ListWorkRequestErrors; and ListWorkRequestLogs.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | MESH_WORK_REQUEST_LIST | ListWorkRequests | none |
read | | | none |
use | no extra | no extra | none |
manage | no extra | no extra | none |
mesh-access-policies
This table lists the permissions and the APIs for the mesh-access-policies resource. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
allow group AccessPolicyReaders to read mesh-access-policies in compartment B
With this policy, users in the AccessPolicyReaders group can perform both inspect and read operations:
- Allowed operation for inspect: ListAccessPolicies, list the access policies in compartment B.
- Allowed operation for read: GetAccessPolicy, get details for a specific access policy.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | MESH_ACCESS_POLICY_LIST | ListAccessPolicies | none |
read | | | none |
use | no extra | | none |
manage | | | |
Permissions Required for Each API Operation
The following table lists the Service Mesh API operations in a logical order, grouped by resource type. Where two permissions are joined with "&", both are required; StreamXDS accepts either of the two proxy-config permissions.
For more information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
CreateMesh | SERVICE_MESH_CREATE |
GetMesh | SERVICE_MESH_READ |
UpdateMesh | SERVICE_MESH_UPDATE |
DeleteMesh | SERVICE_MESH_DELETE |
ListMeshes | SERVICE_MESH_LIST |
ChangeMeshCompartment | SERVICE_MESH_MOVE |
CreateVirtualService | MESH_VIRTUAL_SERVICE_CREATE & MESH_ATTACH |
GetVirtualService | MESH_VIRTUAL_SERVICE_READ |
UpdateVirtualService | MESH_VIRTUAL_SERVICE_UPDATE |
DeleteVirtualService | MESH_VIRTUAL_SERVICE_DELETE & MESH_DETACH |
ListVirtualService | MESH_VIRTUAL_SERVICE_LIST |
ChangeVirtualServiceCompartment | MESH_VIRTUAL_SERVICE_MOVE |
GetWorkRequest | MESH_WORK_REQUEST_READ |
ListWorkRequests | MESH_WORK_REQUEST_LIST |
ListWorkRequestErrors | MESH_WORK_REQUEST_READ |
ListWorkRequestLogs | MESH_WORK_REQUEST_READ |
CreateAccessPolicy | MESH_ACCESS_POLICY_CREATE & MESH_ATTACH |
GetAccessPolicy | MESH_ACCESS_POLICY_READ |
UpdateAccessPolicy | MESH_ACCESS_POLICY_UPDATE |
DeleteAccessPolicy | MESH_ACCESS_POLICY_DELETE & MESH_DETACH |
ListAccessPolicies | MESH_ACCESS_POLICY_LIST |
ChangeAccessPolicyCompartment | MESH_ACCESS_POLICY_MOVE |
CreateVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_CREATE & MESH_VIRTUAL_SERVICE_ATTACH |
GetVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_READ |
UpdateVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_UPDATE |
DeleteVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_DELETE & MESH_VIRTUAL_SERVICE_DETACH |
ListVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_LIST |
ChangeVirtualDeploymentCompartment | MESH_VIRTUAL_DEPLOYMENT_MOVE |
CreateVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_CREATE & MESH_VIRTUAL_SERVICE_ATTACH |
GetVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_READ |
UpdateVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_UPDATE |
DeleteVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_DELETE & MESH_VIRTUAL_SERVICE_DETACH |
ListVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_LIST |
ChangeVirtualServiceRouteTableCompartment | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_MOVE |
CreateIngressGateway | MESH_INGRESS_GATEWAY_CREATE & MESH_ATTACH |
GetIngressGateway | MESH_INGRESS_GATEWAY_READ |
UpdateIngressGateway | MESH_INGRESS_GATEWAY_UPDATE |
DeleteIngressGateway | MESH_INGRESS_GATEWAY_DELETE & MESH_DETACH |
ListIngressGateways | MESH_INGRESS_GATEWAY_LIST |
ChangeIngressGatewayCompartment | MESH_INGRESS_GATEWAY_MOVE |
CreateIngressGatewayRouteTable | MESH_INGRESS_GATEWAY_ROUTE_TABLE_CREATE & MESH_INGRESS_GATEWAY_ATTACH |
GetIngressGatewayRouteTable | MESH_INGRESS_GATEWAY_ROUTE_TABLE_READ |
UpdateIngressGatewayRouteTable | MESH_INGRESS_GATEWAY_ROUTE_TABLE_UPDATE |
DeleteIngressGatewayRouteTable | MESH_INGRESS_GATEWAY_ROUTE_TABLE_DELETE & MESH_INGRESS_GATEWAY_DETACH |
ListIngressGatewayRouteTables | MESH_INGRESS_GATEWAY_ROUTE_TABLE_LIST |
ChangeIngressGatewayRouteTableCompartment | MESH_INGRESS_GATEWAY_ROUTE_TABLE_MOVE |
GetVirtualDeploymentProxyBootstrapConfig | MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ |
GetIngressGatewayProxyBootstrapConfig | MESH_INGRESS_GATEWAY_PROXY_CONFIG_READ |
GetProxyVersion | MESH_PROXY_DETAILS_READ |
StreamXDS | MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ or MESH_INGRESS_GATEWAY_PROXY_CONFIG_READ |
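The point of the "&" rows is easy to miss when writing narrow policies: creating or deleting a child object needs a permission on its own resource type plus an ATTACH or DETACH permission that comes from the parent. The following Python, added here and not part of the Oracle documentation, transcribes a handful of rows from the table above and reports which operations a given set of permissions actually unlocks; the permission set it checks is constructed for the example.

```python
# Added example, not from the OCI documentation: evaluate which Service Mesh
# API operations a set of granted permissions unlocks, using rows transcribed
# from the table above. A tuple lists permissions that are ALL required (the
# '&' rows); a frozenset lists alternatives of which ONE suffices (StreamXDS).
API_REQUIREMENTS = {
    "CreateMesh": ("SERVICE_MESH_CREATE",),
    "GetMesh": ("SERVICE_MESH_READ",),
    "CreateVirtualService": ("MESH_VIRTUAL_SERVICE_CREATE", "MESH_ATTACH"),
    "UpdateVirtualService": ("MESH_VIRTUAL_SERVICE_UPDATE",),
    "DeleteVirtualService": ("MESH_VIRTUAL_SERVICE_DELETE", "MESH_DETACH"),
    "CreateVirtualDeployment": ("MESH_VIRTUAL_DEPLOYMENT_CREATE",
                                "MESH_VIRTUAL_SERVICE_ATTACH"),
    "GetVirtualDeploymentProxyBootstrapConfig":
        ("MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ",),
    "StreamXDS": frozenset({"MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ",
                            "MESH_INGRESS_GATEWAY_PROXY_CONFIG_READ"}),
}


def missing_permissions(granted, operation):
    """Permissions still lacking for `operation`; an empty set means allowed."""
    required = API_REQUIREMENTS[operation]  # KeyError for an operation not transcribed
    if isinstance(required, frozenset):
        return set() if required & granted else set(required)
    return {p for p in required if p not in granted}


def operation_allowed(granted, operation):
    return not missing_permissions(granted, operation)


def allowed_operations(granted):
    """Every transcribed operation that `granted` fully unlocks, sorted by name."""
    return sorted(op for op in API_REQUIREMENTS if operation_allowed(granted, op))


# Constructed permission set: a principal allowed to create and update virtual
# services on that resource type, but given nothing on the parent mesh.
NARROW_GRANT = {"MESH_VIRTUAL_SERVICE_CREATE", "MESH_VIRTUAL_SERVICE_UPDATE"}
```

With NARROW_GRANT, UpdateVirtualService is the only operation unlocked; CreateVirtualService still reports MESH_ATTACH as missing until the parent-mesh permission is added.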
Supported Variables
Service Mesh supports all the general variables, plus the ones listed here.
For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.
Variable | Variable Type |
---|---|
target.mesh.id | OCID |
target.ingressgateway.id | OCID |
target.virtualservice.id | OCID |
Policy Examples
Learn about Service Mesh IAM policies using examples.
- Allow users in the group MeshAdmins to perform all operations against all Service Mesh resources in compartment sales-app:
  allow group MeshAdmins to manage service-mesh-family in compartment sales-app
- Allow the VirtualServiceManagers group to perform administrative operations against mesh virtual services, including creating, deleting, and updating virtual service route tables:
  allow group VirtualServiceManagers to use meshes in compartment sales-app
  allow group VirtualServiceManagers to manage mesh-virtual-services in compartment sales-app
  allow group VirtualServiceManagers to manage mesh-virtual-service-route-tables in compartment sales-app