Service Mesh IAM Policies

Create Identity and Access Management (IAM) policies to control who has access to Oracle Cloud Infrastructure Service Mesh resources and what type of access is granted.

By default, only users in the Administrators group have access to all Service Mesh resources. For other users, you must give them access.

Note

Service Mesh access policies differ from IAM policies:
  • IAM policies define which groups and users can access which OCI resources, including service mesh resources. Example:
    • Who can create a service mesh?
    • Who can manage the virtual deployments in a certain compartment?
  • Service Mesh access policies define which services in a service mesh can talk to each other and in which direction. Example:
    • Which virtual services can talk to virtual service A?
    • Which services can virtual service B talk to?

To learn more about IAM policies, see:

Resource-Types

To give users access to Service Mesh resources, create IAM policies with Service Mesh resource types.

For access to all Service Mesh resources, use the aggregate resource type:

  • service-mesh-family

Example:

allow group MeshManagers to manage service-mesh-family in compartment B

service-mesh-family includes the following individual resource types:

  • service-meshes
  • mesh-virtual-services
  • mesh-virtual-service-route-tables
  • mesh-virtual-deployments
  • mesh-ingress-gateways
  • mesh-ingress-gateway-route-tables
  • mesh-access-policies
  • mesh-work-requests

If service-mesh-family has a resource type that you don't want users to access, then create policies with individual resource types.

For example, to allow a group of users to manage Service Mesh access policies, without allowing them to create the service meshes, write:

allow group MeshUsers to manage mesh-access-policies in compartment B

Details for Verb + Resource-Type Combinations

This topic lists the permissions and API operations for each of the Service Mesh resource types.

Four verbs define the permissions and API operations for Oracle Cloud Infrastructure resources:
  • inspect
  • read
  • use
  • manage

The level of access is cumulative as you go from inspect to read to use to manage.

For example, users with read permission on service-mesh-family can perform read and inspect operations, but not use and manage operations.

To review the permissions and operations, expand each resource type in this topic.
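The verb cumulation and the aggregate resource type described above, modelled in Python as an added example (not code from the OCI documentation or the Service Mesh service). It parses policy statements in the form this page uses and answers "does group G have at least verb V on resource type R in compartment C?". The verb order and resource-type names are the page's; the policy statements used as input are the page's own examples.

```python
"""Verb cumulation and the service-mesh-family aggregate, modelled in Python.

Added example; not from the OCI documentation. Verb order and resource-type names
come from the page; the sample statements below are the page's own examples.
"""
import re
from dataclasses import dataclass

# Least to most access; each verb includes everything granted by the verbs before it.
VERBS = ["inspect", "read", "use", "manage"]

# Individual resource types that the aggregate type service-mesh-family stands for.
SERVICE_MESH_FAMILY = frozenset({
    "service-meshes", "mesh-virtual-services", "mesh-virtual-service-route-tables",
    "mesh-virtual-deployments", "mesh-ingress-gateways",
    "mesh-ingress-gateway-route-tables", "mesh-access-policies", "mesh-work-requests",
})

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+compartment\s+(?P<compartment>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Grant:
    group: str
    verb: str
    resource: str
    compartment: str


def parse_statement(text):
    """Parse one 'allow group ... to VERB RESOURCE in compartment C' statement."""
    match = STATEMENT_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unsupported policy statement: {text!r}")
    return Grant(match["group"], match["verb"].lower(),
                 match["resource"].lower(), match["compartment"])


def expand_resource(resource):
    """The aggregate type expands to every individual type; others stand alone."""
    return set(SERVICE_MESH_FAMILY) if resource == "service-mesh-family" else {resource}


def is_allowed(grants, group, verb, resource, compartment):
    """True when some grant gives `group` at least `verb` on `resource` in `compartment`.

    Verbs are cumulative: a manage grant satisfies a use, read or inspect check,
    while a read grant does not satisfy a use check.
    """
    wanted = VERBS.index(verb)
    return any(
        g.group == group
        and g.compartment == compartment
        and resource in expand_resource(g.resource)
        and VERBS.index(g.verb) >= wanted
        for g in grants
    )


def effective_verbs(grants, group, resource, compartment):
    """All verbs `group` effectively holds on `resource`, lowest to highest."""
    return [v for v in VERBS if is_allowed(grants, group, v, resource, compartment)]


# The page's own example statements.
POLICY = [
    "allow group MeshManagers to manage service-mesh-family in compartment B",
    "allow group MeshUsers to manage mesh-access-policies in compartment B",
    "allow group MeshReaders to read service-meshes in compartment B",
]
GRANTS = [parse_statement(s) for s in POLICY]

if __name__ == "__main__":
    # read on service-meshes also allows inspect, but not use or manage
    print(effective_verbs(GRANTS, "MeshReaders", "service-meshes", "B"))
    # MeshUsers manage access policies but cannot even list meshes
    print(is_allowed(GRANTS, "MeshUsers", "inspect", "service-meshes", "B"))
    # the aggregate covers every individual type, but only in compartment B
    print(is_allowed(GRANTS, "MeshManagers", "manage", "mesh-work-requests", "B"))
    print(is_allowed(GRANTS, "MeshManagers", "inspect", "mesh-work-requests", "C"))
```

The check is per compartment: a grant in compartment B says nothing about compartment C, and a grant on an individual type says nothing about the other members of the family, which is what makes the individual types the least-privilege choice when the family includes a type the group should not touch.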

service-meshes

This table lists the permissions and the APIs for the service-meshes resource.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

Example:
allow group MeshReaders to read service-meshes in compartment B
With this policy, users in the MeshReaders group can perform both inspect and read operations:
  • Allowed operation for inspect: ListMeshes, list the service-meshes in compartment B.
  • Allowed operation for read: GetMesh, get details for a specific service mesh in compartment B.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | SERVICE_MESH_LIST | ListMeshes | none |
| read | inspect + SERVICE_MESH_READ | inspect + GetMesh | none |
| use | read + SERVICE_MESH_UPDATE, SERVICE_MESH_ATTACH(1), SERVICE_MESH_DETACH(1) | read + UpdateMesh | none |
| manage | use + SERVICE_MESH_CREATE, SERVICE_MESH_DELETE, SERVICE_MESH_MOVE | use + CreateMesh, DeleteMesh, ChangeMeshCompartment | none |

(1) SERVICE_MESH_ATTACH allows you to create and attach child objects (virtual service, access policy, and so on) to a particular parent mesh. SERVICE_MESH_DETACH allows the deletion of child objects.

mesh-virtual-services

This table lists the permissions and the APIs for the mesh-virtual-services resource.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

Example:
allow group VirtualServiceUsers to use mesh-virtual-services in compartment B
With this policy, users in the VirtualServiceUsers group can perform inspect, read, and use operations:
  • Allowed operation for inspect: ListVirtualService, list the virtual services in the specified mesh.
  • Allowed operation for read: GetVirtualService, get details for a specific virtual service.
  • Allowed operation for use: UpdateVirtualService, update the details of a specific virtual service.

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | MESH_VIRTUAL_SERVICE_LIST | ListVirtualService | none |
| read | inspect + MESH_VIRTUAL_SERVICE_READ | inspect + GetVirtualService | none |
| use | read + MESH_VIRTUAL_SERVICE_UPDATE, MESH_VIRTUAL_SERVICE_ATTACH, MESH_VIRTUAL_SERVICE_DETACH | read + UpdateVirtualService | none |
| manage | use + MESH_VIRTUAL_SERVICE_CREATE, MESH_VIRTUAL_SERVICE_DELETE, MESH_VIRTUAL_SERVICE_MOVE | use + ChangeVirtualServiceCompartment | CreateVirtualService (also needs use meshes to perform MESH_ATTACH); DeleteVirtualService (also needs use meshes to perform MESH_DETACH) |

mesh-virtual-service-route-tables

This table lists the permissions and the APIs for the mesh-virtual-service-route-tables resource.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

Example:
allow group VirtualServiceManagers to manage mesh-virtual-service-route-tables in compartment B
With this policy, users in the VirtualServiceManagers group can perform inspect, read, use, and manage operations:
  • Allowed operation for inspect: ListVirtualServiceRouteTable, list the route tables of the specified virtual service.
  • Allowed operation for read: GetVirtualServiceRouteTable, get details for a specific virtual service route table.
  • Allowed operations for manage: UpdateVirtualServiceRouteTable, update the details of a specific virtual service route table; ChangeVirtualServiceRouteTableCompartment, change the compartment of a specific virtual service route table.

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_LIST | ListVirtualServiceRouteTable | none |
| read | inspect + MESH_VIRTUAL_SERVICE_ROUTE_TABLE_READ | inspect + GetVirtualServiceRouteTable | none |
| use | no extra | no extra | none |
| manage | use + MESH_VIRTUAL_SERVICE_ROUTE_TABLE_CREATE, MESH_VIRTUAL_SERVICE_ROUTE_TABLE_DELETE, MESH_VIRTUAL_SERVICE_ROUTE_TABLE_UPDATE, MESH_VIRTUAL_SERVICE_ROUTE_TABLE_MOVE | use + UpdateVirtualServiceRouteTable, ChangeVirtualServiceRouteTableCompartment | CreateVirtualServiceRouteTable (also needs use mesh-virtual-services to perform MESH_VIRTUAL_SERVICE_ATTACH); DeleteVirtualServiceRouteTable (also needs use mesh-virtual-services to perform MESH_VIRTUAL_SERVICE_DETACH) |

mesh-virtual-deployments

This table lists the permissions and the APIs for the mesh-virtual-deployments resource.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

Example:
allow group VirtualDeploymentsReaders to read mesh-virtual-deployments in compartment B
With this policy, users in the VirtualDeploymentsReaders group can perform both inspect and read operations:
  • Allowed operation for inspect: ListVirtualDeployment, list the virtual deployments in the specified virtual service.
  • Allowed operation for read: GetVirtualDeployment, get details for a specific virtual deployment.

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | MESH_VIRTUAL_DEPLOYMENT_LIST | ListVirtualDeployment | none |
| read | inspect + MESH_VIRTUAL_DEPLOYMENT_READ, MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ(1), MESH_PROXY_DETAILS_READ | inspect + GetVirtualDeployment | none |
| use | read + MESH_VIRTUAL_DEPLOYMENT_UPDATE | read + UpdateVirtualDeployment | none |
| manage | use + MESH_VIRTUAL_DEPLOYMENT_CREATE, MESH_VIRTUAL_DEPLOYMENT_DELETE, MESH_VIRTUAL_DEPLOYMENT_MOVE | use + ChangeVirtualDeploymentCompartment | CreateVirtualDeployment (also needs use mesh-virtual-services to perform MESH_VIRTUAL_SERVICE_ATTACH); DeleteVirtualDeployment (also needs use mesh-virtual-services to perform MESH_VIRTUAL_SERVICE_DETACH) |

(1) MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ allows the proxy to fetch its bootstrap configuration from the metadata service at startup.

mesh-ingress-gateways

This table lists the permissions and the APIs for the mesh-ingress-gateways resource.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

Example:
allow group IngressGatewayUsers to use mesh-ingress-gateways in compartment B
With this policy, users in the IngressGatewayUsers group can perform inspect, read, and use operations:
  • Allowed operation for inspect: ListIngressGateways, list the ingress gateways in compartment B.
  • Allowed operations for read: GetIngressGateway, get details for a specific ingress gateway in compartment B; GetIngressGatewayProxyBootstrapConfig.
  • Allowed operation for use: UpdateIngressGateway, update the details of a specific ingress gateway.

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | MESH_INGRESS_GATEWAY_LIST | ListIngressGateways | none |
| read | inspect + MESH_INGRESS_GATEWAY_READ, MESH_INGRESS_GATEWAY_PROXY_CONFIG_READ(1), MESH_PROXY_DETAILS_READ | inspect + GetIngressGateway, GetIngressGatewayProxyBootstrapConfig | none |
| use | read + MESH_INGRESS_GATEWAY_UPDATE, MESH_INGRESS_GATEWAY_ATTACH, MESH_INGRESS_GATEWAY_DETACH | read + UpdateIngressGateway | none |
| manage | use + MESH_INGRESS_GATEWAY_CREATE, MESH_INGRESS_GATEWAY_DELETE, MESH_INGRESS_GATEWAY_MOVE | use + ChangeIngressGatewayCompartment | CreateIngressGateway (also needs use meshes to perform MESH_ATTACH); DeleteIngressGateway (also needs use meshes to perform MESH_DETACH) |

(1) MESH_INGRESS_GATEWAY_PROXY_CONFIG_READ allows the proxy to fetch its bootstrap configuration from the metadata service at startup.

mesh-ingress-gateway-route-tables

This table lists the permissions and the APIs for the mesh-ingress-gateway-route-tables resource.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

Example:
allow group IngressGatewayManagers to manage mesh-ingress-gateway-route-tables in compartment B
With this policy, users in the IngressGatewayManagers group can perform inspect, read, use, and manage operations:
  • Allowed operation for inspect: ListIngressGatewayRouteTables, list the route tables of a specific ingress gateway.
  • Allowed operation for read: GetIngressGatewayRouteTable, get details for a specific ingress gateway route table.
  • Allowed operations for manage: UpdateIngressGatewayRouteTable, update the details of a specific ingress gateway route table; ChangeIngressGatewayRouteTableCompartment, change the compartment of a specific ingress gateway route table.

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | MESH_INGRESS_GATEWAY_ROUTE_TABLE_LIST | ListIngressGatewayRouteTables | none |
| read | inspect + MESH_INGRESS_GATEWAY_ROUTE_TABLE_READ | inspect + GetIngressGatewayRouteTable | none |
| use | no extra | no extra | none |
| manage | use + MESH_INGRESS_GATEWAY_ROUTE_TABLE_CREATE, MESH_INGRESS_GATEWAY_ROUTE_TABLE_DELETE, MESH_INGRESS_GATEWAY_ROUTE_TABLE_UPDATE, MESH_INGRESS_GATEWAY_ROUTE_TABLE_MOVE | use + UpdateIngressGatewayRouteTable, ChangeIngressGatewayRouteTableCompartment | CreateIngressGatewayRouteTable (also needs use mesh-ingress-gateways to perform MESH_INGRESS_GATEWAY_ATTACH); DeleteIngressGatewayRouteTable (also needs use mesh-ingress-gateways to perform MESH_INGRESS_GATEWAY_DETACH) |

mesh-work-requests

This table lists the permissions and the APIs that are fully covered by the mesh-work-requests resource.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

Example:
allow group WorkRequestReaders to read mesh-work-requests in compartment B
With this policy, users in the WorkRequestReaders group can perform both inspect and read operations:
  • Allowed operation for inspect: ListWorkRequests, list the work requests in the specified compartment.
  • Allowed operations for read: GetWorkRequest, get details for a specific work request in compartment B; ListWorkRequestErrors; ListWorkRequestLogs.

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | MESH_WORK_REQUEST_LIST | ListWorkRequests | none |
| read | inspect + MESH_WORK_REQUEST_READ | inspect + GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs | none |
| use | no extra | no extra | none |
| manage | no extra | no extra | none |

mesh-access-policies

This table lists the permissions and the APIs for the mesh-access-policies resource.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

Example:
allow group AccessPolicyReaders to read mesh-access-policies in compartment B
With this policy, users in the AccessPolicyReaders group can perform both inspect and read operations:
  • Allowed operation for inspect: ListAccessPolicies, list the access policies in compartment B.
  • Allowed operation for read: GetAccessPolicy, get details for a specific access policy.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | MESH_ACCESS_POLICY_LIST | ListAccessPolicies | none |
| read | inspect + MESH_ACCESS_POLICY_READ | inspect + GetAccessPolicy | none |
| use | no extra | no extra | none |
| manage | use + MESH_ACCESS_POLICY_CREATE, MESH_ACCESS_POLICY_DELETE, MESH_ACCESS_POLICY_UPDATE, MESH_ACCESS_POLICY_MOVE | use + UpdateAccessPolicy, ChangeAccessPolicyCompartment | CreateAccessPolicy (also needs use meshes to perform MESH_ATTACH); DeleteAccessPolicy (also needs use meshes to perform MESH_DETACH) |

Permissions Required for Each API Operation

The following table lists the Service Mesh API operations in a logical order, grouped by resource type.

For more information about permissions, see Permissions.

| API Operation | Permissions Required to Use the Operation |
|---|---|
| CreateMesh | SERVICE_MESH_CREATE |
| GetMesh | SERVICE_MESH_READ |
| UpdateMesh | SERVICE_MESH_UPDATE |
| DeleteMesh | SERVICE_MESH_DELETE |
| ListMeshes | SERVICE_MESH_LIST |
| ChangeMeshCompartment | SERVICE_MESH_MOVE |
| CreateVirtualService | MESH_VIRTUAL_SERVICE_CREATE & MESH_ATTACH |
| GetVirtualService | MESH_VIRTUAL_SERVICE_READ |
| UpdateVirtualService | MESH_VIRTUAL_SERVICE_UPDATE |
| DeleteVirtualService | MESH_VIRTUAL_SERVICE_DELETE & MESH_DETACH |
| ListVirtualService | MESH_VIRTUAL_SERVICE_LIST |
| ChangeVirtualServiceCompartment | MESH_VIRTUAL_SERVICE_MOVE |
| GetWorkRequest | MESH_WORK_REQUEST_READ |
| ListWorkRequests | MESH_WORK_REQUEST_LIST |
| ListWorkRequestErrors | MESH_WORK_REQUEST_READ |
| ListWorkRequestLogs | MESH_WORK_REQUEST_READ |
| CreateAccessPolicy | MESH_ACCESS_POLICY_CREATE & MESH_ATTACH |
| GetAccessPolicy | MESH_ACCESS_POLICY_READ |
| UpdateAccessPolicy | MESH_ACCESS_POLICY_UPDATE |
| DeleteAccessPolicy | MESH_ACCESS_POLICY_DELETE & MESH_DETACH |
| ListAccessPolicies | MESH_ACCESS_POLICY_LIST |
| ChangeAccessPolicyCompartment | MESH_ACCESS_POLICY_MOVE |
| CreateVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_CREATE & MESH_VIRTUAL_SERVICE_ATTACH |
| GetVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_READ |
| UpdateVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_UPDATE |
| DeleteVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_DELETE & MESH_VIRTUAL_SERVICE_DETACH |
| ListVirtualDeployment | MESH_VIRTUAL_DEPLOYMENT_LIST |
| ChangeVirtualDeploymentCompartment | MESH_VIRTUAL_DEPLOYMENT_MOVE |
| CreateVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_CREATE & MESH_VIRTUAL_SERVICE_ATTACH |
| GetVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_READ |
| UpdateVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_UPDATE |
| DeleteVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_DELETE & MESH_VIRTUAL_SERVICE_DETACH |
| ListVirtualServiceRouteTable | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_LIST |
| ChangeVirtualServiceRouteTableCompartment | MESH_VIRTUAL_SERVICE_ROUTE_TABLE_MOVE |
| CreateIngressGateway | MESH_INGRESS_GATEWAY_CREATE & MESH_ATTACH |
| GetIngressGateway | MESH_INGRESS_GATEWAY_READ |
| UpdateIngressGateway | MESH_INGRESS_GATEWAY_UPDATE |
| DeleteIngressGateway | MESH_INGRESS_GATEWAY_DELETE & MESH_DETACH |
| ListIngressGateways | MESH_INGRESS_GATEWAY_LIST |
| ChangeIngressGatewayCompartment | MESH_INGRESS_GATEWAY_MOVE |
| CreateIngressGatewayRouteTable | MESH_INGRESS_GATEWAY_ROUTE_TABLE_CREATE & MESH_INGRESS_GATEWAY_ATTACH |
| GetIngressGatewayRouteTable | MESH_INGRESS_GATEWAY_ROUTE_TABLE_READ |
| UpdateIngressGatewayRouteTable | MESH_INGRESS_GATEWAY_ROUTE_TABLE_UPDATE |
| DeleteIngressGatewayRouteTable | MESH_INGRESS_GATEWAY_ROUTE_TABLE_DELETE & MESH_INGRESS_GATEWAY_DETACH |
| ListIngressGatewayRouteTables | MESH_INGRESS_GATEWAY_ROUTE_TABLE_LIST |
| ChangeIngressGatewayRouteTableCompartment | MESH_INGRESS_GATEWAY_ROUTE_TABLE_MOVE |
| GetVirtualDeploymentProxyBootstrapConfig | MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ |
| GetIngressGatewayProxyBootstrapConfig | MESH_INGRESS_GATEWAY_PROXY_CONFIG_READ |
| GetProxyVersion | MESH_PROXY_DETAILS_READ |
| StreamXDS | MESH_VIRTUAL_DEPLOYMENT_PROXY_CONFIG_READ or MESH_INGRESS_GATEWAY_PROXY_CONFIG_READ |

Supported Variables

Service Mesh supports all the general variables, plus the ones listed here.

For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.

| Variable | Variable Type |
|---|---|
| target.mesh.id | OCID |
| target.ingressgateway.id | OCID |
| target.virtualservice.id | OCID |

Policy Examples

Learn about Service Mesh IAM policies using examples.

  • Allow users in the group MeshAdmins to perform all operations against all Service Mesh resources in compartment sales-app:

    allow group MeshAdmins to manage service-mesh-family in compartment sales-app
  • Allow the VirtualServiceManagers group to perform administrative operations against mesh virtual services, including creating, deleting, and updating virtual service route tables:

    allow group VirtualServiceManagers to use meshes in compartment sales-app
    allow group VirtualServiceManagers to manage mesh-virtual-services in compartment sales-app
    allow group VirtualServiceManagers to manage mesh-virtual-service-route-tables in compartment sales-app
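The second policy example above needs all three statements because the "Permissions Required for Each API Operation" table lists two permissions for the create and delete operations of child resources: the child's own CREATE or DELETE permission plus an ATTACH or DETACH permission on the parent, which comes from a use grant on the parent type. The following Python is an added example, not code from the OCI documentation or the Service Mesh service: it transcribes a subset of the page's permission tables and reports which API operations a set of grants covers and which permission is missing when one is not. Grants are given as (verb, resource-type, compartment) tuples for a single group, here the page's VirtualServiceManagers example in compartment sales-app. The page writes the parent-mesh permission as MESH_ATTACH/MESH_DETACH in the API table and as SERVICE_MESH_ATTACH/SERVICE_MESH_DETACH in the service-meshes table; the example assumes both spellings name the same permission and uses the API table's form.

```python
"""Permission-level check: which Service Mesh API operations a set of grants allows.

Added example; not from the OCI documentation. The permissions each verb adds on a
resource type and the permissions each API operation requires are transcribed from
the tables on this page (a subset of the operations). Assumption: MESH_ATTACH and
MESH_DETACH in the API table are the SERVICE_MESH_ATTACH / SERVICE_MESH_DETACH
permissions of the service-meshes table.
"""
VERBS = ["inspect", "read", "use", "manage"]  # cumulative, least to most access

# Permissions each verb ADDS on each resource type (from the per-resource tables).
PERMISSIONS_BY_VERB = {
    "meshes": {  # the page's policy examples write this type as "meshes"
        "inspect": {"SERVICE_MESH_LIST"},
        "read": {"SERVICE_MESH_READ"},
        "use": {"SERVICE_MESH_UPDATE", "MESH_ATTACH", "MESH_DETACH"},
        "manage": {"SERVICE_MESH_CREATE", "SERVICE_MESH_DELETE", "SERVICE_MESH_MOVE"},
    },
    "mesh-virtual-services": {
        "inspect": {"MESH_VIRTUAL_SERVICE_LIST"},
        "read": {"MESH_VIRTUAL_SERVICE_READ"},
        "use": {"MESH_VIRTUAL_SERVICE_UPDATE", "MESH_VIRTUAL_SERVICE_ATTACH",
                "MESH_VIRTUAL_SERVICE_DETACH"},
        "manage": {"MESH_VIRTUAL_SERVICE_CREATE", "MESH_VIRTUAL_SERVICE_DELETE",
                   "MESH_VIRTUAL_SERVICE_MOVE"},
    },
    "mesh-virtual-service-route-tables": {
        "inspect": {"MESH_VIRTUAL_SERVICE_ROUTE_TABLE_LIST"},
        "read": {"MESH_VIRTUAL_SERVICE_ROUTE_TABLE_READ"},
        "use": set(),  # "no extra" on the page
        "manage": {"MESH_VIRTUAL_SERVICE_ROUTE_TABLE_CREATE",
                   "MESH_VIRTUAL_SERVICE_ROUTE_TABLE_DELETE",
                   "MESH_VIRTUAL_SERVICE_ROUTE_TABLE_UPDATE",
                   "MESH_VIRTUAL_SERVICE_ROUTE_TABLE_MOVE"},
    },
}

# Permissions each API operation requires ("Permissions Required for Each API Operation").
REQUIRED = {
    "CreateMesh": {"SERVICE_MESH_CREATE"},
    "UpdateMesh": {"SERVICE_MESH_UPDATE"},
    "CreateVirtualService": {"MESH_VIRTUAL_SERVICE_CREATE", "MESH_ATTACH"},
    "UpdateVirtualService": {"MESH_VIRTUAL_SERVICE_UPDATE"},
    "DeleteVirtualService": {"MESH_VIRTUAL_SERVICE_DELETE", "MESH_DETACH"},
    "CreateVirtualServiceRouteTable": {"MESH_VIRTUAL_SERVICE_ROUTE_TABLE_CREATE",
                                       "MESH_VIRTUAL_SERVICE_ATTACH"},
    "UpdateVirtualServiceRouteTable": {"MESH_VIRTUAL_SERVICE_ROUTE_TABLE_UPDATE"},
}


def permissions_for(verb, resource):
    """Cumulative grant: the verb's own permissions plus those of every lower verb."""
    table = PERMISSIONS_BY_VERB[resource]
    return set().union(*(table[v] for v in VERBS[: VERBS.index(verb) + 1]))


def granted_permissions(grants, compartment):
    """Union of the permissions the grants confer in one compartment."""
    return set().union(*(permissions_for(v, r) for v, r, c in grants if c == compartment))


def missing_permissions(grants, operation, compartment):
    """Permissions the operation needs that the grants do not provide (empty = allowed)."""
    return REQUIRED[operation] - granted_permissions(grants, compartment)


def can_call(grants, operation, compartment):
    return not missing_permissions(grants, operation, compartment)


# The page's VirtualServiceManagers example, as (verb, resource-type, compartment).
VIRTUAL_SERVICE_MANAGERS = [
    ("use", "meshes", "sales-app"),
    ("manage", "mesh-virtual-services", "sales-app"),
    ("manage", "mesh-virtual-service-route-tables", "sales-app"),
]
# The same group without the "use meshes" statement.
WITHOUT_USE_MESHES = VIRTUAL_SERVICE_MANAGERS[1:]

if __name__ == "__main__":
    for op in ("CreateVirtualService", "CreateVirtualServiceRouteTable", "CreateMesh"):
        print(op, can_call(VIRTUAL_SERVICE_MANAGERS, op, "sales-app"))
    # Dropping "use meshes" leaves MESH_ATTACH ungranted, so CreateVirtualService is
    # refused even though manage mesh-virtual-services is still present.
    print(missing_permissions(WITHOUT_USE_MESHES, "CreateVirtualService", "sales-app"))
```

Two things the run makes visible: manage mesh-virtual-services already includes MESH_VIRTUAL_SERVICE_ATTACH (use is below manage), so no extra statement is needed for CreateVirtualServiceRouteTable, whereas use meshes is the only source of MESH_ATTACH, so removing that statement breaks CreateVirtualService while leaving UpdateVirtualService intact. The same use grant also confers SERVICE_MESH_UPDATE, so a group given use meshes only to attach children can also call UpdateMesh; that is the trade-off to weigh when writing the parent grant.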