Policies for MySQL HeatWave DB System
Shows how to allow Disaster Recovery (DR) to manage MySQL DB System that is part of the application stack.
Policies for MySQL DB System
Policies to configure using resource principal:
Allow dynamic-group <dynamic_group_name> to manage mysql-family in compartment <compartment_name>
Policies to configure using user authentication:
Allow group <group_name> to manage mysql-family in compartment <compartment_name>
Configure IAM policies to grant read access to the Vault secret used in MySQL DB System disaster recovery (DR) operations, so that authorized resource principals can retrieve the secret when needed.
Create a Dynamic Group
Before creating the policy, ensure that you have defined a dynamic group for the resources that require access to the Vault secret. For example, to include all container instances within a specific compartment, use the following matching rule:
ALL {resource.type='computecontainerinstance', resource.compartment.id = 'ocid1.compartment.oc1..<compartment_ocid>'}
Replace <compartment_ocid> with the actual OCID of your compartment.
Policies for Object Storage
Define the Policy
Create a policy that grants the dynamic group permission to read secrets from the Vault and to upload logs to the Object Storage bucket during execution. Use the manage verb with the object-family resource type and the read verb with the secret-family resource type. The policy syntax is:
Allow dynamic-group <dynamic-group-name> to manage object-family in compartment <compartment-name>
Allow dynamic-group <dynamic-group-name> to read secret-family in compartment <compartment-name>
In the above example:
<dynamic-group-name>: The name of your dynamic group.
<compartment-name>: The name of the compartment where the secret resides.
Example Policy
If your dynamic group is named InstanceSecretReaders and your secrets are stored in the compartment MySecretsCompartment, then the policy statement would be:
Allow dynamic-group InstanceSecretReaders to read secret-family in compartment MySecretsCompartment
This policy allows any resource that is a member of the InstanceSecretReaders dynamic group to read the secrets stored in the MySecretsCompartment compartment through OCI Vault.
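The following Python script is an added example, not part of the Oracle documentation and not an Oracle library: it renders the dynamic-group matching rule and the three dynamic-group statements described on this page, then checks a set of statements against the page's guidance before they are pasted into the Console or CLI. The statement grammar it parses is only the shape shown on this page (subject, verb, resource family, compartment name), the verb ordering inspect < read < use < manage is the standard OCI verb hierarchy, and the compartment OCID pattern is restricted to the oc1 realm used in the page's example. The sample statements in the docstring and test are constructed.

```python
"""Render and sanity-check the OCI IAM policy statements described on this page.

Constructed example: the parser handles only the statement shape used here
("Allow <group|dynamic-group> <name> to <verb> <resource-family> in compartment <name>").
It does not call OCI and does not replace Oracle's own policy validation.
"""
import re

# Standard OCI verb hierarchy, least to most permissive.
VERBS = ("inspect", "read", "use", "manage")
VERB_RANK = {v: i for i, v in enumerate(VERBS)}

# Least-privilege ceiling per resource family, taken from the statements on this page:
# DR needs manage on the DB system and bucket, but only read on the Vault secret.
MAX_VERB = {
    "mysql-family": "manage",
    "object-family": "manage",
    "secret-family": "read",
}

STATEMENT_RE = re.compile(
    r"^Allow (?P<subject_type>group|dynamic-group) (?P<subject>\S+) to "
    r"(?P<verb>inspect|read|use|manage) (?P<resource>\S+) in compartment (?P<compartment>\S+)$"
)

# Compartment OCID shape for the oc1 realm (assumption: other realms are not covered).
COMPARTMENT_OCID_RE = re.compile(r"^ocid1\.compartment\.oc1\.\.[a-z0-9]+$")


def render_matching_rule(compartment_ocid: str) -> str:
    """Dynamic-group rule from the page with the compartment OCID filled in."""
    if not COMPARTMENT_OCID_RE.match(compartment_ocid):
        raise ValueError(f"not a compartment OCID: {compartment_ocid}")
    return ("ALL {resource.type='computecontainerinstance', "
            f"resource.compartment.id = '{compartment_ocid}'}}")


def render_policy(dynamic_group: str, compartment: str) -> list[str]:
    """The three dynamic-group statements this page asks for, in one list."""
    return [
        f"Allow dynamic-group {dynamic_group} to manage mysql-family in compartment {compartment}",
        f"Allow dynamic-group {dynamic_group} to manage object-family in compartment {compartment}",
        f"Allow dynamic-group {dynamic_group} to read secret-family in compartment {compartment}",
    ]


def parse_statement(statement: str) -> dict:
    """Split one statement into its parts; a typo such as 'comparment' fails here."""
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"malformed policy statement: {statement!r}")
    return m.groupdict()


def check_policy(statements: list[str]) -> list[str]:
    """Return findings for a list of statements; an empty list means they follow the page."""
    findings = []
    for s in statements:
        try:
            p = parse_statement(s)
        except ValueError as e:
            findings.append(str(e))
            continue
        # Angle brackets mean a documentation placeholder was never replaced.
        if "<" in p["subject"] or "<" in p["compartment"]:
            findings.append(f"placeholder left unfilled: {s!r}")
        ceiling = MAX_VERB.get(p["resource"])
        if ceiling is None:
            findings.append(f"resource family not needed for DR: {p['resource']}")
        elif VERB_RANK[p["verb"]] > VERB_RANK[ceiling]:
            findings.append(f"{p['resource']} granted {p['verb']}, page requires at most {ceiling}")
    return findings


if __name__ == "__main__":
    # Constructed OCID and names, matching the page's example policy.
    print(render_matching_rule("ocid1.compartment.oc1..aaaaexample"))
    statements = render_policy("InstanceSecretReaders", "MySecretsCompartment")
    print("\n".join(statements))
    print("findings:", check_policy(statements))
```

Run the check over statements copied from an existing policy before applying them; a finding such as "secret-family granted manage" flags a policy that is wider than the read-only access this page calls for.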