OCI IAM

Posted on by

OCI Identity and Access Management

  1. IAM – enables to control what type of access a group of users have and to which specific
    resources
  2. Each OCI resource has unique OCID
  3. IAM uses traditional identity concepts – Principals, Users, Group, AuthN, AuthZ; New
    capability – Compartments
  4. Principals – IAM entity interact with OCI resources; IAM users and Instance Principals; User
    has no permissions until placed in groups; Group having at least one policy with permission
    to tenancy or compartment
  5. Group – collection of users; same user can be a member of multiple groups; Instance
    Principals – let instances to make API calls against other OCI services
  6. Authentication – Username and Password; API siging key; Auth Tokens (Don’t expire)
  7. Authorization – define specific privileges in policies and associating them with principals;
    policies cannot be attached to user; policies written in human readable format; Default deny
    all;

IAM Policies

  1. Policy Syntax: Allow to in where
  2. Verb: inspect(list), read(list+metadata), use(read+existing resource), manage(all permission)
  3. Resource Type: Aggregate Resource Type (all-resources, instance-family etc), Individual
    Resource Type(instances, databases etc)
  4. Verbs & Permissions – INSPECT & VOLUME INSPECT; USE & VOLUME_WRITE; MANAGE &
    VOLUME_CREATE -> API Operations
  5. Common Policies: Network Admins, InstanceLaunchers
  6. Advanced Policy Syntax: 2 types of variables added to conditions; request and target; Ex:
    request.operation, targets.group.name

IAM Compartments

  1. Organize and control access to resources
  2. Compartment Quotas similar to Service Limits but set by Admins using policies; 3 types of
    quota policies (set, unset, zero);
  3. Ex: zero compute quotas /bm/ in tenancy (zeroed out BM instance)
  4. Main Menu -> Governance -> Compartment Explorer -> List all resources in compartment

Policy Inheritance and Attachment

  1. Compartment inherit policies from parent compartments; policy created must be attached
    to a compartment/tenancy (B:C, A:B:C);
  2. Compartment move with all its contents; cannot have a same name; two compartment with
    same parent cannot have same name;
  3. Policy implications – compartment hierarchy down to the compartment being moved, to a
    shared ancestor of current and target parent; policy attached directly to a compartment
    moved is not automatically updated and is invalid;

IAM-Tags

  1. Tagging – Free Form Tags (Basic implementation, key/value) Ex: Env:Production,
    Project:Alpha; Defined Tags – more features and control;
    contained in tag Namespaces; Defined Schema, secured with policy; Ex: Namespace =
    Operations, Human Resources etc
  2. Tag Namespace – container for a set of tag keys with tag definitions; key/value pair;
    Namespace.Key = Value; Tag Namespace cannot be deleted but retired; reactivate to use
    again; must be setup in tenancy to start using; variable can be used for volume
  3. Ex: ${iam.principal.name} at ${oci.datetime}; Defined tags work with policies; Ex; use tagnamespaces

Leave a Reply

Your email address will not be published. Required fields are marked *