MySQL HeatWave User Guide

4.3.5.2 Access Object Storage with Resource Principals

Resource principals allow you to authenticate and access Oracle Cloud Infrastructure (OCI) Object Storage resources.

You require the appropriate privileges for Resource Principals to do the following:

Before You Begin
Resource Principal Privileges

To use resource principals to access Object Storage resources in OCI, you need to properly set up dynamic groups and policies.

Dynamic groups allow you to group DB Systems as principal actors, similar to user groups. You can then create policies to permit DB Systems in these groups to make API calls against services, such as Object Storage. Membership in the group is determined by a set of criteria called matching rules.

Policies define what your groups can and cannot do. For MySQL HeatWave Lakehouse to access Object Storage, you must define a policy which grants the dynamic group's resources access to buckets and their contents in a specific compartment.

To set up resource principals when you have multiple identity domains, add the identity domain associated with the dynamic group as a prefix. To set up resource principals when the DB System is located in a child compartment, provide the OCI ID of the child compartment associated with the DB System.

The following steps show how to set up a dynamic group for all DB Systems in a defined compartment.

  1. Create a new dynamic group, or update an existing dynamic group's matching rules, and add the following matching rule to include all MySQL HeatWave DB Systems in the defined compartment:

    ALL{resource.type = 'mysqldbsystem', resource.compartment.id = 'ocid1.compartment.oc1..AlphanumericString'}
    
  2. Create the policies as needed for the dynamic group.

    To create a policy to allow access to load structured data using Lakehouse Auto Parallel Load or manually to Lakehouse with resource principals, add the following policies for the dynamic group:

    allow dynamic-group IdentityDomainName/GroupName to read buckets in compartment CompartmentName
    allow dynamic-group IdentityDomainName/GroupName to read objects in compartment CompartmentName
    

    To create a policy to allow access to export query results to object storage, add the following policies for the dynamic group:

    allow dynamic-group IdentityDomainName/GroupName to read buckets in compartment CompartmentName
    allow dynamic-group IdentityDomainName/GroupName to manage objects in compartment CompartmentName 
    where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT', request.permission='OBJECT_DELETE'}
    

    Replace the following:

    • IdentityDomainName: the identity domain name.

      Note

      If the dynamic group belongs to the default identity domain, you can omit specifying the identity domain name.

    • GroupName: the dynamic group name.

    • CompartmentName: the name of the compartment that contains the DB System.
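The following Python is an added example, not part of the guide or of MySQL HeatWave: it builds the two policy sets from step 2 for a given dynamic group and compartment (omitting the identity-domain prefix for the default domain, as the Note allows) and lints a set of statements for grants broader than those above, such as tenancy-wide scope or an unrestricted "manage". The function names and the sample statements are this example's own.

```python
import re

# Permissions the guide's export policy restricts "manage objects" to.
EXPORT_PERMISSIONS = {"OBJECT_CREATE", "OBJECT_INSPECT", "OBJECT_DELETE"}

# Shape of a single OCI policy statement as written in the guide (hypothetical parser).
STATEMENT = re.compile(
    r"^allow dynamic-group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[a-z-]+) in (?P<scope>tenancy|compartment \S+)"
    r"(?: where (?P<cond>.+))?$", re.IGNORECASE)

def dynamic_group_ref(group, identity_domain=None):
    """Prefix the group with its identity domain; omitted for the default domain."""
    return f"{identity_domain}/{group}" if identity_domain else group

def policy_statements(group, compartment, identity_domain=None, export=False):
    """Return the guide's statements for Lakehouse load, or for exporting query results."""
    dg = dynamic_group_ref(group, identity_domain)
    stmts = [f"allow dynamic-group {dg} to read buckets in compartment {compartment}"]
    if export:
        perms = ", ".join(f"request.permission='{p}'" for p in sorted(EXPORT_PERMISSIONS))
        stmts.append(f"allow dynamic-group {dg} to manage objects in compartment {compartment} "
                     f"where any {{{perms}}}")
    else:
        stmts.append(f"allow dynamic-group {dg} to read objects in compartment {compartment}")
    return stmts

def lint(statements):
    """Flag statements broader than the guide's least-privilege sets; returns a list of findings."""
    findings = []
    for s in statements:
        m = STATEMENT.match(" ".join(s.split()))  # collapse line wraps and extra spaces
        if not m:
            findings.append(f"unparseable statement: {s!r}")
            continue
        verb, scope, cond = m["verb"].lower(), m["scope"].lower(), m["cond"]
        if scope == "tenancy":
            findings.append(f"tenancy-wide scope; the guide scopes access to one compartment: {s!r}")
        if verb == "manage" and not cond:
            findings.append(f"unconditional manage; add a 'where any {{...}}' permission clause: {s!r}")
        if verb == "manage" and m["resource"].lower() != "objects":
            findings.append(f"manage on {m['resource']}; only objects need manage for export: {s!r}")
        if cond:
            perms = set(re.findall(r"request\.permission\s*=\s*'([A-Z_]+)'", cond))
            extra = perms - EXPORT_PERMISSIONS
            if extra:
                findings.append(f"permissions beyond the export set {sorted(extra)}: {s!r}")
    return findings

if __name__ == "__main__":
    for stmt in policy_statements("GroupName", "CompartmentName", "IdentityDomainName", export=True):
        print(stmt)
    print(lint(["allow dynamic-group GroupName to manage objects in tenancy"]))
```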

To learn more, see the following:

Once you gain the appropriate privileges for resource principals, see the following information on loading data or see Export Query Results to Object Storage.

What's Next