Create Policies to Control Access to Network and Function-Related Resources

Before users can start using Oracle Functions to create and deploy functions, as a tenancy administrator you have to create a number of Oracle Cloud Infrastructure policies to grant access to function-related and network resources. The policies you have to create are summarized in the table below.

See Details for Functions for more information about policies.

Tip

As an alternative to creating separate policies to grant access to network and function-related resources, you can create a single policy containing all the necessary policy statements. A quick way to create such a policy is to use the Policy Builder and select the policy template Let users create, deploy, and manage functions and applications using Cloud Shell. This policy template contains all the policy statements required to use Oracle Functions. See Writing Policy Statements with the Policy Builder.

Summary of Policies to Create for Oracle Functions

Policy to give: Users access to repositories in Oracle Cloud Infrastructure Registry
Where to create the policy: Root compartment
Statements:
    Allow group <group-name> to manage repos in tenancy
    Allow group <group-name> to read objectstorage-namespaces in tenancy
More information and examples: Create a Policy to Give Oracle Functions Users Access to Oracle Cloud Infrastructure Registry Repositories

Policy to give: Users access to function-related resources
Where to create the policy: Compartment that owns function-related resources
Statements:
    Allow group <group-name> to manage functions-family in compartment <compartment-name>
    Allow group <group-name> to read metrics in compartment <compartment-name>
More information and examples: Create a Policy to Give Oracle Functions Users Access to Function-Related Resources

Policy to give: Users access to logging resources
Where to create the policy: Root compartment
Statements:
    Allow group <group-name> to manage logging-family in compartment <compartment-name>
More information and examples: Create a Policy to Give Oracle Functions Users Access to Logging Resources

Policy to give: Users access to network resources
Where to create the policy: Compartment that owns network resources
Statements:
    Allow group <group-name> to use virtual-network-family in compartment <compartment-name>
More information and examples: Create a Policy to Give Oracle Functions Users Access to Network Resources

Policy to give: Users and the Oracle Functions service access to tracing resources
Where to create the policy: Compartment that owns tracing resources, or the root compartment
Statements:
    Allow group <group-name> to use apm-domains in tenancy|compartment <compartment-name>
    Allow service faas to use apm-domains in tenancy|compartment <compartment-name>
More information and examples: Create a Policy to Give Oracle Functions Users and the Oracle Functions Service Access to Tracing Resources

Create a Policy to Give Oracle Functions Users Access to Oracle Cloud Infrastructure Registry Repositories

When Oracle Functions users work with functions, they have to access repositories in Oracle Cloud Infrastructure Registry. Users can only access repositories that the groups to which they belong have been granted access to. To enable users to access a repository, you must create an identity policy to grant the groups access to that repository.

To create a policy to give Oracle Functions users access to repositories in Oracle Cloud Infrastructure Registry:

  1. Log in to the Console as a tenancy administrator and create a new policy in the root compartment:

    1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
    2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-ocir-access).
  2. Specify a policy statement to enable the group to obtain the auto-generated Object Storage namespace string of the tenancy (required to log in to Oracle Cloud Infrastructure Registry):

    Allow group <group-name> to read objectstorage-namespaces in tenancy

    where <group-name> is the name of the group to which users using Oracle Functions belong.

    For example:

    Allow group acme-functions-developers to read objectstorage-namespaces in tenancy

    The above policy statement also provides access to function logs stored in a storage bucket in Oracle Cloud Infrastructure Object Storage (see Storing and Viewing Function Logs).

  3. Specify a policy statement to give the group access to repositories in Oracle Cloud Infrastructure Registry:

    Allow group <group-name> to manage repos in tenancy

    where <group-name> is the name of the group to which users using Oracle Functions belong.

    For example:

    Allow group acme-functions-developers to manage repos in tenancy

    The above policy statement gives the group permission to manage all repositories in the tenancy. If you consider this to be too permissive, you can restrict the repositories to which the group has access by including a where clause in the manage repos statement. Note that if you do include a where clause, you must also include a second statement in the policy to enable the group to inspect all repositories in the tenancy (the Console needs this to list repositories).

    For example, the following policy statements restrict the group to accessing only repositories with names that start 'acme-web-app', but also enables the group to inspect all repositories in the tenancy:

    Allow group acme-functions-developers to inspect repos in tenancy
    Allow group acme-functions-developers to manage repos in tenancy where all {target.repo.name=/acme-web-app*/ }
  4. Click Create.

Create a Policy to Give Oracle Functions Users Access to Function-Related Resources

When Oracle Functions users create functions and applications, they have to specify a compartment for those function-related resources (including for metrics emitted by Oracle Functions). Users can only specify a compartment that the groups to which they belong have been granted access to. To enable users to specify a compartment, you must create an identity policy to grant the groups access to that compartment.

To create a policy to give Oracle Functions users access to function-related resources in the compartment that will own those resources:

  1. Log in to the Console as a tenancy administrator and create a new policy in the compartment that will own Oracle Functions resources:
    1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
    2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-manage-access).
  2. Specify a policy statement to give the group access to all function-related resources in the compartment:

    Allow group <group-name> to manage functions-family in compartment <compartment-name>

    For example:

    Allow group acme-functions-developers to manage functions-family in compartment acme-functions-compartment
  3. Specify a second policy statement to give the group access to metrics emitted by Oracle Functions:

    Allow group <group-name> to read metrics in compartment <compartment-name>

    For example:

    Allow group acme-functions-developers to read metrics in compartment acme-functions-compartment
  4. Click Create.

Create a Policy to Give Oracle Functions Users Access to Logging Resources

When Oracle Functions users define an application, they can enable logging to store and view function logs in the Oracle Cloud Infrastructure Logging service. Users can only view logs that the groups to which they belong have been granted access to. To enable users to store and view function logs in the Oracle Cloud Infrastructure Logging service, you must create an identity policy to grant the groups access to logging resources.

To create a policy to enable Oracle Functions users to store and view function logs in the Oracle Cloud Infrastructure Logging service:

  1. Log in to the Console as a tenancy administrator and create a new policy in the tenancy:
    1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
    2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-logging-access).
  2. Specify a policy statement to give the group full access to logging resources in the compartment that will own logging resources:

    Allow group <group-name> to manage logging-family in compartment <compartment-name>

    For example:

    Allow group acme-functions-developers to manage logging-family in compartment acme-functions-compartment
  3. Click Create.

Create a Policy to Give Oracle Functions Users Access to Network Resources

When Oracle Functions users create a function or application, they have to specify a VCN and a subnet in which to create them. Users can only specify VCNs and subnets in compartments that the groups to which they belong have been granted access to. To enable users to specify a VCN and subnet, you must create an identity policy to grant the groups access to the compartment.

To create a policy to give Oracle Functions users access to network resources:

  1. Log in to the Console as a tenancy administrator and create a new policy in the compartment that will own network resources:
    1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
    2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-manage-network-access).
  2. Specify a policy statement to give the group access to the network resources in the compartment:

    Allow group <group-name> to use virtual-network-family in compartment <compartment-name>

    For example:

    Allow group acme-functions-developers to use virtual-network-family in compartment acme-network
  3. Click Create.

Create a Policy to Give Oracle Functions Users and the Oracle Functions Service Access to Tracing Resources

When Oracle Functions users want to investigate why a function doesn't run or perform as expected, they can use tracing to debug execution and performance issues. To use tracing, users have to enable tracing for the application containing the function, and then enable tracing for one or more functions. Users can then view function traces in the Application Performance Monitoring (APM) Trace Explorer. For more information, see Distributed Tracing for Functions.

Users can only enable tracing if the group to which they belong can access existing APM domains (or create new APM domains), and if Oracle Functions can access APM domains. To enable users to turn on tracing and view traces, you must create an identity policy to grant the group and Oracle Functions access to APM domains.

To create a policy to give users and Oracle Functions access to APM domains:

  1. Log in to the Console as a tenancy administrator and create a new policy in the compartment that will own the APM domains:
    1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
    2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-tracing-access).
  2. Specify a policy statement to give the group access to APM domains in the compartment or in the entire tenancy:

    Allow group <group-name> to use apm-domains in compartment <compartment-name>
    Allow group <group-name> to use apm-domains in tenancy

    For example:

    Allow group acme-functions-developers to use apm-domains in compartment functions-tracing-compartment

    If you want to enable the group to create new APM domains (and delete APM domains), specify manage apm-domains instead of use apm-domains.

  3. Specify a policy statement to give Oracle Functions access to APM domains in the compartment or in the entire tenancy:

    Allow service faas to use apm-domains in compartment <compartment-name>
    Allow service faas to use apm-domains in tenancy

    For example:

    Allow service faas to use apm-domains in compartment functions-tracing-compartment
  4. Click Create.
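The policy statements on this page carry a few cross-statement requirements that are easy to get wrong when the statements are spread over several policies: a restricted manage repos statement needs a companion inspect repos in tenancy statement (see the repository policy above), registry login needs read objectstorage-namespaces in tenancy, and granting a group use of apm-domains is useless unless the faas service is granted the same (see the tracing policy above). The following linter is an added example, not code from this page or from Oracle; it parses the subset of the OCI policy grammar these statements use and checks an assembled statement set against those requirements. The statement list at the bottom is reassembled from this page's own examples, and the group and compartment names in the tests are illustrative.

```python
"""Lint a set of OCI IAM policy statements prepared for Oracle Functions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Grammar subset used on this page:
#   Allow <group|service> <name> to <verb> <resource-type> in <tenancy | compartment NAME> [where <condition>]
STATEMENT_RE = re.compile(
    r"^Allow\s+(?P<kind>group|service)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?:tenancy|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?$",
    re.IGNORECASE,
)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # each verb includes the ones below it


@dataclass(frozen=True)
class Statement:
    kind: str                    # "group" or "service"
    subject: str
    verb: str
    resource: str
    compartment: Optional[str]   # None means the statement is scoped to the whole tenancy
    condition: Optional[str]     # text after "where", if any


def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return Statement(m["kind"].lower(), m["subject"], m["verb"].lower(),
                     m["resource"].lower(), m["compartment"], m["condition"])


def grants(st: Statement, verb: str, resource: str) -> bool:
    """True if `st` unconditionally gives at least `verb` on `resource` (manage implies use, read, inspect)."""
    return (st.resource == resource and VERB_RANK[st.verb] >= VERB_RANK[verb]
            and st.condition is None)


def lint_functions_policies(statements: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the set passes every check."""
    parsed = [parse_statement(s) for s in statements]
    findings: List[str] = []

    for st in (s for s in parsed if s.kind == "group" and s.resource == "repos" and s.verb == "manage"):
        # Unrestricted manage on every repository in the tenancy: flag it for review.
        if st.compartment is None and st.condition is None:
            findings.append(f"{st.subject}: 'manage repos in tenancy' has no where clause and "
                            "grants every repository in the tenancy")
        # A where clause narrows the grant, so the Console also needs inspect on all repositories.
        if st.condition is not None and not any(
                o.kind == "group" and o.subject == st.subject and o.compartment is None
                and grants(o, "inspect", "repos") for o in parsed):
            findings.append(f"{st.subject}: restricted 'manage repos' needs a companion "
                            "'inspect repos in tenancy' statement for the Console")
        # Logging in to the registry needs the tenancy's Object Storage namespace.
        if not any(o.kind == "group" and o.subject == st.subject and o.compartment is None
                   and grants(o, "read", "objectstorage-namespaces") for o in parsed):
            findings.append(f"{st.subject}: missing 'read objectstorage-namespaces in tenancy', "
                            "needed to log in to the registry")

    # Tracing only works if the Functions service itself can use the APM domains.
    if any(s.kind == "group" and s.resource == "apm-domains" for s in parsed) and not any(
            s.kind == "service" and s.subject.lower() == "faas" and grants(s, "use", "apm-domains")
            for s in parsed):
        findings.append("apm-domains granted to a group but no 'Allow service faas to use apm-domains ...' statement")
    return findings


# Statement set reassembled from this page's examples (constructed input for the linter).
PAGE_EXAMPLE = [
    "Allow group acme-functions-developers to read objectstorage-namespaces in tenancy",
    "Allow group acme-functions-developers to inspect repos in tenancy",
    "Allow group acme-functions-developers to manage repos in tenancy where all {target.repo.name=/acme-web-app*/ }",
    "Allow group acme-functions-developers to manage functions-family in compartment acme-functions-compartment",
    "Allow group acme-functions-developers to read metrics in compartment acme-functions-compartment",
    "Allow group acme-functions-developers to manage logging-family in compartment acme-functions-compartment",
    "Allow group acme-functions-developers to use virtual-network-family in compartment acme-network",
    "Allow group acme-functions-developers to use apm-domains in compartment functions-tracing-compartment",
    "Allow service faas to use apm-domains in compartment functions-tracing-compartment",
]

if __name__ == "__main__":
    for line in lint_functions_policies(PAGE_EXAMPLE) or ["no findings"]:
        print(line)
```

Run it against the statements you are about to paste into the Console or pass to the CLI; the parser only understands the subset of the policy language shown on this page, so a statement using other syntax (for example a dynamic-group subject) raises a ValueError rather than being silently skipped.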