Oracle Cloud Infrastructure Documentation

Prerequisites

This topic explains the prerequisites required to begin provisioning Exadata Services.

Many of the tasks you perform during Exadata Services provisioning require specific permissions. The following table provides details of the permissions you need for each task.

Note

The following notes are regarding to OCI IAM:
  • If the user is an OCI tenancy administrator, then no additional permissions are required for the steps outlined in the table below.
  • If the user is not an OCI tenancy administrator, then user needs to be part of a group that has the required permissions described in the table below.
    • During the onboarding process. some groups are automatically created with required polices, and you can add an user to those groups so that the user can perform the tasks.
    • If you want to allow a different group to perform the tasks, then follow these steps below.
      • Create a new group in the default domain, or use an existing group. For more information, see Create a new group.
      • Create a policy in the root compartment of the OCI tenancy with the required policy statements and add it to the group. For more information, see Create a policy.
      • Add users to the group. For more information, see Add the user.
Note

The following notes are regarding to AWS IAM:
  • If the user is an AWS tenancy administrator, then no additional permissions are required for the steps outlined in the table below.
  • If the user is not an AWS tenancy administrator, then user needs to have additional permissions.
  • The policies listed in the table below provide examples of the AWS IAM actions needed to perform the steps.
  • To create JSON policies and add them to a user, see Creating policies using the JSON editor and To add permissions by attaching policies directly to the IAM user.
  • If the user is an AWS tenancy administrators, then a policy must be created. to grant permissions which are required for onboarding Oracle Database@AWS.
    • You must replace [policy_name] with the name of the policy, and [actionX] with the permissions you are granting. 
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "[policy_name]",
            "Effect": "Allow",
            "Action": [
                "[action1]",
                "[action2]",
                ...
            ],
            "Resource": "*"
        }
    ]
}
Note

Both AWS Service Control Policies (SCPs) and permissions boundaries set at the organizational level can override user permission as described in this topic. This can cause onboarding and provisioning operations for Oracle Database@AWS to fail, even if users have the required permissions. For more information, see Service control policies (SCPs) , Permissions boundaries for IAM entities, and Evaluating identity-based policies with resource-based policies.

Table 1-1 Exadata Services Permissions by Task

Task Cloud Persona Permissions
Create an ODB Network for Oracle Database@AWS AWS Networking administrator AWS IAM: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OdbNetworkOperations",
            "Effect": "Allow",
            "Action": [
                "odb:GetOciOnboardingStatus",
                "odb:CreateOdbNetwork",
                "odb:GetOdbNetwork",
                "odb:ListOdbNetworks",
                "odb:UpdateOdbNetwork",
                "odb:DeleteOdbNetwork",
                "odb:TagResource",
                "odb:UntagResource",
                "odb:ListTagsForResource",
                "ec2:CreateOdbNetworkPeering",
                "ec2:DeleteOdbNetworkPeering",
                "ec2:ModifyOdbNetworkPeering",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*"
        }
    ]
}
Create an Exadata Infrastructure for Oracle Database@AWS AWS Infrastructure administrator AWS IAM: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExaInfraOperations",
            "Action": [
                "odb:GetOciOnboardingStatus",
                "odb:CreateCloudExadataInfrastructure",
                "odb:ListDbSystemshapes",
                "odb:ListDbServers",
                "odb:GetCloudExadataInfrastructure",
                "odb:ListCloudExadataInfrastructures",
                "odb:DeleteCloudExadataInfrastructure",
                "odb:ListCloudVmClusters",
                "odb:TagResource",
                "odb:UntagResource",
                "odb:ListTagsForResource",
                "ec2:DescribeAvailabilityZones",
                "iam:CreateServiceLinkedRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Create an Exadata VM Cluster for Oracle Database@AWS AWS Infrastructure administrator and Database administrator AWS IAM: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExaVMClusterOperations",
            "Action": [
                "odb:GetOciOnboardingStatus",
                "odb:CreateCloudVmCluster",
                "odb:GetCloudVmCluster",
                "odb:ListCloudVmClusters",
                "odb:DeleteCloudVmCluster",
                "odb:ListCloudExadataInfrastructures",
                "odb:ListSystemVersions",
                "odb:ListGIVersions",
                "odb:ListDbServers",
                "odb:ListDbSystemshapes",
                "odb:ListDbNodes",
                "odb:ListOdbNetworks",
                "odb:TagResource",
                "odb:UntagResource",
                "odb:ListTagsForResource",
                "iam:CreateServiceLinkedRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Create an Autonomous VM Cluster for Oracle Database@AWS AWS Infrastructure administrator and Database administrator AWS: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AutonomousVMClusterOperations",
            "Action": [
                "odb:ListAutonomousVirtualMachines",
                "odb:CreateCloudAutonomousVmCluster",
                "odb:DeleteCloudAutonomousVmCluster",
                "odb:GetCloudAutonomousVmCluster",
                "odb:ListCloudAutonomousVmClusters",
                "odb:GetCloudExadataInfrastructureUnallocatedResources",
                "odb:GetOciOnboardingStatus",
                "odb:ListCloudExadataInfrastructures",
                "odb:ListDbServers"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Create Exadata Database and Migrate Data for Oracle Database@AWS OCI Database administrator OCI IAM: If the user is not an OCI tenancy administrator, then user needs to either be part of :
  • The following pre-created groups:
    • aws-exadb-vm-cluster-administrators
    • aws-exa-cdb-administrators
    • aws-exa-pdb-administrators
  • Any other group that has the following policy statements:
    • Allow group <group-name> to manage db-homes in tenancy
    • Allow group <group-name> to manage databases in tenancy
    • Allow group <group-name> to manage pluggable-databases in tenancy
Configure connectivity between the AWS VPC and the ODB Network for Oracle Database@AWS AWS  
To download private preview CLI bits, these following permissions are required. 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3Operations",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]}
To create route rule in App VPC's route table, the following EC2 IAM permissions are required.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRoute",
            "Action": [
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:DescribeVpcs",
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
To create outbound endpoint in Route 53, the following Route 53 Resolver IAM permissions are required. 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Route53Resolver",
            "Action": [
                "route53resolver:CreateResolverEndpoint",
                "route53resolver:CreateResolverRule",
                "route53resolver:AssociateResolverRule",
                "route53resolver:GetResolverEndpoint",
                "route53resolver:ListResolverEndpoints",
                "route53resolver:AssociateResolverEndpointIpAddress",
                "route53resolver:DisassociateResolverEndpointIpAddress"
                "route53resolver:TagResource",
                "route53resolver:UntagResource"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
EC2 IAM:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2Operations",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:CreateTags"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
To configure security rules in security group, EC2 IAM permissions are required.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2SecurityOperations",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupIngress",
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Verifications for Connectivity, Metrics and Billing for Oracle Database@AWS AWS  
For connectivity:
For observability:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudWatchOperations",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
For billing and invoices: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BillingAndInvoices",
            "Action": [
                "ce:GetCostAndUsage",
                "ce:GetCostForecast",
                "billing:GetBillingData",
                "billing:GetBillingDetails",
                "billing:GetBillingNotifications",
                "account:GetAccountInformation"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

For read-only policies about billing that includes payments and invoices, see AWSBillingReadOnlyAccess.

For more information on how to grant the required permissions, see the following: