Prerequisites

This topic explains the prerequisites for provisioning Oracle Database@AWS. Many of the tasks you perform during provisioning require specific permissions. The following table lists the permissions you need to complete each task.

Note

The following notes apply to OCI IAM:
  • If the user is an OCI tenancy administrator, then no additional permissions are required for the steps outlined in the table below.
  • If the user is not an OCI tenancy administrator, then the user must be a member of a group that has the required permissions described in the table below.
    • During the onboarding process, some groups are automatically created with the required policies; you can add a user to those groups so that the user can perform the tasks.
    • If you want to allow a different group to perform the tasks, then follow these steps:
      • Create a new group in the default domain, or use an existing group. For more information, see Create a new group.
      • Create a policy in the root compartment of the OCI tenancy with the required policy statements and attach it to the group. For more information, see Create a policy.
      • Add users to the group. For more information, see Add the user.
Note

The following notes apply to AWS IAM:
  • If the user is an AWS tenancy administrator, then no additional permissions are required for the steps outlined in the table below.
  • If the user is not an AWS tenancy administrator, then the user needs additional permissions.
  • The policies listed in the table below are examples of the AWS IAM actions needed to perform the steps.
  • To create JSON policies and attach them to a user, see Creating policies using the JSON editor and To add permissions by attaching policies directly to the IAM user.
  • For users who are not AWS tenancy administrators, a policy must be created that grants the permissions required for onboarding Oracle Database@AWS.
    • Replace [policy_name] with the name of the policy, and [actionX] with the permissions you are granting.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "[policy_name]",
                  "Effect": "Allow",
                  "Action": [
                      "[action1]",
                      "[action2]",
                      ...
                  ],
                  "Resource": "*"
              }
          ]
      }
Note

Both AWS Service Control Policies (SCPs) and permissions boundaries set at the organizational level can override the user permissions described in this topic. This can cause onboarding and provisioning operations for Oracle Database@AWS to fail even when users have the required permissions. For more information, see Service control policies (SCPs), Permissions boundaries for IAM entities, and Evaluating identity-based policies with resource-based policies.
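The note above is the one practitioners most often trip over: an identity policy that lists every action in the table can still be overridden by a permissions boundary or an SCP. The following script, an added example that is not Oracle's or AWS's code, performs a static pre-flight check. It applies the evaluation order the note describes (an explicit Deny anywhere wins; otherwise the identity policy, the permissions boundary if one is attached, and every SCP must all allow the action) to a list of required actions and reports each action that is not effectively allowed together with the layer that blocks it. The policies and the required-action list are constructed sample input; Conditions, NotAction and resource ARNs are not evaluated, so "Allow" here is necessary, not sufficient.

```python
"""Static pre-flight check of effective AWS IAM permissions.

Added example for this page; not Oracle's or AWS's code. Models the
evaluation order from the note: explicit Deny wins, otherwise an action
needs an Allow from an identity policy AND from the permissions boundary
(if attached) AND from every SCP. Conditions, NotAction and resources are
ignored. All policies below are constructed sample input.
"""
import fnmatch


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def evaluate_policy(policy: dict, action: str) -> str:
    """Return 'Deny', 'Allow' or 'NoMatch' for a single policy document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    decision = "NoMatch"
    for stmt in statements:
        if not any(action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny always wins within the document
        decision = "Allow"
    return decision


def effective_decision(action, identity_policies, boundary=None, scps=()):
    """Combine identity policies, a permissions boundary and SCPs."""
    layers = list(identity_policies) + ([boundary] if boundary else []) + list(scps)
    if any(evaluate_policy(p, action) == "Deny" for p in layers):
        return "Deny"
    if not any(evaluate_policy(p, action) == "Allow" for p in identity_policies):
        return "ImplicitDeny(identity)"
    if boundary is not None and evaluate_policy(boundary, action) != "Allow":
        return "ImplicitDeny(boundary)"
    if any(evaluate_policy(s, action) != "Allow" for s in scps):
        return "ImplicitDeny(scp)"
    return "Allow"


def missing_actions(required, identity_policies, boundary=None, scps=()):
    """Map each required action that is not effectively allowed to the reason."""
    problems = {}
    for action in required:
        decision = effective_decision(action, identity_policies, boundary, scps)
        if decision != "Allow":
            problems[action] = decision
    return problems


# --- constructed sample input (a subset of the ODB Network task actions) ---
REQUIRED_ODB_NETWORK = [
    "odb:CreateOdbNetwork", "odb:GetOdbNetwork", "ec2:DescribeVpcs",
    "ec2:CreateVpcEndpoint", "iam:CreateServiceLinkedRole",
]
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["odb:*", "ec2:Describe*", "ec2:CreateVpcEndpoint",
               "iam:CreateServiceLinkedRole"]}]}
# Boundary forgets iam:*, so the service-linked role cannot be created.
PERMISSIONS_BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["odb:*", "ec2:*"], "Resource": "*"}]}
# Organization SCP: allow everything, but explicitly deny VPC endpoint creation.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:CreateVpcEndpoint", "Resource": "*"}]}

if __name__ == "__main__":
    blocked = missing_actions(REQUIRED_ODB_NETWORK, [IDENTITY_POLICY],
                              PERMISSIONS_BOUNDARY, [SCP])
    for action, why in blocked.items():
        print(f"{action}: {why}")
```

Run it with the real policy documents exported from the account (for example the output of `aws iam get-policy-version` and `aws organizations describe-policy`) in place of the constructed ones; an entry tagged `ImplicitDeny(boundary)` or `Deny` from an SCP is exactly the failure mode the note warns about, and it is invisible if you only inspect the user's attached policies.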

Table 1-1 Oracle Database@AWS Resource Permissions by Task

Columns: Task | Cloud Persona | Permissions

Task:
  • Create an ODB Network
  • Modify an ODB Network
  • Delete an ODB Network
  • Create an ODB Peering Connection
  • Modify an ODB Peering Connection
  • Delete an ODB Peering Connection
Cloud Persona: AWS Networking administrator
Permissions (AWS IAM):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OdbNetworkOperations",
            "Effect": "Allow",
            "Action": [
                "odb:GetOciOnboardingStatus",
                "odb:CreateOdbNetwork",
                "odb:GetOdbNetwork",
                "odb:ListOdbNetworks",
                "odb:UpdateOdbNetwork",
                "odb:DeleteOdbNetwork",
                "odb:TagResource",
                "odb:UntagResource",
                "odb:ListTagsForResource",
                "odb:GetResourcePolicy",
                "odb:PutResourcePolicy",
                "odb:DeleteResourcePolicy",
                "odb:CreateOdbPeeringConnection",
                "odb:DeleteOdbPeeringConnection",
                "odb:GetOdbPeeringConnection",
                "odb:ListOdbPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeAvailabilityZones",
                "ec2:CreateOdbNetworkPeering",
                "ec2:DeleteOdbNetworkPeering",
                "ec2:ModifyOdbNetworkPeering",
                "ec2:DescribeVpcEndpointAssociations",
                "ec2:CreateVpcEndpoint",
                "ec2:DeleteVpcEndpoints",
                "ec2:DescribeVpcEndpoints",
                "ec2:CreateTags",
                "vpc-lattice:CreateServiceNetwork",
                "vpc-lattice:CreateServiceNetworkResourceAssociation",
                "vpc-lattice:GetServiceNetwork",
                "vpc-lattice:DeleteServiceNetwork",
                "vpc-lattice:DeleteServiceNetworkResourceAssociation",
                "vpc-lattice:GetServiceNetworkResourceAssociation",
                "vpc-lattice:CreateResourceGateway",
                "vpc-lattice:DeleteResourceGateway",
                "vpc-lattice:GetResourceGateway",
                "vpc-lattice:CreateServiceNetworkVpcEndpointAssociation",
                "vpc-lattice:GetServiceNetworkResourceAssociation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSLRActions",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "odb.amazonaws.com",
                        "vpc-lattice.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Task:
  • Create an Exadata Infrastructure
  • Modify an Exadata Infrastructure
  • Delete an Exadata Infrastructure
Cloud Persona: AWS Infrastructure administrator
Permissions (AWS IAM):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExaInfraOperations",
            "Action": [
                "odb:GetOciOnboardingStatus",
                "odb:CreateCloudExadataInfrastructure",
                "odb:ListDbSystemshapes",
                "odb:ListDbServers",
                "odb:GetCloudExadataInfrastructure",
                "odb:ListCloudExadataInfrastructures",
                "odb:DeleteCloudExadataInfrastructure",
                "odb:ListCloudVmClusters",
                "odb:TagResource",
                "odb:UntagResource",
                "odb:ListTagsForResource",
                "ec2:DescribeAvailabilityZones",
                "iam:CreateServiceLinkedRole",
                "odb:UpdateCloudExadataInfrastructure",
                "odb:GetDbServer"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Task:
  • Create Resource Sharing
Cloud Persona: AWS Infrastructure administrator
Permissions (AWS IAM), owner and trusted account (to check the organization):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrganizationPermissions",
      "Effect": "Allow",
      "Action": "organizations:DescribeOrganization",
      "Resource": "*"
    }
  ]
}
Owner account permissions (to create the resource share):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RamPermissions",
      "Effect": "Allow",
      "Action": [
        "odb:ListCloudExadataInfrastructures",
        "odb:ListOdbNetworks",
        "odb:PutResourcePolicy",
        "odb:GetResourcePolicy",
        "odb:DeleteResourcePolicy",
        "ram:CreateResourceShare",
        "ram:AssociateResourceShare",
        "ram:DisassociateResourceShare",
        "ram:UpdateResourceShare",
        "ram:DeleteResourceShare",
        "ram:TagResource",
        "ram:UntagResource",
        "ram:GetResourceShares",
        "ram:GetResourceShareAssociations",
        "ram:GetResourceShareInvitations",
        "ram:GetResourcePolicies",
        "ram:EnableSharingWithAwsOrganization",
        "ram:ListResources",
        "ram:ListPrincipals",
        "ram:ListResourceTypes",
        "ram:ListPermissionAssociations",
        "ram:AssociateResourceSharePermission",
        "ram:GetPermission",
        "ram:ListPermissions",
        "ram:DisassociateResourceSharePermission",
        "ram:ListResourceSharePermissions",
        "ram:ListPermissionVersions",
        "ram:ListPendingInvitationResources",
        "ram:ListReplacePermissionAssociationsWork"
      ],
      "Resource": "*"
    }
  ]
}
Trusted account permissions (to view the shared resources in the Resource Access Manager (RAM) console and to activate the account from Oracle Database@AWS):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "RamPermissionsTrustedAccount",
      "Action": [
        "ram:GetResourceShares",
        "ram:GetResourcePolicies",
        "ram:ListResources",
        "ram:ListResourceSharePermissions",
        "ram:ListPrincipals",
        "ram:GetResourceShareInvitations",
        "odb:InitializeService",
        "iam:CreateServiceLinkedRole",
        "odb:GetOciOnboardingStatus"
      ],
      "Resource": "*"
    }
  ]
}
Notes:
  • For the AWS managed policy that grants full access to AWS RAM, see AWS managed policies for AWS RAM.
  • To manage an ODB Network, Exadata Infrastructure, Exadata VM Cluster, or Autonomous VM Cluster from the trusted account, you must grant the trusted account the complete list of permissions for each action listed on this page.

Task:
  • Create an Exadata VM Cluster
  • Modify an Exadata VM Cluster
  • Delete an Exadata VM Cluster
Cloud Persona: AWS Infrastructure administrator and Database administrator
Permissions (AWS IAM):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExaVMClusterOperations",
            "Action": [
                "odb:GetOciOnboardingStatus",
                "odb:CreateCloudVmCluster",
                "odb:GetCloudVmCluster",
                "odb:ListCloudVmClusters",
                "odb:DeleteCloudVmCluster",
                "odb:ListCloudExadataInfrastructures",
                "odb:ListSystemVersions",
                "odb:ListGiVersions",
                "odb:ListDbServers",
                "odb:ListDbSystemshapes",
                "odb:ListDbNodes",
                "odb:ListOdbNetworks",
                "odb:TagResource",
                "odb:UntagResource",
                "odb:ListTagsForResource",
                "iam:CreateServiceLinkedRole",
                "odb:GetDbNode",
                "odb:StartDbNode",
                "odb:StopDbNode",
                "odb:RebootDbNode",
                "odb:CreateDbNode",
                "odb:DeleteDbNode"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Task:
  • Create Exadata Database (CDB & PDB)
  • Modify Exadata Database (CDB & PDB)
  • Delete Exadata Database (CDB & PDB)
Cloud Persona: OCI Database administrator
Permissions (OCI IAM): if the user is not an OCI tenancy administrator, then the user must belong to:
  • The following pre-created groups:
    • aws-db-family-administrators
    • aws-exa-cdb-administrators
    • aws-exa-pdb-administrators
  • Any other group that has the following policy statements:
    • Allow group <group-name> to manage db-homes in compartment id <MulticloudLink_AWS_timestamp_ocid>
    • Allow group <group-name> to manage databases in compartment id <MulticloudLink_AWS_timestamp_ocid>
    • Allow group <group-name> to manage pluggable-databases in compartment id <MulticloudLink_AWS_timestamp_ocid>
    • Allow group <group-name> to manage db-family in compartment id <MulticloudLink_AWS_timestamp_ocid>

Task:
  • Create an Autonomous VM Cluster
  • Modify an Autonomous VM Cluster
  • Delete an Autonomous VM Cluster
Cloud Persona: AWS Infrastructure administrator and Database administrator
Permissions (AWS IAM):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AutonomousVMClusterOperations",
            "Action": [
                "odb:ListAutonomousVirtualMachines",
                "odb:CreateCloudAutonomousVmCluster",
                "odb:DeleteCloudAutonomousVmCluster",
                "odb:GetCloudAutonomousVmCluster",
                "odb:ListCloudAutonomousVmClusters",
                "odb:GetCloudExadataInfrastructureUnallocatedResources",
                "odb:GetOciOnboardingStatus",
                "odb:ListCloudExadataInfrastructures",
                "odb:ListDbServers",
                "odb:TagResource",
                "odb:UntagResource",
                "odb:ListTagsForResource"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Task:
  • Create an Autonomous Database
  • Modify an Autonomous Database
  • Delete an Autonomous Database
Cloud Persona: OCI Database administrator
Permissions (OCI IAM): if the user is not an OCI tenancy administrator, then the user must belong to:
  • The following pre-created groups:
    • aws-autonomous-cdb-administrators
  • Any other group that has the following policy statements:
    • Allow group <group-name> to manage autonomous-databases in compartment id <MulticloudLink_AWS_timestamp_ocid>
    • Allow group <group-name> to manage autonomous-backups in compartment id <MulticloudLink_AWS_timestamp_ocid>
    • Allow group <group-name> to manage autonomous-container-databases in compartment id <MulticloudLink_AWS_timestamp_ocid>
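The OCI side of both the Exadata Database and the Autonomous Database rows comes down to a fixed set of `manage` statements scoped to the Oracle Database@AWS compartment. The following script, an added example that is not Oracle's code, parses policy statements of the exact form shown above and reports which of the resource types a task requires are still not covered by a `manage` statement for the given group and compartment, rendering the statements that need to be added. The group name, compartment OCID and existing statements are constructed placeholders; the resource types per task are the ones listed on this page.

```python
"""Find the OCI IAM policy statements a group still needs for a task.

Added example for this page; not Oracle's code. Parses statements of the
form "Allow group <group-name> to manage <type> in compartment id <ocid>"
and lists the required resource types not yet covered. The group name,
OCID and existing statements are constructed placeholders; the resource
types per task are the ones this page lists.
"""
import re

# Resource types that this page requires 'manage' on, per task.
REQUIRED_TYPES = {
    "exadata-database": ["db-homes", "databases", "pluggable-databases", "db-family"],
    "autonomous-database": ["autonomous-databases", "autonomous-backups",
                            "autonomous-container-databases"],
}

STATEMENT = re.compile(
    r"^\s*Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>[A-Za-z-]+)\s+in\s+compartment\s+id\s+(?P<ocid>\S+)\s*$",
    re.IGNORECASE,
)


def parse_statement(statement: str):
    """Return the statement's parts, or None if it is not in the expected form."""
    m = STATEMENT.match(statement)
    if not m:
        return None
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    parts["rtype"] = parts["rtype"].lower()
    return parts


def is_compartment_ocid(ocid: str) -> bool:
    """Cheap sanity check: compartment OCIDs start with 'ocid1.compartment.'."""
    return ocid.startswith("ocid1.compartment.")


def render_statements(group, compartment_ocid, rtypes):
    """Render 'manage' statements in the form used on this page."""
    return [f"Allow group {group} to manage {t} in compartment id {compartment_ocid}"
            for t in rtypes]


def missing_statements(task, group, compartment_ocid, existing):
    """Statements to add so that `group` can perform `task` in `compartment_ocid`."""
    if not is_compartment_ocid(compartment_ocid):
        raise ValueError(f"not a compartment OCID: {compartment_ocid}")
    covered = set()
    for statement in existing:
        p = parse_statement(statement)
        # Only a 'manage' statement for this group and this compartment counts;
        # a weaker verb or another compartment does not satisfy the requirement.
        if p and p["group"] == group and p["ocid"] == compartment_ocid and p["verb"] == "manage":
            covered.add(p["rtype"])
    todo = [t for t in REQUIRED_TYPES[task] if t not in covered]
    return render_statements(group, compartment_ocid, todo)


# --- constructed sample input ---------------------------------------------
GROUP = "exa-dba-operators"                               # placeholder group
COMPARTMENT = "ocid1.compartment.oc1..exampleuniqueid"   # placeholder OCID
EXISTING = [
    f"Allow group {GROUP} to manage db-homes in compartment id {COMPARTMENT}",
    f"Allow group {GROUP} to manage databases in compartment id {COMPARTMENT}",
    # Right type, wrong compartment: does not count.
    f"Allow group {GROUP} to manage pluggable-databases in compartment id "
    "ocid1.compartment.oc1..othercompartment",
    # 'read' is weaker than the required 'manage'.
    f"Allow group {GROUP} to read db-family in compartment id {COMPARTMENT}",
]

if __name__ == "__main__":
    for line in missing_statements("exadata-database", GROUP, COMPARTMENT, EXISTING):
        print(line)
```

Feed it the statements of the group's existing policies (for example as returned by `oci iam policy list`) and the `MulticloudLink_AWS_<timestamp>` compartment OCID; the rendered lines are the ones to add to the policy in the root compartment as described in the OCI IAM notes at the top of this topic.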
For more information on how to grant the required permissions, see the following: