DevOps IAM Policies

Create IAM policies to control who has access to DevOps resources, and to control the type of access for each group of users.

Before you can control access to DevOps resources such as code repositories, build pipelines, and deployment pipelines, you must create users and place them in appropriate groups (see Managing Users and Managing Groups). You can then create policies and policy statements to control the access (see Managing Policies).

By default, users in the Administrators group have access to all the DevOps resources. If you are new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

Resource Types and Permissions

List of DevOps resource types and associated permissions.

To assign permissions to all DevOps resources, use the devops-family aggregate type. For more information, see Permissions.

A policy that uses <verb> devops-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Resource Type Permissions
devops-project
  • DEVOPS_PROJECT_INSPECT
  • DEVOPS_PROJECT_READ
  • DEVOPS_PROJECT_UPDATE
  • DEVOPS_PROJECT_CREATE
  • DEVOPS_PROJECT_DELETE
  • DEVOPS_PROJECT_MOVE
devops-deploy-artifact
  • DEVOPS_DEPLOY_ARTIFACT_INSPECT
  • DEVOPS_DEPLOY_ARTIFACT_READ
  • DEVOPS_DEPLOY_ARTIFACT_UPDATE
  • DEVOPS_DEPLOY_ARTIFACT_CREATE
  • DEVOPS_DEPLOY_ARTIFACT_DELETE
devops-deploy-environment
  • DEVOPS_DEPLOY_ENVIRONMENT_INSPECT
  • DEVOPS_DEPLOY_ENVIRONMENT_READ
  • DEVOPS_DEPLOY_ENVIRONMENT_UPDATE
  • DEVOPS_DEPLOY_ENVIRONMENT_CREATE
  • DEVOPS_DEPLOY_ENVIRONMENT_DELETE
devops-deploy-pipeline
  • DEVOPS_DEPLOY_PIPELINE_INSPECT
  • DEVOPS_DEPLOY_PIPELINE_READ
  • DEVOPS_DEPLOY_PIPELINE_UPDATE
  • DEVOPS_DEPLOY_PIPELINE_CREATE
  • DEVOPS_DEPLOY_PIPELINE_DELETE
devops-deploy-stage
  • DEVOPS_DEPLOY_STAGE_INSPECT
  • DEVOPS_DEPLOY_STAGE_READ
  • DEVOPS_DEPLOY_STAGE_UPDATE
  • DEVOPS_DEPLOY_STAGE_CREATE
  • DEVOPS_DEPLOY_STAGE_DELETE
devops-deployment
  • DEVOPS_DEPLOY_DEPLOYMENT_INSPECT
  • DEVOPS_DEPLOY_DEPLOYMENT_READ
  • DEVOPS_DEPLOY_DEPLOYMENT_UPDATE
  • DEVOPS_DEPLOY_DEPLOYMENT_CREATE
  • DEVOPS_DEPLOY_DEPLOYMENT_DELETE
  • DEVOPS_DEPLOY_DEPLOYMENT_CANCEL
  • DEVOPS_DEPLOY_DEPLOYMENT_APPROVE
devops-work-requests
  • DEVOPS_WORK_REQUEST_INSPECT
  • DEVOPS_WORK_REQUEST_READ
devops-repository
  • DEVOPS_REPOSITORY_INSPECT
  • DEVOPS_REPOSITORY_READ
  • DEVOPS_REPOSITORY_UPDATE
  • DEVOPS_REPOSITORY_CREATE
  • DEVOPS_REPOSITORY_DELETE
devops-build-pipeline
  • DEVOPS_BUILD_PIPELINE_INSPECT
  • DEVOPS_BUILD_PIPELINE_READ
  • DEVOPS_BUILD_PIPELINE_UPDATE
  • DEVOPS_BUILD_PIPELINE_CREATE
  • DEVOPS_BUILD_PIPELINE_DELETE
devops-build-pipeline-stage
  • DEVOPS_BUILD_PIPELINE_STAGE_INSPECT
  • DEVOPS_BUILD_PIPELINE_STAGE_READ
  • DEVOPS_BUILD_PIPELINE_STAGE_UPDATE
  • DEVOPS_BUILD_PIPELINE_STAGE_CREATE
  • DEVOPS_BUILD_PIPELINE_STAGE_DELETE
devops-build-run
  • DEVOPS_BUILD_RUN_INSPECT
  • DEVOPS_BUILD_RUN_READ
  • DEVOPS_BUILD_RUN_UPDATE
  • DEVOPS_BUILD_RUN_CREATE
  • DEVOPS_BUILD_RUN_DELETE
  • DEVOPS_BUILD_RUN_CANCEL
devops-connection
  • DEVOPS_CONNECTION_INSPECT
  • DEVOPS_CONNECTION_READ
  • DEVOPS_CONNECTION_UPDATE
  • DEVOPS_CONNECTION_CREATE
  • DEVOPS_CONNECTION_DELETE
devops-trigger
  • DEVOPS_TRIGGER_INSPECT
  • DEVOPS_TRIGGER_READ
  • DEVOPS_TRIGGER_UPDATE
  • DEVOPS_TRIGGER_CREATE
  • DEVOPS_TRIGGER_DELETE

Supported Variables

Variables are used when adding conditions to a policy.

DevOps supports the following variables:

  • Entity: Oracle Cloud Identifier (OCID)
  • String: Free-form text.
  • Number: Numeric value (arbitrary precision)
  • List: List of Entity, String, or Number
  • Boolean: True or False

See General Variables for All Requests.

Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name, target.display-name. Here name must be unique, and display-name is the description.

Required variables are supplied by the DevOps service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).

Required Variables Type Description
target.compartment.id Entity (OCID) The OCID of the primary resource for the request.
request.operation String The operation ID (for example, GetUser) for the request.
target.resource.kind String The resource kind name of the primary resource for the request.
Automatic Variables Type Description
request.user.id Entity (OCID) The OCID of the requesting user.
request.groups.id List of entities (OCIDs) The OCIDs of the groups the requesting user is in.
target.compartment.name String The name of the compartment specified in target.compartment.id.
target.tenant.id Entity (OCID) The OCID of the target tenant ID.

Here's a list of available sources for the variables:

  • Request: Comes from the request input.
  • Derived: Comes from the request.
  • Stored: Comes from the service, retained input.
  • Computed: Computed from service data.

Mapping Variables with Resource Types

Resource Type Variable Type Source Description

devops-project

devops-deploy-artifact

devops-deploy-environment

devops-deploy-pipeline

devops-deploy-stage

devops-deployment

devops-repository

devops-connection

devops-trigger

devops-build-pipeline

devops-build-pipeline-stage

devops-build-run

target.project.id Entry Stored Available for Get, Update, Delete, and Move operations on the Project resource.

devops-project

devops-deploy-artifact

devops-deploy-environment

devops-deploy-pipeline

devops-deploy-stage

devops-deployment

devops-repository

devops-connection

devops-trigger

devops-build-pipeline

devops-build-pipeline-stage

devops-build-run

target.project.name String Stored Available for Get, Update, Delete, and Move operations on the Project resource.
devops-deploy-artifact target.artifact.id Entity Stored Available for Get, Update, and Delete operations on the Artifact resource.
devops-deploy-environment target.environment.id Entity Stored Available for Get, Update, and Delete operations on the Environment resource.

devops-deploy-pipeline

devops-deploy-stage

devops-deployment

target.pipeline.id Entity Stored Available for Get, Update, and Delete operations on the Pipeline resource.
devops-deploy-stage target.stage.id Entity Stored Available for Get, Update, and Delete operations on the Stage resource.
devops-deployment target.deployment.id Entity Stored Available for Get, Update, and Delete operations on Deployment resource types.
devops-repository target.repository.id Entity Stored Available for Get, Update, Delete, and Move operations on the Repository resource.
devops-repository target.repository.name Entity Stored Available for Get, Update, Delete, and Move operations on the Repository resource.
devops-repository target.branch.name Entity Stored Available for Git operations like upload-pack, receive-pack on the Repository branch.
devops-repository target.tag.name Entity Stored Available for Git operations like upload-pack, receive-pack on the Repository branch.
devops-connection target.connection.id Entity Stored Available for Get, Update, and Delete operations on the Connection resource.
devops-trigger target.trigger.id Entity Stored Available for Get, Update, and Delete operations on the Trigger resource.

devops-build-pipeline

devops-build-pipeline-stage

devops-build-run

target.build-pipeline.id Entity Stored Available for Get, Update, and Delete operations on the Build Pipeline resource.
devops-build-pipeline-stage target.build-pipeline-stage.id Entity Stored Available for Get, Update, and Delete operations on the Build Pipeline Stage resource.
devops-build-run target.build-run.id Entity Stored Available for Get, Update, Delete, and Cancel operations on the Build Run resource.

Details for Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for DevOps resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

devops-project

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-project resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_PROJECT_INSPECT ListProjects List all the project resources in a compartment.
read

inspect+

DEVOPS_PROJECT_READ

inspect+

GetProject

Get a specific project by ID.
use

read+

DEVOPS_PROJECT_UPDATE

read+

UpdateProject

Update a specific project.
manage

use+

DEVOPS_PROJECT_CREATE

use+

CreateProject

Create a project resource.
manage

use+

DEVOPS_PROJECT_DELETE

use+

DeleteProject

Delete a specific project.
manage

use+

DEVOPS_PROJECT_MOVE

use+

ChangeProjectCompartment

Move a project to a different compartment.
devops-deploy-artifact

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-artifact resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOY_ARTIFACT_INSPECT ListDeployArtifacts List all the artifacts in a project or compartment.
read

inspect+

DEVOPS_DEPLOY_ARTIFACT_READ

inspect+

GetDeployArtifact

Get a specific artifact by ID.
use

read+

DEVOPS_DEPLOY_ARTIFACT_UPDATE

read+

UpdateDeployArtifact

Update a specific artifact by ID.
manage

use+

DEVOPS_DEPLOY_ARTIFACT_CREATE

use+

CreateDeployArtifact

Create an artifact resource within a project.

manage

use+

DEVOPS_DEPLOY_ARTIFACT_DELETE

use+

DeleteDeployArtifact

Delete a specific artifact by ID.

devops-deploy-environment

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-environment resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOY_ENVIRONMENT_INSPECT ListDeployEnvironments List all the environments in an application or compartment.
read

inspect+

DEVOPS_DEPLOY_ENVIRONMENT_READ

inspect+

GetDeployEnvironment

Get a specific environment by ID.
use

read+

DEVOPS_DEPLOY_ENVIRONMENT_UPDATE

read+

UpdateDeployEnvironment

Update a specific environment by ID.
manage

use+

DEVOPS_DEPLOY_ENVIRONMENT_CREATE

use+

CreateDeployEnvironment

Create an environment for a deployment target within an application.

manage

use+

DEVOPS_DEPLOY_ENVIRONMENT_DELETE

use+

DeleteDeployEnvironment

Delete a specific environment by ID.

devops-deploy-pipeline

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-pipeline resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOY_PIPELINE_INSPECT ListDeployPipelines List all the pipeline resources in a compartment.
read

inspect+

DEVOPS_DEPLOY_PIPELINE_READ

inspect+

GetDeployPipeline

Get a specific pipeline by ID.
use

read+

DEVOPS_DEPLOY_PIPELINE_UPDATE

read+

UpdateDeployPipeline

Update a specific pipeline by ID.
manage

use+

DEVOPS_DEPLOY_PIPELINE_CREATE

use+

CreateDeployPipeline

Create a pipeline resource.

manage

use+

DEVOPS_DEPLOY_PIPELINE_DELETE

use+

DeleteDeployPipeline

Delete a specific pipeline.

devops-deploy-stage

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-stage resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOY_STAGE_INSPECT ListDeployStages List all the stages in a pipeline or compartment.
read

inspect+

DEVOPS_DEPLOY_STAGE_READ

inspect+

GetDeployStage

Get a specific stage by ID.
use

read+

DEVOPS_DEPLOY_STAGE_UPDATE

read+

UpdateDeployStage

Update a specific stage by ID.
manage

use+

DEVOPS_DEPLOY_STAGE_CREATE

use+

CreateDeployStage

Create a stage within a pipeline.

manage

use+

DEVOPS_DEPLOY_STAGE_DELETE

use+

DeleteDeployStage

Delete a specific stage by ID.

devops-deployment

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deployment resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_DEPLOYMENT_INSPECT ListDeployments List all the deployments in a compartment.
read

inspect+

DEVOPS_DEPLOYMENT_READ

inspect+

GetDeployment

Get a specific deployment by ID.
use

read+

DEVOPS_DEPLOYMENT_UPDATE

read+

UpdateDeployStage

Update a specific stage by ID.

use

read+

DEVOPS_DEPLOYMENT_APPROVE

read+

ApproveDeployment

Approve a specific deployment that's waiting for manual approval.
use

read+

DEVOPS_DEPLOYMENT_CANCEL

read+

CancelDeployment

Cancel a running deployment.

manage

use+

DEVOPS_DEPLOYMENT_CREATE

use+

CreateDeployment

Create a deployment for a specific pipeline.

manage

use+

DEVOPS_DEPLOYMENT_DELETE

use+

DeleteDeployment

Delete a specific deployment.

devops-work-requests

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-work-requests resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_WORK_REQUEST_INSPECT ListWorkRequests List all the work requests in a compartment.
read

inspect+

DEVOPS_WORK_REQUEST_READ

inspect+

GetWorkRequest

Get a specific work request by ID.
devops-repository

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-repository resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_REPOSITORY_INSPECT ListRepositories List all the repository resources by compartment ID, project ID, or repository ID.
read

inspect+

DEVOPS_REPOSITORY_READ

inspect+

GetRepository

Get a specific repository by ID.
use

read+

DEVOPS_REPOSITORY_UPDATE

read+

UpdateRepository

Update a specific repository by ID.
manage

use+

DEVOPS_REPOSITORY_CREATE

use+

CreateRepository

Create a repository.

manage

use+

DEVOPS_REPOSITORY_DELETE

use+

DeleteRepository

Delete a specific repository by ID.

devops-connection

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-connection resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_CONNECTION_INSPECT ListConnections List all the connections in a project or compartment.
read

inspect+

DEVOPS_CONNECTION_READ

inspect+

GetConnection

Get a specific connection by ID.
use

read+

DEVOPS_CONNECTION_UPDATE

read+

UpdateConnection

Update a specific connection by ID.
manage

use+

DEVOPS_CONNECTION_CREATE

use+

CreateConnection

Create a connection resource in a project.

manage

use+

DEVOPS_CONNECTION_DELETE

use+

DeleteConnection

Delete a specific connection by ID.

devops-trigger

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-trigger resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_TRIGGER_INSPECT ListTriggers List all the triggers in a project or compartment.
read

inspect+

DEVOPS_TRIGGER_READ

inspect+

GetTrigger

Get a specific trigger by ID.
use

read+

DEVOPS_TRIGGER_UPDATE

read+

UpdateTrigger

Update a specific trigger by ID.
manage

use+

DEVOPS_TRIGGER_CREATE

use+

CreateTrigger

Create a trigger resource in a project.

manage

use+

DEVOPS_TRIGGER_DELETE

use+

DeleteTrigger

Delete a specific trigger by ID.

devops-build-pipeline

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-pipeline resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_BUILD_PIPELINE_INSPECT ListBuildPipelines List all the build pipeline resources in a compartment.
read

inspect+

DEVOPS_BUILD_PIPELINE_READ

inspect+

GetBuildPipeline

Get a specific build pipeline by ID.
use

read+

DEVOPS_BUILD_PIPELINE_UPDATE

read+

UpdateBuildPipeline

Update a specific build pipeline by ID.
manage

use+

DEVOPS_BUILD_PIPELINE_CREATE

use+

CreateBuildPipeline

Create a build pipeline resource.

manage

use+

DEVOPS_BUILD_PIPELINE_DELETE

use+

DeleteBuildPipeline

Delete a specific build pipeline.

devops-build-pipeline-stage

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-pipeline-stage resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_BUILD_PIPELINE_STAGE_INSPECT ListBuildPipelineStages List all the stages in a build pipeline or compartment.
read

inspect+

DEVOPS_BUILD_PIPELINE_STAGE_READ

inspect+

GetBuildPipelineStage

Get a specific build pipeline stage by ID.
use

read+

DEVOPS_BUILD_PIPELINE_STAGE_UPDATE

read+

UpdateBuildPipelineStage

Update a specific build pipeline stage by ID.
manage

use+

DEVOPS_BUILD_PIPELINE_STAGE_CREATE

use+

CreateBuildPipelineStage

Create a stage in a build pipeline.

manage

use+

DEVOPS_BUILD_PIPELINE_STAGE_DELETE

use+

DeleteBuildPipelineStage

Delete specific build pipeline stage by ID.

devops-build-run

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-run resource.

Verbs Permissions APIs Covered Description
inspect DEVOPS_BUILD_RUN_INSPECT ListBuildRuns List the build runs in a project or compartment.
read

inspect+

DEVOPS_BUILD_RUN_READ

inspect+

GetBuildRun

Gets a specific build run by ID.
use

read+

DEVOPS_BUILD_RUN_UPDATE

read+

UpdateBuildRun

Update an existing build run.
use

read+

DEVOPS_BUILD_RUN_CANCEL

read+

CancelBuildRun

Cancel a running build run.
manage

use+

DEVOPS_BUILD_RUN_CREATE

use+

CreateBuildRun

Start a build run for a given build pipeline.

manage

use+

DEVOPS_BUILD_RUN_DELETE

use+

DeleteBuildRun

Delete an existing build run.

Creating a Policy

Here's how you create a policy in the Oracle Cloud Console:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
  4. Under Policy Builder, click the Show manual editor switch to enable the editor.

    Enter a policy rule in the following format:

    allow <group> to <verb> <resource_type> in <compartment or tenancy details>
  5. Click Create.

For more information about creating policies, see How Policies Work and Policy Reference.

Policy Examples

DevOps policies required for using various DevOps resources such as code repositories, build pipelines and deployment pipelines.

Following policy examples are provided:

Environment Policies

Policy example for creating target environment that is used for deployment.

See the instructions for creating policies using the console.

Create policy to allow users in a group to create, update or delete a private OKE environment:
Allow group <group-name> to manage virtual-network-family in compartment <compartment_name> where any {request.operation='CreatePrivateEndpoint', request.operation='UpdatePrivateEndpoint', request.operation='DeletePrivateEndpoint', request.operation='EnableReverseConnection', request.operation='ModifyReverseConnection', request.operation='DisableReverseConnection'}

Code Repository Policies

Policy examples for creating your own private code repositories and connecting to external code repositories such as GitHub and GitLab.

See the instructions for creating policies using the console.

  • Create dynamic groups for your code repository. You can name the dynamic group as, for example, CoderepoDynamicGroup and replace compartmentOCID with the OCID of your compartment:
    ALL {resource.type = 'devopsrepository', resource.compartment.id = 'compartmentOCID'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create following IAM policies:
    • Allow the dynamic group to manage the DevOps resources in the compartment:
      Allow dynamic-group CoderepoDynamicGroup to manage devops-family in compartment <compartment_name>
    • Allow the code repositories to read secrets in the compartment:
      Allow dynamic-group CoderepoDynamicGroup to read secret-family in compartment <compartment name>
  • To integrate with external code repositories, create a policy in the root compartment. For example, to allow the dynamic group to read secrets:
    • Create a dynamic group for the connection. You can name the dynamic group as, for example, ConnectionDynamicGroup and replace compartmentOCID with the OCID of your compartment:
      ALL {resource.type = 'devopsconnection', resource.compartment.id = 'compartmentOCID'}
    • Create following IAM policy:
      Allow dynamic-group ConnectionDynamicGroup to read secret-family in tenancy

Build Pipeline Policies

Policy examples for creating build pipelines and adding stages to the pipeline.

See the instructions for creating policies using the console.

  • Create dynamic groups for your build pipeline. You can name the dynamic group as, for example, BuildDynamicGroup and replace compartmentOCID with the OCID of your compartment:
    ALL {resource.type = 'devopsbuildpipeline', resource.compartment.id = 'compartmentOCID'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create IAM policies to allow the dynamic group to access OCI resources in the compartment:
    • To deliver artifacts, provide access to the Container Registry (OCIR):
      Allow dynamic-group BuildDynamicGroup to manage repos in compartment <compartment_name>
    • To access vault for personal access token (PAT), provide access to secret-family. This policy is required in the Managed Build stage for accessing PAT to download the source code:
      Allow dynamic-group BuildDynamicGroup to read secret-family in compartment <compartment_name>
    • Provide access to read deployment artifacts in the Deliver Artifacts stage, read DevOps code repository in the Managed Build stage, and trigger deployment pipeline in the Trigger Deploy stage:
      Allow dynamic-group BuildDynamicGroup to manage devops-family in compartment <compartment_name>
    • To deliver artifacts, provide access to the Artifact Registry:
      Allow dynamic-group BuildDynamicGroup to manage generic-artifacts in compartment <compartment_name>
    • To send notifications, provide access to the build pipeline:
      Allow dynamic-group BuildDynamicGroup to use ons-topics in compartment <compartment_name>
  • Create policies to allow private access setup in the Managed Build stage:
    allow dynamic-group BuildDynamicGroup to use subnets in compartment <customer subnet compartment>
    allow dynamic-group BuildDynamicGroup to use vnics in compartment <customer subnet compartment>
    If any network security groups (NSGs) are specified in the private access configuration, then the policy must allow access to the NSGs:
    allow dynamic-group BuildDynamicGroup to use network-security-groups in compartment <customer subnet compartment>
  • Create a policy to allow the build pipeline to access the Certificate Authority (CA) bundle resource for Transport Layer Security (TLS) verification:
    allow dynamic-group BuildDynamicGroup to use cabundles in compartment <compartment name>

Policies for Accessing ADM Resources

Policy examples for accessing Application Dependency Management (ADM) service's resources from the build pipeline.

See the instructions for creating policies using the console.

  • Create dynamic groups for your build pipeline. You can name the dynamic group as, for example, BuildDynamicGroup and replace compartmentOCID with the OCID of your compartment:
    ALL {resource.type = 'devopsbuildpipeline', resource.compartment.id = 'compartmentOCID'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create IAM policies to allow the dynamic group to access ADM resources in the tenancy:
    allow dynamic-group BuildDynamicGroup to use adm-knowledge-bases in tenancy
    allow dynamic-group BuildDynamicGroup to manage adm-vulnerability-audits in tenancy

Deployment Pipeline Policies

Policy examples for creating deployment pipelines and adding stages to the pipeline.

See the instructions for creating policies using the console.

  • Create dynamic groups for your deployment pipeline. You can name the dynamic group as, DeployDynamicGroup and replace compartmentOCID with the OCID of your compartment:
    All {resource.type = 'devopsdeploypipeline', resource.compartment.id = 'compartmentOCID'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create IAM policies to give permissions to access tenancy resources:
    • Allow the deployment pipeline dynamic group to access your tenancy resources:
      Allow dynamic-group DeployDynamicGroup to manage all-resources in tenancy

      This policy gives access to all Oracle Cloud Infrastructure resource types in your tenancy, but you can create IAM policies to give access to specific resource types or compartments. For more information, see Policy Reference.

    • For an instance group deployment, you also need to create a dynamic group for these instances and give the dynamic group certain permissions:
      • Create a dynamic group for your instances. For example, you can name the dynamic group as, DeployComputeDynamicGroup and replace compartmentOCID with the OCID of your compartment:
        All {instance.compartment.id = 'compartmentOCID'}
      • Create IAM policies to give required access to the deployment instances:
        Allow dynamic-group DeployComputeDynamicGroup to use instance-agent-command-execution-family in compartment <compartment_name>
        
        Allow dynamic-group DeployComputeDynamicGroup to read generic-artifacts in compartment <compartment_name>

Artifact Policies

Policy examples for adding the Deliver Artifacts stage to the build pipeline.

The Deliver Artifacts stage maps the build outputs from the Managed Build stage with the version to deliver to a DevOps artifact resource, and then to the Oracle Cloud Infrastructure (OCI) code repository. DevOps supports artifacts stored in OCI Container Registry and Artifact Registry repositories. See Adding a Deliver Artifacts Stage.

See the instructions for creating policies using the console.

  • Create dynamic groups for your build pipeline. You can name the dynamic group as, for example, BuildDynamicGroup and replace compartmentOCID with the OCID of your compartment:
    ALL {resource.type = 'devopsbuildpipeline', resource.compartment.id = 'compartmentOCID'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create following IAM policies:
    • Ability to see a list of all repositories in Container Registry belonging to the tenancy or to a particular compartment:
      Allow dynamic-group BuildDynamicGroup to inspect repos in tenancy
      Allow dynamic-group BuildDynamicGroup to inspect repos in compartment <compartment_name>
    • Allow artifacts to be pushed to the Container Registry (OCIR) that belongs to the tenancy or to a particular compartment:
      Allow dynamic-group BuildDynamicGroup to use repos in tenancy
      Allow dynamic-group BuildDynamicGroup to use repos in compartment <compartment_name>

      See Policies to Control Repository Access.

    • Ability to see a list of generic artifacts in Artifact Registry belonging to the tenancy or to a particular compartment:
      Allow dynamic-group BuildDynamicGroup to inspect generic-artifacts in tenancy
      Allow dynamic-group BuildDynamicGroup to inspect generic-artifacts in compartment <compartment_name>
    • Allow generic artifacts to be pushed to the Artifact Registry that belongs to the tenancy or to a particular compartment:
      Allow dynamic-group BuildDynamicGroup to use generic-artifacts in tenancy
      Allow dynamic-group BuildDynamicGroup to use generic-artifacts in compartment <compartment_name>

      See Artifact Registry Policies.

    • Allow users to pull generic artifacts that belongs to the tenancy or to a particular compartment:
      Allow dynamic-group BuildDynamicGroup to read generic-artifacts in tenancy
      Allow dynamic-group BuildDynamicGroup to read generic-artifacts in compartment <compartment_name>

Accessing Artifact Registry

Oracle Cloud Infrastructure Artifact Registry is a repository service for storing, sharing, and managing software development packages.

You can access the artifacts that you store in Artifact Registry from the DevOps service. You can create a reference to three types of artifacts in Artifact Registry: instance group deployment configurations, general artifacts, and Kubernetes manifests. Your administrator must grant the read all-artifacts permission to the pipeline resources.

To access the artifacts from the deployment pipeline, perform these actions:

  • Create dynamic groups for your deployment pipeline. You can name the dynamic group as, DeployDynamicGroup and replace compartmentOCID with the OCID of your compartment:
    All {resource.type = 'devopsdeploypipeline', resource.compartment.id = 'compartmentOCID'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create IAM policy to allow the dynamic group to access the artifacts from a specific compartment:
    Allow dynamic-group DeployDynamicGroup to read all-artifacts in compartment <compartment_name>

For more information, see Artifact Registry Policies.