Creating Dynamic Groups and Policies to Access Other Oracle Cloud Infrastructure Resources from Notebook Sessions

When a Data Science notebook session is running, it can access other Oracle Cloud Infrastructure resources. For example, you might want to:

  • Access the Data Science model catalog to save or load models.

  • List Data Science projects.

  • Access data from an Object Storage bucket, perform some operation on the data, and then write the modified data back to the Object Storage bucket.

  • Create and run a Data Flow application.

  • Access your secrets stored in the Vault.

Users working in notebook sessions can use the notebook session's resource principal as an authentication mechanism with the preceding use cases. For more details on using resource principals, see Authenticating to the OCI APIs from a Notebook Session.

Creating Dynamic Groups and Policies

To enable a notebook session to access another Oracle Cloud Infrastructure resource, you have to include the notebook session in a dynamic group, and then create a policy to grant the dynamic group access to that resource.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Dynamic Groups.
    A list of the dynamic groups in your tenancy displays.
  2. Click Create and create a new dynamic group.
  3. Enter a meaningful name. For example, acme-datascience-dyn-group.
  4. Enter a description. Avoid entering confidential information.
  5. Enter the Matching Rules. Resources that meet the rule criteria are members of the group. When specifying a rule for the dynamic group, consider which resource is going to be given access to some other resource, as in these examples:
    • To allow all notebook sessions in the compartment identified by the OCID in the resource.compartment.id parameter, enter a rule similar to the following:

      ALL {resource.type = 'datasciencenotebooksession', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaafl______kzyq'}
    • To allow a specific notebook session to access a resource, enter a rule similar to the following, which adds the notebook session with the specified OCID to the dynamic group:

      resource.id = 'ocid1.datasciencenotebooksession.oc1.iad.amaaaaaani______ci2q'
    • Notebook sessions can be tagged with a key and value pair, and any notebook session with that tag is part of the dynamic group. For example, notebook sessions tagged with department.operations.value = '8' are part of the group:

      ALL {resource.type = 'datasciencenotebooksession', tag.department.operations.value = '8'}

      Free-form tags are not supported; see Resource Tagging.

  6. Click Create.

    Next, give the dynamic group permissions by writing one or more policies:

  7. Click Policies.
  8. Follow the instructions to create a policy and give the policy a meaningful name. For example, acme-datascience-dyn-group-access.
    Note

    Ensure that you select the root compartment for these policies.
  9. When specifying a policy statement, consider what permissions you want notebook sessions in the acme-datascience-dyn-group group to have. The following are some example policy statements with descriptions of the access granted:
    • Manage all data science resources in a specific compartment. These resources include projects, the model catalog, and so on.

      allow dynamic-group acme-datascience-dyn-group to manage data-science-family in compartment acme-compartment
    • Allow a dynamic group of resources (such as notebook sessions) to perform all CRUD operations, including calling the predict endpoint, on model deployment resources in a particular compartment. The manage verb can be changed to limit what the resources can do.

      allow dynamic-group <your-dynamic-group> to manage data-science-model-deployments in compartment <your-compartment-name>
    • To read and write to a particular Object Storage bucket, enter a statement similar to the following:

      allow dynamic-group acme-datascience-dyn-group to manage objects in compartment acme-compartment where all {target.bucket.name="acme-datascience-bucket"}
    • To create and run a Data Flow application, enter a statement similar to the following:

      allow dynamic-group acme-datascience-dyn-group to manage dataflow-family in tenancy
    • To list compartments (useful for interacting with the model catalog), enter a statement similar to the following:

      allow dynamic-group acme-datascience-dyn-group to read compartments in tenancy
    • To list users (useful for interacting with the model catalog), enter a statement similar to the following:

      allow dynamic-group acme-datascience-dyn-group to read users in tenancy
    • To manage secrets stored in a Vault, enter a statement similar to the following:

      allow dynamic-group acme-datascience-dyn-group to manage secret-family in tenancy
    • To read and write to all resources in a compartment, enter a statement similar to the following:

      allow dynamic-group acme-datascience-dyn-group to manage all-resources in compartment acme-compartment
  10. Click Create to create the policy.
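As an added example (not part of this documentation page or Oracle's own tooling), the following Python script parses policy statements of the allow dynamic-group ... form used above and flags grants that are broader than the notebook use cases on this page require: manage at tenancy scope, all-resources, or an Object Storage grant with no where clause on target.bucket.name. The sample statements are copied from this page; the risk rules are an assumption about what counts as "too broad" for a notebook session's resource principal.

```python
import re

# Constructed sample: the policy statements this page lists for the dynamic group.
SAMPLE_STATEMENTS = [
    "allow dynamic-group acme-datascience-dyn-group to manage data-science-family in compartment acme-compartment",
    'allow dynamic-group acme-datascience-dyn-group to manage objects in compartment acme-compartment where all {target.bucket.name="acme-datascience-bucket"}',
    "allow dynamic-group acme-datascience-dyn-group to manage dataflow-family in tenancy",
    "allow dynamic-group acme-datascience-dyn-group to read compartments in tenancy",
    "allow dynamic-group acme-datascience-dyn-group to manage secret-family in tenancy",
    "allow dynamic-group acme-datascience-dyn-group to manage all-resources in compartment acme-compartment",
]

# Grammar handled: allow dynamic-group <group> to <verb> <resource> in <scope> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$", re.IGNORECASE)


def parse_statement(statement):
    """Split one dynamic-group policy statement into its parts (line breaks are tolerated)."""
    match = STATEMENT_RE.match(" ".join(statement.split()))
    if not match:
        raise ValueError(f"unrecognised statement: {statement!r}")
    parts = match.groupdict()
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    return parts


def review_statement(statement):
    """Return findings for grants broader than the notebook use cases on this page need."""
    p = parse_statement(statement)
    findings = []
    if p["resource"] == "all-resources":
        findings.append("all-resources: grant a specific family (e.g. data-science-family) instead")
    if p["scope"].lower() == "tenancy" and p["verb"] == "manage":
        findings.append("manage in tenancy: scope the grant to the compartment the notebooks use")
    if p["resource"] in ("objects", "buckets", "object-family") and not p["condition"]:
        findings.append('unconditioned Object Storage grant: add where all {target.bucket.name="..."}')
    return findings


def review_all(statements):
    """Map each statement that needs attention to its findings."""
    report = {}
    for statement in statements:
        findings = review_statement(statement)
        if findings:
            report[statement] = findings
    return report
```

Because the parser normalises whitespace, the two-line form in which this page prints each statement can be passed in unchanged.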
Note

The resource principal token is cached for 15 minutes. Therefore, if you change the policy or the dynamic group, you have to wait for 15 minutes to see the effect of your changes.

For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.