Model Deployment Policies
You must create a group of users that are authorized to work with model deployments before you can deploy a model with a model deployment resource.
Alternatively, you could create a dynamic group of resources (like notebook sessions) that is authorized to create a deployment. In this case, anyone who can access the notebook session can take the identity of the notebook session and create a model deployment. The authentication method from the notebook session uses resource principals.
The same pattern applies when invoking the model endpoint after deployment: a group of users or resources needs to be authorized to invoke the model.
The following examples are the most common policy statements for use with a model deployment; Example Model Deployment Policies contains more examples.
Manage Model Deployment Policies
Allows users in <your-group> to perform all CRUD operations on models stored in the model catalog. Any user who wants to deploy a model through model deployment also needs access to the model they want to deploy.
allow group <your-group> to manage data-science-models in compartment <your-compartment-name>
Allows users in <your-group> to perform all CRUD operations, including calling the predict endpoint, on model deployment resources in a particular compartment. You can change the manage verb to limit what the users can do.
allow group <your-group> to manage data-science-model-deployments in compartment <your-compartment-name>
Allows resources in <your-dynamic-group> to perform all CRUD operations, including calling the predict endpoint, on model deployment resources in a particular compartment. The manage verb can be changed to limit what the resources can do.
allow dynamic-group <your-dynamic-group> to manage data-science-model-deployments in compartment <your-compartment-name>
The preceding policy examples are permissive. You can create more restrictive policies. A common example is to restrict who or what resources can invoke the predict endpoint of the model deployment.
Authorize Access to Predict Endpoint Policy
Allows users in <your-group> to perform all CRUD operations, including calling the predict endpoint, on model deployment resources in a particular compartment. You can change the manage verb to limit what the users can do.
allow group <your-group> to manage data-science-model-deployments in compartment <your-compartment-name>
Allows resources in <your-dynamic-group-2> only to call the predict endpoint of model deployments in a particular compartment, without any other CRUD permission on them.
allow dynamic-group <your-dynamic-group-2> to {DATA_SCIENCE_MODEL_DEPLOYMENT_PREDICT} in compartment <your-compartment-name>
Give Model Deployment Access to Your Published Conda Bucket
allow any-user to read objects in compartment <your-compartment-name>
where ALL { request.principal.type='datasciencemodeldeployment',
target.bucket.name=<your-published-conda-envs-bucket-name> }
Give Model Deployment Access to the Logging Service
allow any-user to use log-content in tenancy
where ALL {request.principal.type = 'datasciencemodeldeployment'}
Give Model Deployment Access to an Object Storage Bucket
allow any-user to read objects in compartment <your-compartment-name>
where ALL { request.principal.type='datasciencemodeldeployment', target.bucket.name=<your-bucket-name> }
Other Methods of Authentication and Authorization
Model deployment only supports authorization and authentication defined by the OCI Identity and Access Management (IAM) service. Model deployment does not support other methods of authorization and authentication such as OAuth or basic access authentication.