Resource Principals

Oracle recommends using resource principal based authentication for Full Stack Disaster Recovery to use additional features and functionality. Use resource principals to authenticate and access other Oracle Cloud Infrastructure resources. To use resource principals, you or your tenancy administrator must define the Oracle Cloud Infrastructure policies and dynamic groups that allow principals to access Oracle Cloud Infrastructure resources.

To configure Resource Principal authentication for Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery, follow these detailed steps:

1. Create a Dynamic Group and define its matching rules as follows:

A Dynamic Group allows you to group OCI resources so they can be collectively assigned permissions. Defining matching rules within the Dynamic Group specifies which resources are included.

Navigate to the OCI Console:
  1. Sign in to your OCI account.
  2. Open the navigation menu and select Identity & Security > Domains > [Your Domain] > Groups > Dynamic Groups.
Create a New Dynamic Group:
  1. Click Create Dynamic Group.
  2. Provide a meaningful name and description.
  3. In the Matching Rules section, select Match any rules defined below. This setting ensures that resources matching any of the specified rules are included in the dynamic group.

Dynamic Group Matching Rules:

Select the Match Any Rules radio button and add the rules below individually.
Rule 1: All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid>'}
Rule 2: Any {instance.compartment.id = '<instance_compartment_ocid>'}
Rule 3: All {resource.type='computecontainerinstance', resource.compartment.id='<mysql_compartment_ocid>'}
Rule 4: All {resource.type='computecontainerinstance', resource.compartment.id='<oke_cluster_compartment_ocid>'}

Save the Dynamic Group:

After defining the matching rules, click Create to save the Dynamic Group.

For more information, see Guidelines for Matching Rules in Dynamic Groups for Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery.

2. Create the IAM policies for the dynamic group as follows:

IAM policies grant the necessary permissions to the Dynamic Group for managing resources during DR operations.

Navigate to Policies:

In the OCI Console, go to Identity & Security > Domains > [Your Domain] > Policies.

Create a New Policy:

  1. Click Create Policy.
  2. Provide a name and description for the policy.
  3. In the Policy Builder, add statements to grant the necessary permissions.

Policy Statements:

The required policy statements depend on the types of resources managed by Full Stack DR.

Replace <dynamic_group_name> with the name of your dynamic group, and each <..._compartment_name> placeholder with the name of the compartment that holds that resource type.

All Policy Statements:

Allow dynamic-group <dynamic_group_name> to manage disaster-recovery-family in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>
Allow dynamic-group <dynamic_group_name> to use tag-namespaces in tenancy
Allow dynamic-group <dynamic_group_name> to read all-resources in tenancy
Allow dynamic-group <dynamic_group_name> to manage instance-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage virtual-network-family in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage file-family in compartment <file_system_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage database-family in compartment <database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update autonomousContainerDatabaseDataguardAssociations in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update cloud-autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage mysql-family in compartment <mysql_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage load-balancers in compartment <load_balancer_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage network-load-balancers in compartment <network_load_balancer_compartment_name>
Allow dynamic-group <dynamic_group_name> to read secret-family in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to read vaults in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage cluster-family in compartment <oke_cluster_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage cluster-virtualnode-pools in compartment <oke_cluster_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage compute-container-family in compartment <oke_cluster_compartment_name>
Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator', request.principal.cluster_id = '<cluster_ocid>'}
Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', request.principal.cluster_id = '<cluster_ocid>'}
Allow dynamic-group <dynamic_group_name> to read fn-app in compartment <function_compartment_name>
Allow dynamic-group <dynamic_group_name> to read fn-function in compartment <function_compartment_name>
Allow dynamic-group <dynamic_group_name> to use fn-invocation in compartment <function_compartment_name>

For more information, see Guidelines for Policy Statements for Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery.

Review and Create:

After adding the necessary statements, review the policy and click Create to apply it.

By following these steps, you can set up Resource Principal authentication for OCI Full Stack Disaster Recovery, enabling secure and efficient management of your disaster recovery operations.

Reference:

Guidelines for Matching Rules in Dynamic Groups for Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery

Define Matching Rules:

Align your resource matching rules with the types of resources you want to protect with the Full Stack Disaster Recovery service.

DR Protection Group Matching Rules:

This step is mandatory, as this is the Resource Principal used for DR configuration and execution.

All DR Protection Groups in a specific compartment:

All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid>'}
Replace <dr_protection_group_compartment_ocid> with your DR protection group compartment OCID.

All DR Protection Groups across multiple compartments:

All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid1>'}
All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid2>'}

All DR Protection Groups across all compartments:

All {resource.type='drprotectiongroup'}

Compute Instance Matching Rules:

This is needed if you have Compute Instances, either Moving or Non-Moving members, in your DR Protection Group. Use these rules to include compute instances in your DR configuration:

All instances within a specific compartment:
Any {instance.compartment.id = '<instance_compartment_ocid>'}
Replace <instance_compartment_ocid> with your compute instance compartment OCID.

Instances across multiple compartments:

Any {instance.compartment.id = '<instance_compartment_ocid1>'}
Any {instance.compartment.id = '<instance_compartment_ocid2>'}

OKE Cluster and MySQL DB System Matching Rules:

This is needed if you have OKE Cluster or MySQL DB System members in your DR Protection Group.

To protect OKE clusters and MySQL DB Systems, use the rules below.

Note: Disaster Recovery configuration and executions run through compute container instances, which is why these rules match resource.type='computecontainerinstance'.

All OKE cluster instances in a specific compartment:

All {resource.type='computecontainerinstance', resource.compartment.id='<oke_cluster_compartment_ocid>'}
Replace <oke_cluster_compartment_ocid> with your OKE cluster compartment OCID.

All MySQL DB systems in a specific compartment:

All {resource.type='computecontainerinstance', resource.compartment.id='<mysql_compartment_ocid>'}
Replace <mysql_compartment_ocid> with the relevant MySQL compartment OCID.

All compute container instances regardless of compartment (applies to all relevant resources):

All {resource.type='computecontainerinstance'}

Because the dynamic group is created with Match any rules defined below, a resource becomes a member as soon as any one of these rules matches it; within a single All rule, every condition must hold.
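The rule semantics described in step 1 and in this section (a resource joins the group when any listed rule matches it; All requires every condition, Any at least one), as an added Python example that is not part of the Oracle documentation. The compartment OCIDs in the sample are constructed stand-ins:

```python
import re

# Added example, not from the Oracle documentation: evaluates the dynamic-group
# matching-rule syntax used by Full Stack DR. Compartment OCIDs below are
# constructed stand-ins, not real identifiers.
RULE_RE = re.compile(r"^\s*(All|Any)\s*\{(.*)\}\s*$", re.IGNORECASE)
COND_RE = re.compile(r"\s*([\w.]+)\s*=\s*'([^']*)'\s*")

def parse_rule(rule):
    """Turn "All {a='x', b='y'}" into ("all", {"a": "x", "b": "y"})."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a matching rule: {rule!r}")
    conds = {}
    for part in m.group(2).split(","):
        c = COND_RE.fullmatch(part)
        if not c:
            raise ValueError(f"bad condition {part!r} in {rule!r}")
        conds[c.group(1)] = c.group(2)
    return m.group(1).lower(), conds

def rule_matches(rule, attrs):
    """All: every condition must hold for the resource; Any: at least one must."""
    mode, conds = parse_rule(rule)
    hits = [attrs.get(key) == value for key, value in conds.items()]
    return all(hits) if mode == "all" else any(hits)

def group_includes(rules, attrs):
    """'Match any rules defined below': a resource is a member if any rule matches."""
    return any(rule_matches(rule, attrs) for rule in rules)

def unresolved_placeholders(rules):
    """Return the '<...>' tokens that still have to be replaced with real OCIDs."""
    return sorted(set(re.findall(r"<[^>]+>", " ".join(rules))))

# Constructed sample: the four rules from step 1 with stand-in compartment OCIDs.
DR_OCID = "ocid1.compartment.oc1..example-drpg"
INST_OCID = "ocid1.compartment.oc1..example-instances"
MYSQL_OCID = "ocid1.compartment.oc1..example-mysql"
OKE_OCID = "ocid1.compartment.oc1..example-oke"
RULES = [
    f"All {{resource.type='drprotectiongroup', resource.compartment.id='{DR_OCID}'}}",
    f"Any {{instance.compartment.id = '{INST_OCID}'}}",
    f"All {{resource.type='computecontainerinstance', resource.compartment.id='{MYSQL_OCID}'}}",
    f"All {{resource.type='computecontainerinstance', resource.compartment.id='{OKE_OCID}'}}",
]
```

Running unresolved_placeholders over the rules as copied from this page, before substituting OCIDs, lists every <...> token still to be filled in.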

Guidelines for Policy Statements for Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery:

To enable seamless management of resources with Full Stack DR, set up IAM policies for your dynamic group. The following are examples for the different member types:

Common Resource Policies (Applicable Across Member Types)

Networking (For: Compute Instances, Autonomous DB, Load Balancers, File Systems, OKE Clusters):

Allow dynamic-group <dynamic_group_name> to use virtual-network-family in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use subnets in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use vnics in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use network-security-groups in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use private-ips in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use public-ips in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use tag-namespaces in compartment <tag_compartment_name>

Vault (For: Compute Instances, Autonomous DB, Volume Groups, File Systems, OKE Clusters):

Allow dynamic-group <dynamic_group_name> to read vaults in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to read secret-family in compartment <vault_compartment_name>

Tagging (For: All resources):

Allow dynamic-group <dynamic_group_name> to use tag-namespaces in tenancy

For Disaster Recovery Service Resources (DR Configuration & Actions):

Allow dynamic-group <dynamic_group_name> to manage disaster-recovery-family in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage objects in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to read all-resources in tenancy

Log Storage (For: OKE Clusters, MySQL DB Systems, DR Plan Execution):

Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>

Resource Member-Type Specific Policies:

  1. Compute Instances (Movable & Non-Movable):
    Allow dynamic-group <dynamic_group_name> to manage instance-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage virtual-network-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>
  2. Volume Groups (also include the Vault policies from above):
    Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>
  3. File Systems (also include the Vault policies from above):
    Allow dynamic-group <dynamic_group_name> to manage file-family in compartment <file_system_compartment_name>
  4. Object Storage Buckets:
    Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>
  5. Databases (also include the Vault policies from above):
    Allow dynamic-group <dynamic_group_name> to manage databases in compartment <database_compartment_name>
  6. Autonomous Database (also include the Vault policies from above):
    Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_database_compartment_name>
  7. Autonomous Container Database:
    Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_container_database_compartment_name>
    Allow dynamic-group <dynamic_group_name> to update cloud-autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
    Allow dynamic-group <dynamic_group_name> to update autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
    Allow dynamic-group <dynamic_group_name> to update autonomousContainerDatabaseDataguardAssociations in compartment <autonomous_container_database_compartment_name>
  8. MySQL DB Systems:
    Allow dynamic-group <dynamic_group_name> to manage mysql-family in compartment <mysql_compartment_name>
  9. Load Balancers:
    Allow dynamic-group <dynamic_group_name> to manage load-balancers in compartment <load_balancer_compartment_name>
  10. Network Load Balancers:
    Allow dynamic-group <dynamic_group_name> to manage network-load-balancers in compartment <network_load_balancer_compartment_name>
  11. OKE Clusters:
    Allow dynamic-group <dynamic_group_name> to manage cluster-family in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage cluster-virtualnode-pools in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage compute-container-family in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>
    With a Virtual Node Pool, also add:
    Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', request.principal.cluster_id = '<cluster_ocid>'}
    Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator', request.principal.cluster_id = '<cluster_ocid>'}
  12. User Defined Steps:
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage objects in compartment <object_storage_bucket_compartment_name>
  13. Functions (Step Type: FUNCTIONS):
    Allow dynamic-group <dynamic_group_name> to read fn-app in compartment <function_compartment_name>
    Allow dynamic-group <dynamic_group_name> to read fn-function in compartment <function_compartment_name>
    Allow dynamic-group <dynamic_group_name> to use fn-invocation in compartment <function_compartment_name>

Replace <dynamic_group_name> with the name of your Dynamic Group and each <..._compartment_name> placeholder with the appropriate compartment name for that resource type.
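A pre-flight check for the policy statements in this section and in step 2 above, as an added Python example that is not Oracle's code or tooling: it parses the "Allow ... to VERB RESOURCE in SCOPE [where ...]" form and flags unreplaced placeholders, tenancy-wide grants and any-user statements so they can be reviewed before the policy is created. The group name, compartment names and cluster OCID in the sample are constructed:

```python
import re

# Added example, not Oracle's code or tooling: a pre-flight check for the
# 'Allow ... to VERB RESOURCE in SCOPE [where ...]' statements used by Full
# Stack DR. Group name, compartment names and OCIDs below are constructed.
STMT_RE = re.compile(
    r"^Allow\s+(?P<subject>any-user|dynamic-group\s+\S+|group\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|update|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

def parse_statement(stmt):
    """Split one statement into subject, verb, resource, scope and condition."""
    m = STMT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unparseable statement: {stmt!r}")
    parts = m.groupdict()
    parts["subject"] = " ".join(parts["subject"].split())  # collapse inner whitespace
    parts["scope"] = " ".join(parts["scope"].split())
    return parts

def review_statements(statements):
    """Return (line_no, reason) findings worth a look before the policy is created."""
    findings = []
    for n, stmt in enumerate(statements, 1):
        p = parse_statement(stmt)
        if re.search(r"<[^>]+>", stmt):
            findings.append((n, "placeholder not replaced"))
        if p["scope"].lower() == "tenancy" and (
            p["verb"].lower() == "manage" or p["resource"].lower() == "all-resources"
        ):
            findings.append((n, f"{p['verb']} {p['resource']} is tenancy-wide"))
        if p["subject"].lower() == "any-user":
            findings.append((n, "any-user: the where clause is the only restriction"
                             if p["condition"] else "any-user with no where clause"))
    return findings

# Constructed sample: statements from the list above with names filled in, plus
# one that still carries a placeholder.
SAMPLE = [
    "Allow dynamic-group fsdr-dg to manage disaster-recovery-family in compartment dr-prod",
    "Allow dynamic-group fsdr-dg to read all-resources in tenancy",
    "Allow dynamic-group fsdr-dg to read secret-family in compartment <vault_compartment_name>",
    "Allow any-user to manage objects in compartment dr-prod where all { "
    "request.principal.type = 'workload', request.principal.namespace = 'brie', "
    "request.principal.service_account = 'brie-reader', "
    "request.principal.cluster_id = 'ocid1.cluster.oc1..example' }",
]
```

The tenancy-wide and any-user findings are prompts for review, not errors: the page itself requires read all-resources in tenancy and the conditioned any-user statements for virtual node pools.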

For more details about the policies created in the above step, refer to Policies for Other Services Managed by Full Stack Disaster Recovery.

For more details about how to add matching rules in dynamic groups created in the above step, refer to Writing Matching Rules to Define Dynamic Groups.

For more details about how to add policy statements in the policies for dynamic group created in the above step, refer to Writing Policies for Dynamic Groups.