Perform AWS Management Prerequisites to Use Amazon Resource Names (ARNs)

Using the AWS Management Console or the APIs, create an AWS user, role, policies, and trust relationship. You perform these steps before you use DBMS_CLOUD.CREATE_CREDENTIAL to create a credential with an ARN parameter on Autonomous Database.

To use an ARN to access AWS resources, your AWS administrator defines the policies and a principal that allow you to access those resources. For example, while using Autonomous Database you might want to read data from an S3 bucket, perform some operation on the data, and then write the modified data back to the S3 bucket.

Note:

Depending on your existing AWS configuration and the External ID you use, you may not need to create a new role and policy for each Autonomous Database instance. If you already have an AWS role containing the necessary policy to access a resource, for example to access S3 cloud storage, you can modify its trust relationship to include the details in Step 3. Likewise, if you already have a role with the necessary trust relationship, you can use that role for all of your databases in an OCI compartment or tenancy if you use an external ID that specifies the compartment OCID or tenancy OCID.

From the AWS Management Console or using the APIs, an AWS administrator performs the following steps:

  1. Create a policy. In the policy you specify permissions for accessing AWS resources such as S3 buckets.
  2. Create a role and attach the policy to the role.
    1. Access the AWS Management Console and choose Identity and Access Management (IAM).
    2. Click Create role.
    3. Select Another AWS account.
    4. Enter your Account ID.
      You use this as a temporary value. Later you replace this with the Account ID you use to access AWS resources.
    5. In the Options area select Require external ID and enter a temporary external ID, such as 0000. Later you replace this external ID with a valid value.
    6. Click Next Permissions to attach the Policies you created in Step 1 or other policies you want to apply to the role.
    7. Click Next Tags and apply or create tags as needed for the role.
    8. Click Next Review and add a Role Name and Role Description.
    9. Click Create Role.

    You use the role's ARN with DBMS_CLOUD.CREATE_CREDENTIAL to create credential objects with ARN parameters to access AWS resources.

    See Creating a role to delegate permissions to an IAM user for more information.

  3. Specify a Trust Relationship for the role.
    1. From the Roles list, under Role name, select the role you created.
    2. On the role's Summary page for the selected role, select the Trust relationships tab.
    3. In the trust relationship, click Edit trust relationship.
    4. Edit the trust relationship to specify the Autonomous Database AWS user ARN as the value of the Principal parameter AWS.

      This AWS user ARN is available in the CLOUD_INTEGRATIONS view. See Perform Autonomous Database Prerequisites to Use Amazon ARNs for more information.

    5. Edit the trust relationship to specify the External ID.

      On Autonomous Database, when you create an AWS ARN credential with DBMS_CLOUD.CREATE_CREDENTIAL, the external_id_type parameter defaults to database_ocid. Optionally you can set external_id_type to one of: database_ocid, compartment_ocid, or tenant_ocid.

      When you use the database OCID as the External ID, the policy's trust relationship only trusts the Autonomous Database instance specified with the OCID. If you use a compartment OCID, the policy's trust relationship trusts all the Autonomous Database instances in the compartment and you can use the same role ARN to grant access to AWS resources to any Autonomous Database in the specified compartment. Likewise, if you use the tenancy OCID, you can use the same role ARN to grant access to AWS resources to any Autonomous Database in the specified tenancy.

      Previously in Step 2 you set the trust relationship External ID to the temporary value 0000.

      On AWS you configure the trust relationship External ID value to match one of the following:

      • When external_id_type is database_ocid, on AWS you configure the role's trust relationship External ID to be the Database OCID.

        The Database OCID is available by running the following query:

        SELECT cloud_identity FROM v$pdbs;

        See Obtain Tenancy Details for more information.

      • When external_id_type is compartment_ocid, on AWS you configure the role's trust relationship External ID to be the Compartment OCID.

        The Compartment OCID is available on the Compartment details page in the Oracle Cloud Infrastructure Console. To find the Compartment details page, from the Oracle Cloud Infrastructure left navigation menu click Identity & Security and then select Compartments. Select the compartment that contains the Autonomous Database instance to see the Compartment ID.

      • When external_id_type is tenant_ocid, on AWS you configure the role's trust relationship External ID to be the Tenancy OCID.

        The Tenancy OCID is available on the Tenancy details page in the Oracle Cloud Infrastructure Console. To find the Tenancy details page, from the Oracle Cloud Infrastructure left navigation menu click Governance & Administration and then select Tenancy Details. The Tenancy Information tab shows the Tenancy OCID.

      • When you set the value for ExternalID, by default the OCID value must be in upper case. To supply the OCID in lower case, use the condition "StringEqualsIgnoreCase" instead of "StringEquals" in the JSON when you edit the trust relationship.


    See How to use trust policies with IAM roles for more information.
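As an added example that is not part of this Oracle page, the following Python builds the trust policy document that Step 3 describes (Principal AWS set to the Autonomous Database user ARN, sts:ExternalId bound to the OCID with StringEquals or StringEqualsIgnoreCase) and checks a policy for the gaps the steps warn about: a missing or wildcard principal, the temporary 0000 External ID left in place, and a lower-case OCID under StringEquals. The ARN and OCID values are constructed placeholders; take the real ones from the CLOUD_INTEGRATIONS view and the v$pdbs query above.

```python
import json

# Constructed placeholder inputs: in practice take the AWS user ARN from the
# CLOUD_INTEGRATIONS view and the OCID from SELECT cloud_identity FROM v$pdbs.
ADB_USER_ARN = "arn:aws:iam::123456789012:user/PLACEHOLDER-adb-user"  # placeholder
DATABASE_OCID = "OCID1.AUTONOMOUSDATABASE.OC1.PLACEHOLDER"             # placeholder, upper case
TEMPORARY_EXTERNAL_ID = "0000"  # the temporary value entered in Step 2

def build_trust_policy(principal_arn, external_id, ignore_case=False):
    """Trust policy: only principal_arn may assume the role, and only with this External ID."""
    operator = "StringEqualsIgnoreCase" if ignore_case else "StringEquals"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {operator: {"sts:ExternalId": external_id}},
        }],
    }

def trust_policy_findings(policy):
    """Return a list of configuration gaps in the Allow statements; empty means none found."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or principal.get("AWS") in (None, "*"):
            findings.append("Principal AWS is missing or a wildcard; set it to the "
                            "Autonomous Database AWS user ARN")
        cond = stmt.get("Condition", {})
        ext_id = None
        for op in ("StringEquals", "StringEqualsIgnoreCase"):
            ext_id = cond.get(op, {}).get("sts:ExternalId", ext_id)
        if ext_id is None:
            findings.append("no sts:ExternalId condition; the role is not bound to an OCID")
        elif ext_id == TEMPORARY_EXTERNAL_ID:
            findings.append("External ID is still the temporary value 0000")
        elif "StringEquals" in cond and ext_id != ext_id.upper():
            findings.append("lower-case OCID under StringEquals; use upper case or "
                            "StringEqualsIgnoreCase")
    return findings

if __name__ == "__main__":
    policy = build_trust_policy(ADB_USER_ARN, DATABASE_OCID)
    print(json.dumps(policy, indent=2))  # the JSON to paste into Edit trust relationship
    print("findings:", trust_policy_findings(policy))
```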

After the ARN role configuration is finished, you can use DBMS_CLOUD.CREATE_CREDENTIAL to create a credential with ARN parameters and access Amazon resources from Autonomous Database. See Create Credentials with ARN Parameters to Access AWS Resources for more information.