Create Identity and Access Management (IAM) Groups and Policies for IAM Users

Describes the steps to write policy statements for an IAM group to enable IAM user access to Oracle Cloud Infrastructure resources, specifically Autonomous AI Database instances.

A policy is a group of statements that specifies who can access particular resources, and how. Access can be granted for the entire tenancy, databases in a compartment, or individual databases. This means you write a policy statement that gives a specific group a specific type of access to a specific type of resource within a specific compartment.

Note: Defining a policy is required to use IAM tokens to access Autonomous AI Database. A policy is not required when using IAM database passwords to access Autonomous AI Database.

To enable Autonomous AI Database to allow IAM users to connect to the database using IAM tokens:

  1. Perform Oracle Cloud Infrastructure Identity and Access Management prerequisites by creating a group and adding users to the group.

    For example, create the group sales_dbusers.

    See Managing Groups for more information.

  2. Write policy statements to enable access to Oracle Cloud Infrastructure resources.

    1. In the Oracle Cloud Infrastructure console click Identity & Security.

    2. Under Identity & Security click Policies.

    3. To write a policy, click Create Policy.

    4. On the Create Policy page, enter a Name and a Description.

    5. On the Create Policy page, select Show manual editor.

    6. Use the Policy Builder to create a policy.

      For example, to create a policy that allows users in the IAM group DBUsers to access any Autonomous AI Database in their tenancy:

      Allow group DBUsers to use autonomous-database-family in tenancy

      For example, to create a policy that limits members of the DBUsers group to accessing Autonomous AI Databases in the compartment testing_compartment only:

      allow group DBUsers to use autonomous-database-family in compartment testing_compartment

      For example, to create a policy that limits the group's access to a single database in a compartment:

      allow group DBUsers to use autonomous-database-family in compartment testing_compartment
                     where target.id = 'ocid1.autonomousdatabase.oc1.iad.aaaabbbbcccc...b5678ca'

      Refer to Creating an IAM Policy to Authorize Users Authenticating with Tokens in Database Security Guide for more information on IAM policies to access the database.

    7. Click Create.

      See Managing Policies for more information on policies.
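Added example, not part of Oracle's documentation: a small Python checker that parses the three statement forms shown in step 6 (tenancy-wide, compartment-scoped, and narrowed to one database by `where target.id = ...`) and reports any grant wider than the scope a group actually needs, the least-privilege review worth doing before you click Create. The grammar handled, the `PolicyScope` class, and the `required` scope names are assumptions of this example; only the allow-group form shown above is recognised.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: only the "allow group ... to <verb> <resource-type> in ..." form
# shown in the procedure above is handled; other OCI policy forms are rejected.
_STMT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE | re.DOTALL,
)
_TARGET_ID = re.compile(r"target\.id\s*=\s*'([^']+)'", re.IGNORECASE)
# Wider scope = larger rank; used to compare a grant against what a group needs.
RANK = {"database": 0, "compartment": 1, "tenancy": 2}

@dataclass
class PolicyScope:
    group: str
    verb: str
    resource: str
    scope: str                      # "database", "compartment" or "tenancy"
    compartment: Optional[str] = None
    target_id: Optional[str] = None

def parse_statement(stmt: str) -> PolicyScope:
    """Parse one statement; a 'where target.id = ...' clause narrows it to one database."""
    m = _STMT.match(stmt)
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    scope = "tenancy" if m.group("tenancy") else "compartment"
    target_id = None
    if m.group("condition"):
        id_match = _TARGET_ID.search(m.group("condition"))
        if id_match:
            target_id, scope = id_match.group(1), "database"
    return PolicyScope(m.group("group"), m.group("verb").lower(), m.group("resource"),
                       scope, m.group("compartment"), target_id)

def overly_broad(statements: List[str], required: str) -> List[str]:
    """Return statements granting a wider scope than `required` (least-privilege review)."""
    return [s for s in statements if RANK[parse_statement(s).scope] > RANK[required]]

# The three statements from the procedure above, embedded as sample input.
EXAMPLE_STATEMENTS = [
    "Allow group DBUsers to use autonomous-database-family in tenancy",
    "allow group DBUsers to use autonomous-database-family in compartment testing_compartment",
    "allow group DBUsers to use autonomous-database-family in compartment testing_compartment "
    "where target.id = 'ocid1.autonomousdatabase.oc1.iad.aaaabbbbcccc...b5678ca'",
]
```

Run `overly_broad(EXAMPLE_STATEMENTS, "compartment")` against a draft policy to see which statements reach beyond the compartment the group is meant to use.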

Notes for creating policies for use with IAM users on Autonomous AI Database: