Required IAM Policies to Deploy the TimesTen Operator

If you are not a member of the tenancy's Administrators group, an IAM policy must grant your group the appropriate verb (inspect, read, use, or manage) on the resources that the deployment touches. These resources are in:
  • The compartment in which you want to create the stack.

  • The compartment in which the OKE cluster resides.

  • The compartment in which the VCN resides.

The minimum policies required to deploy the TimesTen Operator using the TimesTen System of Record for OKE stack are listed below. Replace <group-name>, <stack-compartment-name>, <cluster-compartment-name>, and <vcn-compartment-name> with your own group and compartment names; where the three compartments are the same, the statements collapse onto that one compartment. Scope each statement to the compartment named, not to the tenancy, except for the inspect statement, which needs tenancy scope so that the stack can list the resources it references.

  • General policies

    Allow group <group-name> to inspect all-resources in tenancy
  • Policies for using Marketplace

    Allow group <group-name> to read marketplace-workrequests in compartment <stack-compartment-name>
    Allow group <group-name> to use marketplace-listings in compartment <stack-compartment-name>
    Allow group <group-name> to manage app-catalog-listings in compartment <stack-compartment-name>
  • Policies for launching the stack

    Allow group <group-name> to manage orm-stacks in compartment <stack-compartment-name>
    Allow group <group-name> to manage orm-jobs in compartment <stack-compartment-name>
  • Policies for the resources required by the stack

    • Policies for creating the node pool

      Allow group <group-name> to manage cluster-node-pools in compartment <cluster-compartment-name>
      Allow group <group-name> to manage instance-family in compartment <cluster-compartment-name>
      Allow group <group-name> to read cluster-work-requests in compartment <cluster-compartment-name>
      Allow group <group-name> to use vnics in compartment <cluster-compartment-name>
      Allow group <group-name> to use subnets in compartment <vcn-compartment-name>

      Note:

If the Kubernetes API endpoint of the OKE cluster is in a private subnet, change use to manage in the subnets statement for the compartment in which the VCN resides, so that the stack can create the resources it needs to reach the private endpoint.

    • Policies for deploying the TimesTen Operator

      Allow group <group-name> to manage clusters in compartment <cluster-compartment-name>
    • Policies for using the Bastion service

      Note:

The following policies are only necessary if the Kubernetes API endpoint is in a private subnet. Omit them for a public endpoint; they grant manage on networking resources of the VCN compartment and on the Bastion service.

      Allow group <group-name> to manage security-lists in compartment <vcn-compartment-name>
      Allow group <group-name> to manage vcns in compartment <vcn-compartment-name>
      Allow group <group-name> to manage route-tables in compartment <vcn-compartment-name>
      Allow group <group-name> to manage dhcp-options in compartment <vcn-compartment-name>
      Allow group <group-name> to manage bastion-family in compartment <vcn-compartment-name>
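The statements above are templates with placeholders and two conditional rules (use versus manage on subnets, and the Bastion block) that are easy to get wrong when filled in by hand. The following script renders the complete statement set for a given group and set of compartments and applies both rules from a single flag, so the public and private-endpoint variants cannot drift apart. It also reports any statement scoped to the whole tenancy, which is a useful least-privilege check before the policy is created. This is an added example, not part of the TimesTen documentation or the stack; the function names are mine, and the group and compartment names in the usage are made up.

```python
"""Render the IAM policy statements for deploying the TimesTen Operator on OKE.

Added example, not code from the TimesTen documentation. The statements are
copied from the policy list above; the function names and the sample group
and compartment names are assumptions made for this example.
"""
import json


def timesten_operator_policies(group, stack_comp, cluster_comp, vcn_comp,
                               private_api_endpoint=False):
    """Return the list of policy statements for the given names.

    private_api_endpoint=True applies the two conditional rules from the
    documentation: 'use subnets' becomes 'manage subnets' in the VCN
    compartment, and the Bastion-service statements are appended.
    """
    for name in (group, stack_comp, cluster_comp, vcn_comp):
        # IAM names must be non-empty and contain no whitespace; a bad name
        # would otherwise silently produce a statement that grants nothing.
        if not name or any(ch.isspace() for ch in name):
            raise ValueError(f"invalid IAM name: {name!r}")

    subnet_verb = "manage" if private_api_endpoint else "use"
    stmts = [
        # General policies
        f"Allow group {group} to inspect all-resources in tenancy",
        # Policies for using Marketplace
        f"Allow group {group} to read marketplace-workrequests in compartment {stack_comp}",
        f"Allow group {group} to use marketplace-listings in compartment {stack_comp}",
        f"Allow group {group} to manage app-catalog-listings in compartment {stack_comp}",
        # Policies for launching the stack
        f"Allow group {group} to manage orm-stacks in compartment {stack_comp}",
        f"Allow group {group} to manage orm-jobs in compartment {stack_comp}",
        # Policies for creating the node pool
        f"Allow group {group} to manage cluster-node-pools in compartment {cluster_comp}",
        f"Allow group {group} to manage instance-family in compartment {cluster_comp}",
        f"Allow group {group} to read cluster-work-requests in compartment {cluster_comp}",
        f"Allow group {group} to use vnics in compartment {cluster_comp}",
        f"Allow group {group} to {subnet_verb} subnets in compartment {vcn_comp}",
        # Policies for deploying the TimesTen Operator
        f"Allow group {group} to manage clusters in compartment {cluster_comp}",
    ]
    if private_api_endpoint:
        # Policies for using the Bastion service (private endpoint only)
        stmts += [
            f"Allow group {group} to manage security-lists in compartment {vcn_comp}",
            f"Allow group {group} to manage vcns in compartment {vcn_comp}",
            f"Allow group {group} to manage route-tables in compartment {vcn_comp}",
            f"Allow group {group} to manage dhcp-options in compartment {vcn_comp}",
            f"Allow group {group} to manage bastion-family in compartment {vcn_comp}",
        ]
    return stmts


def tenancy_scoped(stmts):
    """Return the statements that apply to the whole tenancy.

    For this policy set only the inspect statement should appear here; any
    other tenancy-wide grant means a placeholder was filled in wrongly.
    """
    return [s for s in stmts if s.endswith(" in tenancy")]


def policies_json(stmts):
    """Serialise the statements as the JSON array accepted by
    'oci iam policy create --statements file://policies.json'."""
    return json.dumps(stmts, indent=2)


if __name__ == "__main__":
    # Sample names (made up for this example).
    stmts = timesten_operator_policies("tt-operators", "tt-stack", "tt-oke",
                                       "tt-network", private_api_endpoint=True)
    print(policies_json(stmts))
    print("tenancy-scoped:", tenancy_scoped(stmts))
```

Write the output to a file and pass it to `oci iam policy create --compartment-id <ocid> --name <name> --description <text> --statements file://policies.json`; the tenancy-scoped list should contain exactly the single inspect statement, which is the least-privileged IAM verb and exposes only resource metadata.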