Create Dynamic Groups and Policies

When you create a stack, by default the OCI Policies check box is selected and Oracle WebLogic Server for OKE creates the dynamic groups and policies.

The following policies are required when OCI Policies check box is selected:
Allow group MyGroup to manage dynamic-groups in tenancy
Allow group MyGroup to manage policies in tenancy

If you do not belong to a group that has the policies listed above, clear the OCI Policies check box and create the dynamic group and the required policies yourself.

These tasks are typically performed by a tenancy administrator, or by a user that belongs to a group that has the policies listed above:

Create a Dynamic Group

Create a dynamic group in Oracle Cloud Infrastructure whose members are the compute instances that Oracle WebLogic Server for OKE will create for a stack.

The dynamic group is necessary for the compute instances to access encryption keys in Key Management, and also to access the database wallet if you're using Oracle Autonomous Database.

During stack creation for a domain, Oracle WebLogic Server for OKE creates compute instances in a compartment you select. This compartment's OCID must be listed in a dynamic group before users who are not administrators can create resources for the stack in the specified compartment.

One or more compartments can be listed in a dynamic group.

  1. Access the Oracle Cloud Infrastructure console.
  2. From the navigation menu, select Identity & Security. Under the Identity group, click Compartments.
  3. Copy the OCID for the compartment that you plan to use for the Oracle WebLogic Server compute instances.
    If you use a separate compartment just for network resources, also copy the OCID of the network compartment.
  4. Click Dynamic Groups.
  5. Click Create Dynamic Group.
  6. Enter a Name and Description.
  7. For Rule 1, create a rule that includes all instances in the selected compartment in this group.

    ALL {instance.compartment.id = 'WLS_Compartment_OCID'}

    Provide the OCID of the compute compartment you copied in step 3. The rule matches instances, so it only needs the compartment where the compute instances are created; the OCID of a separate network compartment is used in the policies, not in the matching rule.

  8. Click Create Dynamic Group.

See Managing Dynamic Groups in the Oracle Cloud Infrastructure documentation.

Create Policies for the Dynamic Group

Create policies in Oracle Cloud Infrastructure so that the compute instances in Oracle WebLogic Server for OKE can access your encryption key.

When you create a stack, compute instances in Oracle WebLogic Server for OKE need to access Oracle Cloud Infrastructure Vault secrets. If a load balancer is enabled, access to network resources is required.

The following sample policy grants the relevant permissions to a dynamic group. Note that the first statement grants the instances full control over every resource in MyCompartment, so use a compartment dedicated to the stack rather than a shared one:

Allow dynamic-group MyInstancesPrincipalGroup to manage all-resources in compartment MyCompartment
Allow service oke to read app-catalog-listing in compartment MyCompartment
Allow dynamic-group MyInstancesPrincipalGroup to read secret-bundles in compartment VaultCompartment where target.secret.id = '<OCID for OCIR token secret>' 
Allow dynamic-group MyInstancesPrincipalGroup to use dynamic-groups in tenancy

The following sample policy grants the relevant permissions to a dynamic group, and is required if your network compartment is different from the stack compartment:

Allow dynamic-group MyInstancesPrincipalGroup to use subnets in compartment MyNetworkCompartment 
Allow dynamic-group MyInstancesPrincipalGroup to use vnics in compartment MyNetworkCompartment
Allow dynamic-group MyInstancesPrincipalGroup to inspect instance-family in compartment MyNetworkCompartment

The following sample policy grants access to the OS Management service:

Allow dynamic-group MyInstancesPrincipalGroup to use osms-managed-instances in compartment MyCompartment
Allow dynamic-group MyInstancesPrincipalGroup to read instance-family in compartment MyCompartment
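
The steps in Create a Dynamic Group and the statements in Create Policies for the Dynamic Group are easy to get wrong by hand: a tenancy or instance OCID pasted into the matching rule silently matches nothing, and the network and OS Management statements are only needed in some stacks. The following Python script is an added example for this page, not code that ships with Oracle WebLogic Server for OKE. It validates the OCIDs, builds the matching rule (the ALL form from step 7, or an Any form when several compartments are listed), assembles exactly the statements shown above for a given stack, and lists the broad grants a reviewer should look at before applying them. The group and compartment names and all OCIDs are constructed placeholders.

```python
"""
Build the dynamic-group matching rule and IAM policy statements for an
Oracle WebLogic Server for OKE stack, checking the OCIDs first.

Added example for this page; not code from Oracle WebLogic Server for OKE.
Every OCID, group name and compartment name below is a constructed placeholder.
"""
from __future__ import annotations


def check_ocid(ocid: str, expected_type: str) -> str:
    """Check the shape ocid1.<type>.<realm>.[region].[future use].<unique id>
    and that the resource type is the one the caller expects. Pasting a
    tenancy or instance OCID where a compartment OCID belongs is the usual
    reason a rule like the one in step 7 matches no instances."""
    ocid = ocid.strip()
    parts = ocid.split(".")
    if len(parts) not in (5, 6) or parts[0] != "ocid1" or not parts[-1]:
        raise ValueError(f"malformed OCID: {ocid!r}")
    if parts[1] != expected_type:
        raise ValueError(
            f"expected an OCID of type {expected_type!r}, got {parts[1]!r}: {ocid!r}"
        )
    return ocid


def matching_rule(compartment_ocids: list[str]) -> str:
    """Dynamic-group rule matching every instance in the given compartments.
    One compartment gives the ALL {...} form from step 7; several give an
    Any {...} rule with one instance.compartment.id condition per compartment."""
    ocids = [check_ocid(c, "compartment") for c in compartment_ocids]
    if not ocids:
        raise ValueError("at least one compartment OCID is required")
    conds = [f"instance.compartment.id = '{c}'" for c in ocids]
    if len(conds) == 1:
        return f"ALL {{{conds[0]}}}"
    return "Any {" + ", ".join(conds) + "}"


def policy_statements(
    group: str,
    stack_compartment: str,
    vault_compartment: str,
    ocir_secret_ocid: str,
    network_compartment: str | None = None,
    os_management: bool = False,
) -> list[str]:
    """The statements from this page, assembled for one stack. The network
    statements are emitted only when the network compartment differs from the
    stack compartment; the OS Management statements only when requested."""
    secret = check_ocid(ocir_secret_ocid, "vaultsecret")
    stmts = [
        f"Allow dynamic-group {group} to manage all-resources in compartment {stack_compartment}",
        f"Allow service oke to read app-catalog-listing in compartment {stack_compartment}",
        f"Allow dynamic-group {group} to read secret-bundles in compartment {vault_compartment} "
        f"where target.secret.id = '{secret}'",
        f"Allow dynamic-group {group} to use dynamic-groups in tenancy",
    ]
    if network_compartment and network_compartment != stack_compartment:
        stmts += [
            f"Allow dynamic-group {group} to use subnets in compartment {network_compartment}",
            f"Allow dynamic-group {group} to use vnics in compartment {network_compartment}",
            f"Allow dynamic-group {group} to inspect instance-family in compartment {network_compartment}",
        ]
    if os_management:
        stmts += [
            f"Allow dynamic-group {group} to use osms-managed-instances in compartment {stack_compartment}",
            f"Allow dynamic-group {group} to read instance-family in compartment {stack_compartment}",
        ]
    return stmts


def broad_grants(stmts: list[str]) -> list[str]:
    """Statements a reviewer should look at: tenancy-wide scope or
    'manage all-resources', which hands the instances full control of the
    compartment they run in."""
    return [s for s in stmts if " in tenancy" in s or "manage all-resources" in s]


if __name__ == "__main__":
    # Constructed placeholder OCIDs, not real resources.
    wls_compartment = "ocid1.compartment.oc1..aaaaaaaawlsexample"
    secret = "ocid1.vaultsecret.oc1.iad.amaaaaaaocirtokenexample"
    print(matching_rule([wls_compartment]))
    for s in policy_statements(
        "MyInstancesPrincipalGroup", "MyCompartment", "VaultCompartment",
        secret, network_compartment="MyNetworkCompartment", os_management=True,
    ):
        print(s)
```

Paste the printed rule into step 7 and the printed statements into the policy for the dynamic group; the compartment names in the statements must be the names as shown in the console, while the rule takes OCIDs.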

See these topics in the Oracle Cloud Infrastructure documentation: