Create Dynamic Groups and Policies
When you create a stack, the OCI Policies check box is selected by default, and Oracle WebLogic Server for OKE creates the dynamic group and policies for you. This requires that you belong to a group that has the following policies:
Allow group MyGroup to manage dynamic-groups in tenancy
Allow group MyGroup to manage policies in tenancy
If you do not belong to a group that has the policies listed above, then you need to clear the OCI Policies check box and create the dynamic group and the required policies yourself, as described below.
Create a Dynamic Group
Create a dynamic group in Oracle Cloud Infrastructure whose members are the compute instances that Oracle WebLogic Server for OKE will create for a stack.
The dynamic group is necessary for the compute instances to access encryption keys in Key Management, and also to access the database wallet if you're using Oracle Autonomous Database.
During stack creation for a domain, Oracle WebLogic Server for OKE creates compute instances in a compartment you select. The OCID of this compartment must appear in the dynamic group's matching rule before users who are not administrators can create resources for the stack in that compartment.
A matching rule can list one or more compartments, so a single dynamic group can cover instances created in several compartments.
See Managing Dynamic Groups in the Oracle Cloud Infrastructure documentation.
Create Policies for the Dynamic Group
Create policies in Oracle Cloud Infrastructure so that the compute instances in Oracle WebLogic Server for OKE can access your encryption key.
When you create a stack, compute instances in Oracle WebLogic Server for OKE need to access Oracle Cloud Infrastructure Vault secrets. If a load balancer is enabled, access to network resources is required.
The following sample policy grants the relevant permissions to a dynamic group. Note that the first statement, manage all-resources, grants every permission on every resource type in MyCompartment, so scope that compartment to the stack rather than sharing it with unrelated resources:
Allow dynamic-group MyInstancesPrincipalGroup to manage all-resources in compartment MyCompartment
Allow service oke to read app-catalog-listing in compartment MyCompartment
Allow dynamic-group MyInstancesPrincipalGroup to read secret-bundles in compartment VaultCompartment where target.secret.id = '<OCID for OCIR token secret>'
Allow dynamic-group MyInstancesPrincipalGroup to use dynamic-groups in tenancy
The following sample policy grants the additional permissions a dynamic group needs when your network compartment is different from the stack compartment:
Allow dynamic-group MyInstancesPrincipalGroup to use subnets in compartment MyNetworkCompartment
Allow dynamic-group MyInstancesPrincipalGroup to use vnics in compartment MyNetworkCompartment
Allow dynamic-group MyInstancesPrincipalGroup to inspect instance-family in compartment MyNetworkCompartment
Allow dynamic-group MyInstancesPrincipalGroup to use osms-managed-instances in compartment MyCompartment
Allow dynamic-group MyInstancesPrincipalGroup to read instance-family in compartment MyCompartment
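The two procedures above (defining which compartments the dynamic group matches, and writing the policy statements for that group) are easy to get subtly wrong by hand: a mistyped OCID silently matches nothing, and a statement that names the wrong subject or scope is accepted by OCI without complaint. The following Python script is an added example, not part of the Oracle documentation or of Oracle WebLogic Server for OKE. It builds the dynamic group matching rule in OCI's own `Any { ... }` syntax for one or more compartments, generates the statements shown above from parameters, and runs a small lint over them that flags broad grants such as manage all-resources and any statement whose subject is neither the expected dynamic group nor the oke service. The three OCIDs are constructed placeholders in the documented OCID layout and do not exist in any tenancy; the function names and the lint rules are this example's own.

```python
import re

# Constructed placeholder OCIDs (not from the page) in the documented layout
# ocid1.<resource-type>.<realm>.[<region>].<unique-id>; the region field is
# empty for compartments and present for regional resources such as secrets.
STACK_COMPARTMENT_OCID = "ocid1.compartment.oc1..aaaaaaaastack000000000000000000000000000000000000000000000"
NETWORK_COMPARTMENT_OCID = "ocid1.compartment.oc1..aaaaaaaanetwork0000000000000000000000000000000000000000000"
OCIR_SECRET_OCID = "ocid1.vaultsecret.oc1.iad.amaaaaaaocirtoken0000000000000000000000000000000000000000"

_OCID_RE = re.compile(r"^ocid1\.[a-z0-9]+\.[a-z0-9]+\.[a-z0-9-]*\.[a-z0-9]+$")

# One policy statement: "Allow <subject> to <verb> <resource> in <scope> [where <condition>]"
_STMT_RE = re.compile(
    r"^Allow (?P<subject>(?:dynamic-group|group|service) \S+|any-user) to "
    r"(?P<verb>inspect|read|use|manage) (?P<resource>\S+) in "
    r"(?P<scope>tenancy|compartment \S+)(?: where (?P<condition>.+))?$"
)


def is_ocid(value: str) -> bool:
    """Structural check only; the OCID must still exist in your tenancy."""
    return bool(_OCID_RE.match(value))


def matching_rule(compartment_ocids) -> str:
    """Matching rule that makes every instance created in the listed
    compartment(s) a member of the dynamic group (OCI Any {...} syntax)."""
    ocids = list(compartment_ocids)
    bad = [o for o in ocids if not is_ocid(o)]
    if not ocids or bad:
        raise ValueError(f"invalid compartment OCID(s): {bad or 'none given'}")
    clauses = [f"instance.compartment.id = '{o}'" for o in ocids]
    if len(clauses) == 1:
        return clauses[0]
    return "Any {" + ", ".join(clauses) + "}"


def policy_statements(group, compartment, vault_compartment, secret_ocid,
                      network_compartment=None):
    """The statements from the page, parameterized. The network block is
    emitted only when the network compartment differs from the stack one."""
    if not is_ocid(secret_ocid):
        raise ValueError(f"invalid secret OCID: {secret_ocid}")
    stmts = [
        f"Allow dynamic-group {group} to manage all-resources in compartment {compartment}",
        f"Allow service oke to read app-catalog-listing in compartment {compartment}",
        f"Allow dynamic-group {group} to read secret-bundles in compartment "
        f"{vault_compartment} where target.secret.id = '{secret_ocid}'",
        f"Allow dynamic-group {group} to use dynamic-groups in tenancy",
    ]
    if network_compartment and network_compartment != compartment:
        stmts += [
            f"Allow dynamic-group {group} to use subnets in compartment {network_compartment}",
            f"Allow dynamic-group {group} to use vnics in compartment {network_compartment}",
            f"Allow dynamic-group {group} to inspect instance-family in compartment {network_compartment}",
            f"Allow dynamic-group {group} to use osms-managed-instances in compartment {compartment}",
            f"Allow dynamic-group {group} to read instance-family in compartment {compartment}",
        ]
    return stmts


def parse_statement(stmt: str) -> dict:
    """Split a statement into subject/verb/resource/scope/condition."""
    m = _STMT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"not a well-formed policy statement: {stmt}")
    return m.groupdict()


def lint(statements, group) -> list:
    """Findings a reviewer would raise: unexpected subjects, manage grants on
    all-resources, and manage grants scoped to the whole tenancy."""
    findings = []
    for s in statements:
        p = parse_statement(s)
        if p["subject"] not in (f"dynamic-group {group}", "service oke"):
            findings.append(f"unexpected subject: {s}")
        if p["verb"] == "manage" and p["resource"] == "all-resources":
            findings.append(f"broad grant (every permission in scope): {s}")
        if p["verb"] == "manage" and p["scope"] == "tenancy":
            findings.append(f"tenancy-wide manage grant: {s}")
    return findings


if __name__ == "__main__":
    print(matching_rule([STACK_COMPARTMENT_OCID, NETWORK_COMPARTMENT_OCID]))
    stmts = policy_statements("MyInstancesPrincipalGroup", "MyCompartment",
                              "VaultCompartment", OCIR_SECRET_OCID,
                              network_compartment="MyNetworkCompartment")
    print("\n".join(stmts))
    print("\n".join(lint(stmts, "MyInstancesPrincipalGroup")))
```

The matching rule string is what you paste into the console's dynamic group rule field or pass to `oci iam dynamic-group create --matching-rule`; the statement list is what `oci iam policy create --statements` takes as a JSON array. Run the lint before creating the policy: the single expected finding on the page's own sample is the manage all-resources statement, which is why the stack compartment should not hold anything else.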
See these topics in the Oracle Cloud Infrastructure documentation: