Configure Client-Side Encryption

Configure the required Identity and Access Management (IAM) policies to use client-side encryption with Customer-managed OCI Object Storage.

Overview

If you use client-side encryption, configure the required vault, key-delegate, and key policies.

Client-side encryption requires all three policies.

Placeholder Values

Placeholder Value
<compartment_OCID>
OCI compartment containing the vault and key
<vault_OCID>
Vault OCID
<key_OCID>
Encryption key OCID

Sample Policies

Vault Policy

Allow any-user to use vaults in compartment id <compartment_OCID>
where all {
  request.principal.id = /urn_opc_resource_fusion_*/,
  request.principal.id = /*_saas-batch_APPID/,
  target.vault.id = '<vault_OCID>'
}

Key-Delegate Policy

Allow any-user to use key-delegate in compartment id <compartment_OCID>
where all {
  request.principal.id = /urn_opc_resource_fusion_*/,
  request.principal.id = /*_saas-batch_APPID/,
  target.key.id = '<key_OCID>'
}

Key Policy

Allow any-user to use keys in compartment id <compartment_OCID>
where all {
  request.principal.id = /urn_opc_resource_fusion_*/,
  request.principal.id = /*_saas-batch_APPID/,
  target.key.id = '<key_OCID>'
}

Example

Vault Policy

Allow any-user to use vaults in compartment id ocid1.compartment.oc1..aaaaaaaatc7w5ll7vftzusdcs7fl7i6cgfu4sp42qvgjsvljnuvbvx4gvwhq
where all {
  request.principal.id = /urn_opc_resource_fusion_*/,
  request.principal.id = /*_saas-batch_APPID/,
  target.vault.id = 'ocid1.vault.oc1.phx.efuxveexaacj6.abyhqljraog3yx6clnxdcvrd2unaeotijtb3psv2z52ubfgopt3q7hwaz73a'
}

Key-Delegate Policy

Allow any-user to use key-delegate in compartment id ocid1.compartment.oc1..aaaaaaaatc7w5ll7vftzusdcs7fl7i6cgfu4sp42qvgjsvljnuvbvx4gvwhq
where all {
  request.principal.id = /urn_opc_resource_fusion_*/,
  request.principal.id = /*_saas-batch_APPID/,
  target.key.id = 'ocid1.key.oc1.phx.efuxveexaacj6.abyhqljsipurnp3onwuzrpy5442jjt346uhfag6rovgyjrqku3b5i7dpbmyq'
}

Key Policy

Allow any-user to use keys in compartment id ocid1.compartment.oc1..aaaaaaaatc7w5ll7vftzusdcs7fl7i6cgfu4sp42qvgjsvljnuvbvx4gvwhq
where all {
  request.principal.id = /urn_opc_resource_fusion_*/,
  request.principal.id = /*_saas-batch_APPID/,
  target.key.id = 'ocid1.key.oc1.phx.efuxveexaacj6.abyhqljsipurnp3onwuzrpy5442jjt346uhfag6rovgyjrqku3b5i7dpbmyq'
}