Configure Client-Side Encryption
Configure the required Identity and Access Management (IAM) policies to use client-side encryption with Customer-managed OCI Object Storage.
Overview
If you use client-side encryption, configure the required vault, key-delegate, and key policies.
Client-side encryption requires all three policies.
| Placeholder | Value |
|---|---|
<compartment_OCID> |
OCI compartment containing the vault and key |
<vault_OCID> |
Vault OCID |
<key_OCID> |
Encryption key OCID |
Sample Policies
Vault Policy
Allow any-user to use vaults in compartment id <compartment_OCID>
where all {
request.principal.id = /urn_opc_resource_fusion_*/,
request.principal.id = /*_saas-batch_APPID/,
target.vault.id = '<vault_OCID>'
}
Key-Delegate Policy
Allow any-user to use key-delegate in compartment id <compartment_OCID>
where all {
request.principal.id = /urn_opc_resource_fusion_*/,
request.principal.id = /*_saas-batch_APPID/,
target.key.id = '<key_OCID>'
}
Key Policy
Allow any-user to use keys in compartment id <compartment_OCID>
where all {
request.principal.id = /urn_opc_resource_fusion_*/,
request.principal.id = /*_saas-batch_APPID/,
target.key.id = '<key_OCID>'
}
Example
Vault Policy
Allow any-user to use vaults in compartment id ocid1.compartment.oc1..aaaaaaaatc7w5ll7vftzusdcs7fl7i6cgfu4sp42qvgjsvljnuvbvx4gvwhq
where all {
request.principal.id = /urn_opc_resource_fusion_*/,
request.principal.id = /*_saas-batch_APPID/,
target.vault.id = 'ocid1.vault.oc1.phx.efuxveexaacj6.abyhqljraog3yx6clnxdcvrd2unaeotijtb3psv2z52ubfgopt3q7hwaz73a'
}
Key-Delegate Policy
Allow any-user to use key-delegate in compartment id ocid1.compartment.oc1..aaaaaaaatc7w5ll7vftzusdcs7fl7i6cgfu4sp42qvgjsvljnuvbvx4gvwhq
where all {
request.principal.id = /urn_opc_resource_fusion_*/,
request.principal.id = /*_saas-batch_APPID/,
target.key.id = 'ocid1.key.oc1.phx.efuxveexaacj6.abyhqljsipurnp3onwuzrpy5442jjt346uhfag6rovgyjrqku3b5i7dpbmyq'
}
Key Policy
Allow any-user to use keys in compartment id ocid1.compartment.oc1..aaaaaaaatc7w5ll7vftzusdcs7fl7i6cgfu4sp42qvgjsvljnuvbvx4gvwhq
where all {
request.principal.id = /urn_opc_resource_fusion_*/,
request.principal.id = /*_saas-batch_APPID/,
target.key.id = 'ocid1.key.oc1.phx.efuxveexaacj6.abyhqljsipurnp3onwuzrpy5442jjt346uhfag6rovgyjrqku3b5i7dpbmyq'
}