Configure Server-Side Encryption with Customer-Managed Keys

Configure the required Identity and Access Management (IAM) policy to allow Customer-managed OCI Object Storage to use customer-managed encryption keys.

Overview

If you use Customer-managed keys for encryption, configure the required IAM policy to allow Object Storage to access the encryption key.

This policy is required only when Customer-managed keys is selected in the Encryption field.

Placeholder Values

Placeholder Values

Placeholder Value
<region_name>
OCI region name (for example, us-phoenix-1)
<compartment_OCID>
OCI compartment containing the encryption key
<key_OCID>
Encryption key OCID

Sample Policy

Allow service objectstorage-<region_name> to use keys in compartment id <compartment_OCID>
where target.key.id = <key_OCID>

Example

Allow service objectstorage-us-phoenix-1 to use keys in compartment id ocid1.compartment.oc1..aaaaaaaatc7w5ll7vftzusdcs7fl7i6cgfu4sp42qvgjsvljnuvbvx4gvwhq
where target.key.id = 'ocid1.key.oc1.phx.efuxveexaacj6.abyhqljsipurnp3onwuzrpy5442jjt346uhfag6rovgyjrqku3b5i7dpbmyq'