OCI Cache IAM Policies
Learn about the required IAM policies and permission details for OCI Cache.
User Permissions
To create or manage a cluster, users require permissions to access to create and manage the required Networking resources in addition to permissions to create and manage OCI Cache resources. The following policy example grants these permissions to the ClusterAdmins group:
Allow group ClusterAdmins to manage redis-family in compartment <YOUR_COMPARTMENT>
Allow group ClusterAdmins to manage virtual-network-family in compartment <YOUR_COMPARTMENT>You can configure these permissions with more granularity, see Sample Policies.
Resource Types
OCI Cache offers both aggregate and individual resource-types for writing policies.
- Aggregate resource type:
redis-family - Individual resource types:
redis-clusters redis-work-requests
You can use the aggregate resource type to write fewer policies. A policy that uses
redis-family is the same as a policy that uses separate statements for
each of the individual resource types.
Permissions Required for Each API Operation
The following table lists the API operations for OCI Cache in a logical order, grouped by resource-type.
| API Operation | Permissions Required to Use the Operation |
|---|---|
ListRedisClusters
|
REDIS_CLUSTER_INSPECT |
GetRedisCluster
|
REDIS_CLUSTER_READ |
CreateRedisCluster |
REDIS_CLUSTER_MANAGE |
ListAttachedOciCacheUsers
|
REDIS_CLUSTER_USE |
UpdateRedisCluster
|
REDIS_CLUSTER_USE |
ChangeRedisClusterCompartment
|
REDIS_CLUSTER_USE |
DeleteRedisCluster |
REDIS_CLUSTER_MANAGE |
ListOciCacheUsers
|
OCI_CACHE_USER_INSPECT |
GetOciCacheUser |
OCI_CACHE_USER_READ |
CreateOciCacheUser
|
OCI_CACHE_USER_MANAGE |
UpdateOciCacheUser
|
OCI_CACHE_USER_USE |
ChangeOciCacheUserCompartment
|
OCI_CACHE_USER_USE |
DeleteOciCacheUser |
OCI_CACHE_USER_MANAGE |
AttachOciCacheUsers
|
REDIS_CLUSTER_USE, OCI_CACHE_USER_USE |
DetachOciCacheUsers
|
REDIS_CLUSTER_USE, OCI_CACHE_USER_USE |
Generate Token for OCI Cache User
|
REDIS_CLUSTER_USE, OCI_CACHE_USER_USE |
ListWorkRequests
|
REDIS_WORK_REQUEST_INSPECT |
ListWorkRequestErrors
|
REDIS_WORK_REQUEST_READ |
ListWorkRequestLogs
|
REDIS_WORK_REQUEST_READ |
GetWorkRequest
|
REDIS_WORK_REQUEST_READ |
DeleteWorkRequest |
REDIS_WORK_REQUEST_MANAGE |
Sample Policies
The following policies let the group ClusterAdmins use and manage OCI Cache resources.
- Allows use-only access to VCNs, compartments, and subnets only.
-
Allow group ClusterAdmins to use compartments in tenancy -
Allow group ClusterAdmins to use vcns in compartment <USER_NETWORK_COMPARTMENT_NAME> -
Allow group ClusterAdmins to use subnet in compartment <USER_NETWORK_COMPARTMENT_NAME> -
Allow group ClusterAdmins to use network-security-groups in compartment <USER_NETWORK_COMPARTMENT_NAME> -
Allow group ClusterAdmins to use vcns in compartment <USER_ENGINEERING_COMPARTMENT_NAME>
Note
The VCNs are located in the Network compartment, while clusters are in the Engineering compartment. -
- Allows use-only access to VNICs in the Engineering compartment. For example:
Allow group ClusterAdmins to use VNICs in compartment <USER_ENGINEERING_COMPARTMENT_NAME> - Allows manage permission to create or update private endpoints. For example:
-
Allow group ClusterAdmins to manage redis-family in compartment <USER_ENGINEERING_COMPARTMENT_NAME> -
Allow group ClusterAdmins to manage redis-work-requests in compartment <USER_ENGINEERING_COMPARTMENT_NAME> -
Allow group ClusterAdmins to manage vcns in compartment <USER_NETWORK_COMPARTMENT_NAME> where ALL{ ANY { request.operation = 'CreatePrivateEndpoint', request.operation = 'UpdatePrivateEndpoint', request.operation ='DeletePrivateEndpoint', request.operation = 'EnableReverseConnection', request.operation = 'ModifyReverseConnection', request.operation = 'DisableReverseConnection' } , ANY {request.operation = 'CreateRedisCluster', request.operation = 'DeleteRedisCluster' , request.operation = 'UpdateRedisCluster' } }
-
- (Optional) Allows traffic on Redis ports. For example:
Allow group ClusterAdmins to manage security-lists in compartment <USER_NETWORK_COMPARTMENT_NAME> where ANY { request.operation = 'CreateRedisCluster', request.operation = 'DeleteRedisCluster' , request.operation = 'UpdateRedisCluster' }Note
If the policy isn't provided, you must add security rules and allow TCP traffic for ports, 6379.
The following policy lets the group ClusterUsers use clusters, but restrict other access:
Allow group ClusterUsers to use redis-clusters in compartment <USER_COMPARTMENT>The following policy lets the group CacheUsers use OCI Cache users:
Allow group CacheUsers to use oci-cache-users in compartment <USER_COMPARTMENT>The following policy allows manage permission to attach and detach private endpoints:
Allow group ClusterAdmins to manage vcns in compartment <USER_NETWORK_COMPARTMENT_NAME> where ALL{ ANY
{ request.operation = 'CreatePrivateEndpoint', request.operation = 'UpdatePrivateEndpoint', request.operation ='DeletePrivateEndpoint', request.operation = 'EnableReverseConnection', request.operation = 'ModifyReverseConnection', request.operation = 'DisableReverseConnection' }
, ANY {request.operation = 'CreateRedisCluster', request.operation = 'DeleteRedisCluster' , request.operation = 'UpdateRedisCluster', request.operation = 'AttachOciCacheUsers', request.operation = 'DetachOciCacheUsers' } }The following policy allows traffic on Redis ports for attach and detach:
Allow group ClusterAdmins to manage security-lists in compartment <USER_NETWORK_COMPARTMENT_NAME> where ANY
{ request.operation = 'CreateRedisCluster', request.operation = 'DeleteRedisCluster' , request.operation = 'UpdateRedisCluster', request.operation = 'AttachOciCacheUsers', request.operation = 'DetachOciCacheUsers'}If you're new to policies, see Getting Started with Policies and Common Policies.