Resource Principals
Oracle recommends using resource principal-based authentication with Full Stack Disaster Recovery in order to use its additional features. A resource principal is used to authenticate to, and access, other Oracle Cloud Infrastructure resources. To use a resource principal, a user or tenancy administrator must define the Oracle Cloud Infrastructure policies and dynamic group that allow the principal to access Oracle Cloud Infrastructure resources.
1. Create a dynamic group as follows.
The dynamic group has the three rules shown below; a resource becomes a member when any one of the three rules matches.
Any {instance.compartment.id = '<compartment_ocid>'}
All {resource.type='computecontainerinstance'}
All {resource.type='drprotectiongroup', resource.compartment.id='<compartment_ocid>'}
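The following Python is an added example and is not part of the Oracle page. It parses the three matching rules above and evaluates them against constructed sample resources, so you can see which rule admits a given resource before the group is used to grant anything. The OCIDs are placeholders, the resource dictionaries use the attribute names the rules themselves reference, and the scoped variant of the second rule is an assumption included only for comparison: as written on the page, that rule carries no compartment condition, so every container instance it is evaluated against matches it.

```python
import re

# Constructed placeholder OCIDs: substitute the real compartment OCID when applying the rules.
COMPARTMENT_OCID = "ocid1.compartment.oc1..placeholder_fsdr"
OTHER_COMPARTMENT_OCID = "ocid1.compartment.oc1..placeholder_other"

# The three matching rules from the page, with the placeholder substituted.
DYNAMIC_GROUP_RULES = [
    f"Any {{instance.compartment.id = '{COMPARTMENT_OCID}'}}",
    "All {resource.type='computecontainerinstance'}",
    f"All {{resource.type='drprotectiongroup', resource.compartment.id='{COMPARTMENT_OCID}'}}",
]

RULE_RE = re.compile(r"^\s*(any|all)\s*\{(.*)\}\s*$", re.IGNORECASE | re.DOTALL)
CONDITION_RE = re.compile(r"^\s*([\w.]+)\s*=\s*'([^']*)'\s*$")


def parse_rule(rule):
    """Split "Any {k = 'v', ...}" / "All {...}" into (mode, [(key, value), ...])."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a dynamic-group matching rule: {rule!r}")
    conditions = []
    # Values are OCIDs or resource types, so a comma only ever separates conditions.
    for cond in m.group(2).split(","):
        cm = CONDITION_RE.match(cond)
        if not cm:
            raise ValueError(f"unsupported condition: {cond.strip()!r}")
        conditions.append((cm.group(1).lower(), cm.group(2)))
    return m.group(1).lower(), conditions


def rule_matches(rule, resource):
    """Evaluate one rule against a resource given as {attribute: value}."""
    mode, conditions = parse_rule(rule)
    hits = [resource.get(key) == value for key, value in conditions]
    return any(hits) if mode == "any" else all(hits)


def matching_rules(resource, rules=DYNAMIC_GROUP_RULES):
    """Indices of the rules that match; the resource is a member if the list is non-empty."""
    return [i for i, rule in enumerate(rules) if rule_matches(rule, resource)]


# Constructed sample resources, described with the attribute names the rules use.
INSTANCE_IN_SCOPE = {"resource.type": "instance",
                     "instance.compartment.id": COMPARTMENT_OCID}
CONTAINER_ELSEWHERE = {"resource.type": "computecontainerinstance",
                       "resource.compartment.id": OTHER_COMPARTMENT_OCID}
DRPG_IN_SCOPE = {"resource.type": "drprotectiongroup",
                 "resource.compartment.id": COMPARTMENT_OCID}
DRPG_ELSEWHERE = {"resource.type": "drprotectiongroup",
                  "resource.compartment.id": OTHER_COMPARTMENT_OCID}

# Assumed tighter variant of the second rule (not from the page): same type, plus a compartment condition.
SCOPED_CONTAINER_RULE = (
    f"All {{resource.type='computecontainerinstance', resource.compartment.id='{COMPARTMENT_OCID}'}}"
)

if __name__ == "__main__":
    samples = [("instance in scope", INSTANCE_IN_SCOPE),
               ("container instance in another compartment", CONTAINER_ELSEWHERE),
               ("DR protection group in scope", DRPG_IN_SCOPE),
               ("DR protection group in another compartment", DRPG_ELSEWHERE)]
    for name, res in samples:
        print(f"{name}: matched rules {matching_rules(res)}")
    print("scoped container rule vs container instance in another compartment:",
          rule_matches(SCOPED_CONTAINER_RULE, CONTAINER_ELSEWHERE))
```

Run it to see that the container instance in the other compartment is admitted by rule 2 only because that rule has no compartment condition; the assumed scoped variant rejects it while still admitting container instances in the intended compartment.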
2. Create policies for the dynamic group as follows.
For Member Type: COMPUTE_INSTANCE_MOVABLE
Allow dynamic-group <Dynamic_group_Name> to manage instance-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage volume-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read virtual-network-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use subnets in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use vnics in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use network-security-groups in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use private-ips in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use tag-namespaces in compartment <compartment_name>
For Member Type: COMPUTE_INSTANCE_NON_MOVABLE
Allow dynamic-group <Dynamic_group_Name> to use instance-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage volume-family in compartment <compartment_name>
For Member Type: VOLUME_GROUP
Allow dynamic-group <Dynamic_group_Name> to manage volume-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read secret-family in compartment <compartment_name>
For Member Type: DATABASE
Allow dynamic-group <Dynamic_group_Name> to manage databases in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read secret-family in compartment <compartment_name>
For Member Type: AUTONOMOUS_DATABASE
Allow dynamic-group <Dynamic_group_Name> to manage autonomous-database-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read secret-family in compartment <compartment_name>
For Member Type: AUTONOMOUS_CONTAINER_DATABASE
Allow dynamic-group <Dynamic_group_Name> to manage autonomous-database-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to update cloud-autonomous-vmclusters in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to update autonomous-vmclusters in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to update autonomousContainerDatabaseDataguardAssociations in compartment <compartment_name>
For Member Type: OBJECT_STORAGE_BUCKET
Allow dynamic-group <Dynamic_group_Name> to manage object-family in compartment <compartment_name>
For Member Type: LOAD_BALANCER
Allow dynamic-group <Dynamic_group_Name> to manage load-balancers in compartment <compartment_name>
For Member Type: NETWORK_LOAD_BALANCER
Allow dynamic-group <Dynamic_group_Name> to manage network-load-balancers in compartment <compartment_name>
For Member Type: FILE_SYSTEM
Allow dynamic-group <Dynamic_group_Name> to manage file-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read secret-family in compartment <compartment_name>
For Member Type: OKE_CLUSTER
Allow dynamic-group <Dynamic_group_Name> to manage compute-container-family in compartment <cluster_compartment>
Allow dynamic-group <Dynamic_group_Name> to manage object-family in compartment <compartment>
Allow dynamic-group <Dynamic_group_Name> to manage cluster-family in compartment <>
Allow dynamic-group <Dynamic_group_Name> to manage cluster-virtualnode-pools in compartment <>
Virtual Node Pool
Allow any-user to manage objects in tenancy where all { request.principal.type = 'workload',
request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader',
request.principal.cluster_id = '<Cluster_OCID>'}
Allow any-user to manage objects in tenancy where all { request.principal.type = 'workload',
request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator',
request.principal.cluster_id = '<Cluster_OCID>'}
For Member Type: MYSQL_DB_SYSTEM
Allow dynamic-group <Dynamic_group_Name> to manage mysql-family in compartment <>
For Step Type: FUNCTIONS
Allow dynamic-group <Dynamic_group_Name> to read fn-app in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read fn-function in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use fn-invocation in compartment <compartment_name>
For Step Type: USER_DEFINED_STEPS
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage objects in compartment <compartment_name>
For DrPlanExecution
Allow dynamic-group <Dynamic_group_Name> to manage objects in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read all-resources in tenancy
For Networking
Allow dynamic-group <Dynamic_group_Name> to read virtual-network-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use subnets in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use vnics in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use network-security-groups in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use private-ips in compartment <compartment_name>
For Tagging
Allow dynamic-group <Dynamic_group_Name> to use tag-namespaces in tenancy <tenancy_name>
For Log Location
Allow dynamic-group <Dynamic_group_Name> to manage buckets in compartment <compartment_name>
Allow group <group_name> to manage objects in compartment <compartment_name>
For Vault
Allow dynamic-group <Dynamic_group_Name> to read vaults in compartment <compartment_name>
Allow group <group_name> to read secret-family in compartment <compartment_name>
For Compartments
Allow dynamic-group <Dynamic_group_Name> to read all-resources in compartment <compartment_name or compartment_ocid>
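Before applying a long list of statements like the one above, it is worth checking each one mechanically. The following Python is an added example, not code from the Oracle page: a small linter that checks each statement against the "Allow <subject> to <verb> <resource-type> in <scope>" form, the four OCI policy verbs (inspect, read, use, manage), unresolved angle-bracket placeholders, and tenancy-wide or any-user grants that carry no where clause. The sample statements are constructed for the example; some are copied from this page with their placeholders still in place, and the names fsdr-dg and fsdr-logs are assumptions.

```python
import re

# The four verbs an OCI policy statement accepts.
VERBS = {"inspect", "read", "use", "manage"}

STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|(?:group|dynamic-group|service)\s+\S+)"
    r"\s+(?P<to>to\s+)?(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+(?:<[^>]*>|\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
PLACEHOLDER_RE = re.compile(r"<[^>]*>")


def lint_statement(statement):
    """Return the findings for one statement; an empty list means it looks ready to apply."""
    findings = []
    text = statement
    # A misspelled scope keyword would be rejected outright, so report it and normalize for the rest.
    if re.search(r"\bcomparment\b", text, re.IGNORECASE):
        findings.append("typo: 'comparment' should be 'compartment'")
        text = re.sub(r"\bcomparment\b", "compartment", text, flags=re.IGNORECASE)
    m = STATEMENT_RE.match(text)
    if not m:
        findings.append("does not match 'Allow <subject> to <verb> <resource-type> in <scope>'")
        return findings
    if not m.group("to"):
        findings.append("missing 'to' before the verb")
    verb = m.group("verb").lower()
    if verb not in VERBS:
        findings.append(f"unrecognized verb '{verb}'; expected one of {sorted(VERBS)}")
    if PLACEHOLDER_RE.search(text):
        findings.append("unresolved placeholder; substitute the real name or OCID before applying")
    if m.group("scope").lower() == "tenancy" and not m.group("condition"):
        findings.append(f"warning: tenancy-wide grant '{verb} {m.group('resource')}'; "
                        "scope it to a compartment where possible")
    if m.group("subject").lower() == "any-user" and not m.group("condition"):
        findings.append("warning: 'any-user' without a where clause matches every principal")
    return findings


def lint_policy(statements):
    """Map each statement that has findings to its list of findings."""
    report = {}
    for statement in statements:
        findings = lint_statement(statement)
        if findings:
            report[statement] = findings
    return report


# Constructed sample input: page statements with placeholders, plus two resolved ones.
SAMPLE_STATEMENTS = [
    "Allow dynamic-group <Dynamic_group_Name> to manage volume-family in compartment <compartment_name>",
    "Allow dynamic-group <Dynamic_group_Name> read vaults in compartment <compartment_name>",
    "Allow dynamic-group <Dynamic_group_Name> to manage mysql-family in comparment <>",
    "Allow dynamic-group fsdr-dg to read all-resources in tenancy",
    "Allow any-user to manage objects in tenancy where all { request.principal.type = 'workload', "
    "request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', "
    "request.principal.cluster_id = '<Cluster_OCID>'}",
    "Allow dynamic-group fsdr-dg to manage objects in compartment fsdr-logs",
]

if __name__ == "__main__":
    for statement, findings in lint_policy(SAMPLE_STATEMENTS).items():
        print(statement)
        for finding in findings:
            print("  -", finding)
```

The tenancy-wide check is deliberately a warning rather than an error: the page itself requires "read all-resources in tenancy" for DR plan execution, so the linter surfaces such grants for review instead of rejecting them.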
For details about the policies created in the preceding steps, see "Policies for Other Services Managed by Full Stack Disaster Recovery".
Parent topic: Policies