Políticas do Compute Service e do Oracle Cloud Agent

For Member Type: COMPUTE_INSTANCE_MOVABLE
Allow dynamic-group <Dynamic_group_Name> to manage instance-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage volume-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read virtual-network-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use subnets in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use vnics in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use network-security-groups in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to use private-ips in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> use tag-namespaces in compartment <compartment_name>

For Member Type: COMPUTE_INSTANCE_NON_MOVABLE
Allow dynamic-group <Dynamic_group_Name> to use instance-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage volume-family in compartment <compartment_name>

For Step Type: USER_DEFINED_STEPS
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to manage objects in compartment <compartment_name>

For DrPlanExecution
Allow dynamic-group <Dynamic_group_Name> to manage objects in compartment <compartment_name>
Allow dynamic-group <Dynamic_group_Name> to read all-resources in tenancy

1. Crie um novo grupo dinâmico e adicione a instância de computação a esse novo grupo dinâmico ou adicione a instância de computação a um grupo dinâmico existente. Você também pode adicionar o compartimento que contém a instância ao grupo dinâmico. Um grupo dinâmico permite agrupar instâncias com base em regras, que podem ser designadas a políticas. Consulte Criando Grupos Dinâmicos e Gerenciando Grupos Dinâmicos.

   Any {instance.compartment.id = 'ocid1.compartment.oc1..comp1', instance.compartment.id = 'ocid1.compartment.oc1..comp2'}

2. Crie políticas do serviço IAM associadas a este grupo dinâmico. Esta política do serviço IAM define quais ações o grupo dinâmico (e, portanto, as instâncias) podem executar. Consulte Criando Políticas para Grupos Dinâmicos

   Allow dynamic-group <identity_domain_name>/<Dynamic_group_Name> to use instance-agent-command-execution-family in compartment <compute_compartment> 
   Allow dynamic-group <identity_domain_name>/<Dynamic_group_Name> to use instance-agent-command-family in compartment <compute_compartment> 
   Allow dynamic-group <identity_domain_name>/<Dynamic_group_Name> to manage objects in compartment <compute_compartment>
   

3. Configure privilégios de administrador na instância para que o comando de execução possa executar comandos como o usuário root no Linux ou o usuário administrator no Windows.

   Consulte Executando Comandos com Privilégios de Administrador.