Calling Services from an Instance
This topic describes how you can authorize Compute instances to call services in Oracle Cloud Infrastructure.
Introduction
This procedure describes how you can authorize a Compute instance to make API calls in Oracle Cloud Infrastructure services. After you set up the required resources and policies, an application running on an instance can call Oracle Cloud Infrastructure public services, removing the need to configure user credentials or a configuration file.
Concepts
- DYNAMIC GROUP
- Dynamic groups allow you to group Oracle Cloud Infrastructure Compute instances as principal actors, similar to user groups. You can then create policies to permit instances in these groups to make API calls against Oracle Cloud Infrastructure services. Membership in the group is determined by a set of criteria you define, called matching rules.
- MATCHING RULE
- When you set up a dynamic group, you also define the rules for membership in the group. Resources that match the rule criteria are members of the dynamic group. Matching rules have a specific syntax you follow. See Writing Matching Rules to Define Dynamic Groups.
- INSTANCE PRINCIPALS
- The IAM service feature that enables Compute instances to be authorized actors (or principals) to perform actions on service resources. Each Compute instance has its own identity, and it authenticates using the certificates that are added to it. These certificates are automatically created, assigned to instances and rotated, preventing the need for you to distribute credentials to your hosts and rotate them.
Security Considerations
Any user who has access to the Compute instance (who can SSH to the instance), automatically inherits the privileges granted to the instance. Before you grant permissions to an instance using the process described in this topic, ensure that you know who can access it (either because they have the SSH key or you added them as users to the instance), and that they should be authorized with the permissions you are granting to the instance.
All Compute instance principals are granted the
compartment_inspect
permission. You cannot revoke this permission.
This permission allows the instance to ListCompartments in the tenancy to retrieve the
following information:
- Compartment names
- Compartment descriptions
- Free-form tags applied to compartments
- Automatic tag defaults applied to compartments. These tags, such as CreatedBy and CreatedOn, are in the Oracle-Tag namespace and are automatically added by Oracle.