Oracle Cloud Infrastructure Documentation

IAM Policies - AWS

Create IAM policies required for migration.

Overview

AWS uses IAM policies to control access to AWS resources and APIs.

To migrate AWS assets to OCI, you must create AWS IAM policies. These policies grant necessary permissions required for migration. A dedicated AWS IAM user can first be created in your AWS account. The user is then added into an IAM user group having all AWS IAM policies assigned. Using Amazon IAM user group, permissions can be permanently assigned to a group of AWS IAM users.

AWS IAM policies are of two types, resource-based and identity-based. To allow access, an identity-based policy must allow certain permissions and resource-based policies must not disallow actions necessary for migration. When an IAM user has a role permitting action, but a resource has some policy which disallows the action explicitly, then AWS access manager prohibits the access. For more information on AWS IAM policies, see Policies and permissions in IAM.

AWS IAM roles temporarily grant access of your AWS account to Oracle Cloud Migration applications. If AWS IAM role option is chosen, then there is a need to manually update credentials after every 12 hours to prevent expiration. Every credential expiration blocks the migration. Although, the temporary credential update during migration is possible by editing the corresponding fields of an asset source in the OCI console.

Note

We recommend that you use long-term credentials with rotation.

A role assigned to an IAM user must have a policy that grants necessary permissions. In case of issues with particular EC2 instances or EBS volumes, there is need to ensure that there are no policies that explicitly prohibit access to the AWS resources in migration.

Supported Variables

Use variables when adding conditions to a policy.

The Migration service supports the following variables types:

  • Entity: Oracle Cloud Identifier (OCID)
  • String: Free-form text.
  • List: List of Entity, or String

See General Variables for All Requests.

Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name, target.display-name. Here name must be unique, and display-name is the description.

Required variables are supplied by the Migration service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).

Required Variables Type Description
target.compartment.id Entity (OCID) The OCID of the primary resource for the request.
request.operation String The operation ID (for example, GetUser) for the request.
target.resource.kind String The resource kind name of the primary resource for the request.
Automatic Variables Type Description
request.user.id Entity (OCID) The OCID of the requesting user.
request.groups.id List of entities (OCIDs) The OCIDs of the groups the requesting user is in.
target.compartment.name String The name of the compartment specified in target.compartment.id.
target.tenant.id Entity (OCID) The OCID of the target tenant ID.
Dynamic Variables Type Description
request.principal.group.tag.<tagNS>.<tagKey> String The value of each tag on a group of which the principal is a member.
request.principal.compartment.tag.<tagNS>.<tagKey> String The value of each tag on the compartment that contains the principal.
target.resource.tag.<tagNS>.<tagKey> String The value of each tag on the target resource. The variable is computed based on tagSlug supplied by service on each request.
target.resource.compartment.tag.<tagNS>.<tagKey> String The value of each tag on the compartment that contains the target resource. The variable is computed based on tagSlug supplied by service on each request.

Creating a Policy

Review the steps required to create a policy.

Here's how you create a policy in the Oracle Cloud Console:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
  4. Under Policy Builder, click the Show manual editor switch to enable the editor.

    Enter a policy rule in the following format: 

    allow <resource_type> to <verb> in <compartment or tenancy details>
  5. Click Create.

For more information about creating policies, see How Policies Work and Policy Reference.

For users to access the Oracle Cloud Migrations resources, see user policies. For using the Oracle Cloud Migrations service, see service policies.