Oracle Cloud Migrations Service Policies

Oracle Cloud Migrations service policies are required for using the migration service.

A policy syntax is as follows:

allow <subject> to <verb> <resource-type> in <location> where <conditions>

For complete details, see Policy Syntax. For more information on creating policies, see How Policies Work, Policy Reference, and the policy details for Object Storage.

See the instructions for creating policies using the Console.

Policy Builder

Oracle Cloud Migrations supports Policy Builder. The policy builder in the Cloud Console helps you quickly create common policies without the need to manually type the policy statements. To create policies using policy builder, see Writing Policy Statements with the Policy Builder.

In the Policy Builder, select the policy use cases for Oracle Cloud Migrations. The following predefined policy templates are available for creating the service policies:

Migration Policies

Dynamic groups and IAM policies for the migration service.

  • Create a dynamic group for the migration service. You can name the dynamic group, for example, MigrationDynamicGroup; replace <migration_compartment_ocid> in the matching rule with the OCID of your migration compartment:
    ALL {resource.type = 'ocmmigration', resource.compartment.id = '<migration_compartment_ocid>'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create all of the following IAM policies to allow the Migration service to read or manage your OCI resources in specific compartments or in your tenancy:
    Allow dynamic-group MigrationDynamicGroup to manage instance-family in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to manage compute-image-capability-schema in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to manage virtual-network-family in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to manage volume-family in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to manage object-family in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to read ocb-inventory in tenancy
    Allow dynamic-group MigrationDynamicGroup to read ocb-inventory-asset in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to {OCB_CONNECTOR_READ, OCB_CONNECTOR_DATA_READ, OCB_ASSET_SOURCE_READ, OCB_ASSET_SOURCE_CONNECTOR_DATA_UPDATE} in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to {INSTANCE_IMAGE_INSPECT, INSTANCE_IMAGE_READ} in tenancy
    Allow dynamic-group MigrationDynamicGroup to {INSTANCE_INSPECT} in tenancy where any {request.operation='ListShapes'}
    Allow dynamic-group MigrationDynamicGroup to {DEDICATED_VM_HOST_READ} in tenancy where any {request.operation='GetDedicatedVmHost'}
    Allow dynamic-group MigrationDynamicGroup to {CAPACITY_RESERVATION_READ} in tenancy where any {request.operation='GetComputeCapacityReservation'}
    Allow dynamic-group MigrationDynamicGroup to {ORGANIZATIONS_SUBSCRIPTION_INSPECT} in tenancy where any {request.operation='ListSubscriptions'}
    Allow dynamic-group MigrationDynamicGroup to read rate-cards in tenancy
    Allow dynamic-group MigrationDynamicGroup to read metrics in tenancy where target.metrics.namespace='ocb_asset'
    Allow dynamic-group MigrationDynamicGroup to read tag-namespaces in tenancy
    Allow dynamic-group MigrationDynamicGroup to use tag-namespaces in tenancy where target.tag-namespace.name='CloudMigrations'

Discovery Policies

Dynamic groups and IAM policies for the discovery service.

  • Create all of the following IAM policies to allow the discovery service to read or manage resources in specific compartments or in your tenancy:
    Allow service ocb-discovery to inspect compartments in compartment <migration_compartment_name>
    Allow service ocb-discovery to read ocb-environments in compartment <migration_compartment_name>
    Allow service ocb-discovery to read ocb-inventory in tenancy
    Allow service ocb-discovery to manage ocb-inventory-asset in compartment <migration_compartment_name>
    Allow service ocb-discovery to {TENANCY_INSPECT} in tenancy

Creating a Dynamic Group

  • Create a dynamic group for the discovery service. You can name the dynamic group, for example, DiscoveryDynamicGroup (the name used in the policies below), with the following matching rule:
    ALL { resource.type = 'ocbassetsource' }

  • Create all of the following IAM policies to allow the migration service to read or manage your OCI resources in specific compartments or in your tenancy:
    Allow dynamic-group DiscoveryDynamicGroup to read secret-family in compartment <migrationsecret_compartment_name>
    Allow dynamic-group DiscoveryDynamicGroup to use metrics in compartment <migration_compartment_name> where target.metrics.namespace='ocb_asset'

For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

Hydration Agent Policies

Dynamic groups and IAM policies for the hydration agent.

  • Create a dynamic group for the hydration agent. You can name the dynamic group, for example, HydrationAgentDynamicGroup; replace <migration_compartment_ocid> in the matching rule with the OCID of your migration compartment:
    ALL {instance.compartment.id = '<migration_compartment_ocid>'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create the following IAM policies in specific compartments or in your tenancy to provide permissions to the hydration agent to pull snapshots from OCI Object Storage and call the migration service hydration APIs:
    Define tenancy OCM-SERVICE AS <ocm_service_tenancy_ocid_for_realm>
    Endorse dynamic-group HydrationAgentDynamicGroup to { OBJECT_CREATE } in tenancy OCM-SERVICE where all { target.bucket.name = 'tenancy_ocid' }
    Allow dynamic-group HydrationAgentDynamicGroup to {OCM_HYDRATION_AGENT_TASK_INSPECT, OCM_HYDRATION_AGENT_TASK_UPDATE, OCM_HYDRATION_AGENT_REPORT_STATUS} in compartment <migration_compartment_name>
    Allow dynamic-group HydrationAgentDynamicGroup to manage objects in compartment <migration_compartment_name>
    Allow dynamic-group HydrationAgentDynamicGroup to read secret-family in compartment <migrationsecret_compartment_name>
Note

The value of <ocm_service_tenancy_ocid_for_realm> for the OC1 realm is ocid1.tenancy.oc1..aaaaaaaartv6j5muce2s4djz7rvfn2vwceq3cnue33d72isntnlfmi7huv7q. If your tenancy is located in a realm other than OC1, contact Oracle Support for the correct service tenancy OCID.
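Before pasting statements like the migration, discovery and hydration-agent lists above into a tenancy, it helps to check that each line actually follows the policy grammar quoted at the top of the page and that nothing is broader than intended. The following Python parser and linter is an added example, not Oracle code and not part of this page: it implements the `allow <subject> to <verb> <resource-type> in <location> where <conditions>` grammar, the `{PERMISSION, ...}` permission-set form, and the `Define`/`Endorse` statements used for the hydration agent. The sample policy text, the placeholder values and the lint rules (rejecting a statement without `to`, flagging `manage` at tenancy scope, an `Endorse` without a `where` clause, an undefined tenancy alias, or an unreplaced `<placeholder>`) are this example's own constructions and assumptions.

```python
"""Parser and linter for OCI IAM policy statements (added example, not Oracle code).

Implements the grammar quoted on the page:
  allow <subject> to <verb> <resource-type> in <location> where <conditions>
plus the permission-set form ({PERM_A, PERM_B}) and Define/Endorse statements.
The lint rules below are this example's assumptions, not Oracle guidance.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STATEMENT_RE = re.compile(
    r"^(?P<action>allow|endorse)\s+"
    r"(?P<subject>(?:dynamic-group|group|service)\s+\S+)\s+"
    r"to\s+"                                   # the 'to' keyword is mandatory
    r"(?:(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)"
    r"|\{\s*(?P<perms>[^}]*?)\s*\})\s+"        # or an explicit permission set
    r"in\s+(?P<location>tenancy(?:\s+(?!where\b)\S+)?|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
DEFINE_RE = re.compile(r"^define\s+tenancy\s+(?P<alias>\S+)\s+as\s+(?P<ocid>\S+)\s*$", re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"<[^<>]+>")   # unreplaced <...> placeholders from the docs


@dataclass
class Statement:
    text: str
    action: str                      # allow | endorse
    subject: str                     # e.g. "dynamic-group MigrationDynamicGroup"
    location: str                    # "tenancy", "tenancy OCM-SERVICE" or "compartment <name>"
    verb: Optional[str] = None       # inspect | read | use | manage (None for permission-set form)
    resource: Optional[str] = None   # resource type such as "instance-family"
    permissions: List[str] = field(default_factory=list)
    condition: Optional[str] = None  # text after "where"


def parse_statement(text: str) -> Statement:
    """Parse one Allow/Endorse line; raise ValueError if it does not follow the grammar."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid Allow/Endorse statement: {text.strip()!r}")
    perms = [p.strip().upper() for p in m["perms"].split(",") if p.strip()] if m["perms"] else []
    return Statement(
        text=text.strip(),
        action=m["action"].lower(),
        subject=" ".join(m["subject"].split()),
        location=" ".join(m["location"].split()),
        verb=m["verb"].lower() if m["verb"] else None,
        resource=m["resource"].lower() if m["resource"] else None,
        permissions=perms,
        condition=m["cond"].strip() if m["cond"] else None,
    )


def render(template: str, values: Dict[str, str]) -> str:
    """Replace <name> placeholders with values[name]; unknown names are left for lint to flag."""
    return PLACEHOLDER_RE.sub(lambda m: values.get(m.group(0)[1:-1], m.group(0)), template)


def parse_policy(text: str) -> Tuple[Dict[str, str], List[Statement]]:
    """Split a policy block into tenancy aliases (Define ...) and parsed statements."""
    aliases: Dict[str, str] = {}
    statements: List[Statement] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        d = DEFINE_RE.match(line)
        if d:
            aliases[d["alias"]] = d["ocid"]
        else:
            statements.append(parse_statement(line))
    return aliases, statements


def lint(statements: List[Statement], aliases: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    for i, s in enumerate(statements, 1):
        ph = PLACEHOLDER_RE.search(s.text)
        if ph:
            findings.append(f"statement {i}: placeholder not replaced: {ph.group(0)}")
        loc = s.location.split()
        if s.verb == "manage" and loc[0].lower() == "tenancy":
            findings.append(f"statement {i}: 'manage {s.resource}' at tenancy scope; restrict to a compartment")
        if s.action == "endorse":
            if s.condition is None:
                findings.append(f"statement {i}: endorse without a where clause")
            if len(loc) > 1 and loc[1] not in aliases:
                findings.append(f"statement {i}: tenancy alias {loc[1]} has no Define statement")
    return findings


def check_policy(template: str, values: Dict[str, str]) -> Tuple[List[Statement], List[str]]:
    """Render placeholders, parse every line, and lint the result."""
    aliases, statements = parse_policy(render(template, values))
    return statements, lint(statements, aliases)


# Constructed sample: a few statements taken from the lists on this page.
SAMPLE_POLICY = """
Allow dynamic-group MigrationDynamicGroup to manage instance-family in compartment <migration_compartment_name>
Allow dynamic-group MigrationDynamicGroup to read ocb-inventory in tenancy
Allow dynamic-group MigrationDynamicGroup to {INSTANCE_INSPECT} in tenancy where any {request.operation='ListShapes'}
Define tenancy OCM-SERVICE as <ocm_service_tenancy_ocid_for_realm>
Endorse dynamic-group HydrationAgentDynamicGroup to { OBJECT_CREATE } in tenancy OCM-SERVICE where all { target.bucket.name = 'tenancy_ocid' }
"""
# Constructed placeholder values (not real OCIDs or compartment names).
SAMPLE_VALUES = {
    "migration_compartment_name": "migration-demo",
    "ocm_service_tenancy_ocid_for_realm": "ocid1.tenancy.oc1..exampleonly",
}

if __name__ == "__main__":
    stmts, findings = check_policy(SAMPLE_POLICY, SAMPLE_VALUES)
    for s in stmts:
        print(s.action, s.subject, s.verb or s.permissions, s.location, s.condition)
    print("findings:", findings or "none")
```

Run it as a script to see the parsed fields for the sample; to check your own policy, pass the statements you intend to create together with the real compartment names and service tenancy OCID to `check_policy`. A statement that omits the `to` keyword is rejected outright rather than silently accepted, which is the kind of error that is easy to miss when copying long permission-set lines.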