Oracle Cloud Migrations Service Policies

Oracle Cloud Migrations service policies are required for using the migration service.

A policy syntax is as follows:

allow <subject> to <verb> <resource-type> in <location> where <conditions>

For complete details, see Policy Syntax. For more information on creating policies, see how policies work, Policy Reference, and policy details for Object Storage.

See the instructions for creating policies using the Console.

Policy Builder

Oracle Cloud Migrations supports Policy Builder. The policy builder in the Cloud Console helps you quickly create common policies without the need to manually type the policy statements. To create policies using policy builder, see Writing Policy Statements with the Policy Builder.

In the Policy Builder, select the policy use cases for Oracle Cloud Migrations. Following predefined policy templates are available for creating the service policies:

Migration Policies

Dynamic groups and IAM policies for the migration service.

  • Create dynamic groups for the migration service. You can name the dynamic group as, for example, MigrationDynamicGroup and replace compartmentOCID with the OCID of your migration compartment:
    ALL {resource.type = 'ocmmigration', resource.compartment.id = '<migration_compartment_ocid>'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create all of the following IAM policies to allow the Migration service to read or manage your OCI resources in specific compartments or in your tenancy:
    Allow dynamic-group MigrationDynamicGroup to manage instance-family in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to manage compute-image-capability-schema in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to manage virtual-network-family in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to manage volume-family in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to manage object-family in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to read ocb-inventory in tenancy
    Allow dynamic-group MigrationDynamicGroup to read ocb-inventory-asset in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to {OCB_CONNECTOR_READ, OCB_CONNECTOR_DATA_READ, OCB_ASSET_SOURCE_READ, OCB_ASSET_SOURCE_CONNECTOR_DATA_UPDATE } in compartment <migration_compartment_name>
    Allow dynamic-group MigrationDynamicGroup to {INSTANCE_IMAGE_INSPECT, INSTANCE_IMAGE_READ} in tenancy
    Allow dynamic-group MigrationDynamicGroup {INSTANCE_INSPECT} in tenancy where any {request.operation='ListShapes'}
    Allow dynamic-group MigrationDynamicGroup {DEDICATED_VM_HOST_READ} in tenancy where any {request.operation='GetDedicatedVmHost'}
    Allow dynamic-group MigrationDynamicGroup {CAPACITY_RESERVATION_READ} in tenancy where any {request.operation='GetComputeCapacityReservation'}
    Allow dynamic-group MigrationDynamicGroup {ORGANIZATIONS_SUBSCRIPTION_INSPECT} in tenancy where any {request.operation='ListSubscriptions'}
    Allow dynamic-group MigrationDynamicGroup to read rate-cards in tenancy
    Allow dynamic-group MigrationDynamicGroup to read metrics in tenancy where target.metrics.namespace='ocb_asset'
    Allow dynamic-group MigrationDynamicGroup to read tag-namespaces in tenancy
    Allow dynamic-group MigrationDynamicGroup to use tag-namespaces in tenancy where target.tag-namespace.name='CloudMigrations'

Discovery Policies

Dynamic groups and IAM policies for the discovery service.

  • Create all of the following IAM policies to allow the discovery service to read or manage resources in specific compartments or in your tenancy:
    Allow service ocb-discovery to inspect compartments in compartment <migration_compartment_name>
    Allow service ocb-discovery to read ocb-environments in compartment <migration_compartment_name>
    Allow service ocb-discovery to read ocb-agents in compartment <migration_compartment_name>
    Allow service ocb-discovery to read ocb-inventory in tenancy
    Allow service ocb-discovery to manage ocb-inventory-asset in compartment <migration_compartment_name>
    Allow service ocb-discovery to {TENANCY_INSPECT} in tenancy

Remote Agent Policies

Create the following dynamic groups and IAM policies for the remote agent.

  • Create dynamic groups for the remote agent. You can name the dynamic group as, for example, RemoteAgentDynamicGroup:
    ALL {resource.type = 'ocbagent'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create all of the following IAM policies to allow the remote agent to use, read, or manage your OCI resources in specific compartments or in your tenancy:
    Define tenancy OCB-SERVICE as <ocb_service_tenancy_ocid_for_realm>
    Endorse dynamic-group RemoteAgentDynamicGroup to { OBJECT_CREATE } in tenancy OCB-SERVICE
    Allow dynamic-group RemoteAgentDynamicGroup to manage buckets in compartment <migration_compartment_name>
    Allow dynamic-group RemoteAgentDynamicGroup to manage object-family in compartment <migration_compartment_name>
    Allow dynamic-group RemoteAgentDynamicGroup to {OCM_REPLICATION_TASK_READ, OCM_REPLICATION_TASK_UPDATE} in compartment <migration_compartment_name>
    Allow dynamic-group RemoteAgentDynamicGroup to use ocb-asset-source-connectors in compartment <migration_compartment_name>
    Allow dynamic-group RemoteAgentDynamicGroup to use ocb-connectors in compartment <migration_compartment_name>
    Allow dynamic-group RemoteAgentDynamicGroup to manage ocb-inventory in tenancy
    Allow dynamic-group RemoteAgentDynamicGroup to manage ocb-inventory-asset in compartment <migration_compartment_name>
    Allow dynamic-group RemoteAgentDynamicGroup to read secret-family in compartment <migrationsecret_compartment_name>
    Allow dynamic-group RemoteAgentDynamicGroup to use metrics in compartment <migration_compartment_name> where target.metrics.namespace='ocb_asset'
    Allow dynamic-group RemoteAgentDynamicGroup to { OCM_CONNECTOR_INSPECT, OCM_ASSET_SOURCE_READ, OCM_ASSET_SOURCE_CONNECTION_PUSH } in compartment <migration_compartment_name>
    Allow dynamic-group RemoteAgentDynamicGroup to { OCB_AGENT_INSPECT, OCB_AGENT_SYNC, OCB_AGENT_READ, OCB_AGENT_DEPENDENCY_INSPECT, OCB_AGENT_DEPENDENCY_READ, OCB_AGENT_KEY_UPDATE, OCB_AGENT_TASK_READ, OCB_AGENT_ASSET_SOURCES_INSPECT, OCB_AGENT_TASK_UPDATE } in compartment <migration_compartment_name>
    Allow dynamic-group RemoteAgentDynamicGroup to { OCB_ASSET_SOURCE_INSPECT, OCB_ASSET_SOURCE_READ, OCB_ASSET_SOURCE_ASSET_HANDLES_PUSH, OCB_ASSET_SOURCE_CONNECTION_PUSH } in compartment <migration_compartment_name>
Note

The ocb_service_tenancy_ocid_for_realm for the OC1 realm has the following value:ocid1.tenancy.oc1..aaaaaaaahr2xcduf4knzkzhkzt442t66bpqt3aazss6cy2ll6x4xj3ci7tiq.

If your tenancy is located in a realm other than OC1, contact Oracle Support for the correct service tenancy OCID.

Discovery Plugin Policies

Dynamic groups and IAM policies for the discovery plugin.

  • Create dynamic groups for the discovery plugin. You can name the dynamic group as, for example, DiscoveryPluginDynamicGroup:
    ALL {resource.type = 'ocbagent'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create all of the following IAM policies to allow the discovery plugin to use, read or manage resources in specific compartments or in your tenancy:
    Allow dynamic-group DiscoveryPluginDynamicGroup to use ocb-connectors in compartment <migration_compartment_name>
    Allow dynamic-group DiscoveryPluginDynamicGroup to use ocb-asset-source-connectors in compartment <migration_compartment_name>
    Allow dynamic-group DiscoveryPluginDynamicGroup to read ocb-inventory in tenancy
    Allow dynamic-group DiscoveryPluginDynamicGroup to manage ocb-inventory-asset in compartment <migration_compartment_name>
    Allow dynamic-group DiscoveryPluginDynamicGroup to read secret-family in compartment <migrationsecret_compartment_name>
    Allow dynamic-group DiscoveryPluginDynamicGroup to use metrics in compartment <migration_compartment_name> where target.metrics.namespace='ocb_asset'

Replication Plugin Policies

Dynamic groups and IAM policies for the replication plugin.

  • Create dynamic groups for the replication plugin. You can name the dynamic group as, for example, ReplicationPluginDynamicGroup:
    ALL {resource.type = 'ocbagent'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create the following IAM policies in specific compartments or in your tenancy for the replication plugin to post snapshots to OCI Object Storage and call the migration service replication APIs:
    Allow dynamic-group ReplicationPluginDynamicGroup to { OCM_REPLICATION_TASK_INSPECT, OCM_REPLICATION_TASK_READ, OCM_REPLICATION_TASK_UPDATE, OCM_CONNECTOR_INSPECT, OCM_ASSET_SOURCE_READ, OCM_ASSET_SOURCE_CONNECTION_PUSH } in compartment <migration_compartment_name>
    Allow dynamic-group ReplicationPluginDynamicGroup to { BUCKET_INSPECT, BUCKET_READ, OBJECTSTORAGE_NAMESPACE_READ, OBJECT_CREATE, OBJECT_DELETE, OBJECT_INSPECT, OBJECT_OVERWRITE, OBJECT_READ } in compartment <migration_compartment_name> where all {target.bucket.name='<REPLICATION_SNAPSHOTS_BUCKET>'}
    Allow dynamic-group ReplicationPluginDynamicGroup to read secret-family in compartment <migrationsecret_compartment_name>
    Allow dynamic-group ReplicationPluginDynamicGroup to use metrics in compartment <migration_compartment_name> where target.metrics.namespace='ocb_asset'
    Allow dynamic-group ReplicationPluginDynamicGroup to {OCB_AGENT_INSPECT, OCB_AGENT_SYNC, OCB_AGENT_READ, OCB_AGENT_DEPENDENCY_INSPECT, OCB_AGENT_DEPENDENCY_READ, OCB_AGENT_KEY_UPDATE, OCB_AGENT_TASK_READ, OCB_AGENT_ASSET_SOURCES_INSPECT, OCB_AGENT_TASK_UPDATE} in tenancy
    Allow dynamic-group ReplicationPluginDynamicGroup to use ocb-connectors in compartment <migration_compartment_name>
    Allow dynamic-group ReplicationPluginDynamicGroup to use ocb-asset-source-connectors in compartment <migration_compartment_name>
    Allow dynamic-group ReplicationPluginDynamicGroup to read ocb-inventory in tenancy
    Allow dynamic-group ReplicationPluginDynamicGroup to read ocb-inventory-asset in compartment <migration_compartment_name>

Hydration Agent Policies

Dynamic groups and IAM policies for the hydration agent.

  • Create dynamic groups for the hydration agent. You can name the dynamic group as, for example, HydrationAgentDynamicGroup and replace compartmentOCID with the OCID of your migration compartment:
    ALL {instance.compartment.id = '<migration_compartment_ocid>'}

    For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

  • Create the following IAM policies in specific compartments or in your tenancy to provide permissions to the hydration agent to pull snapshots from OCI Object Storage and call the migration service hydration APIs:
    Define tenancy OCM-SERVICE AS <ocm_service_tenancy_ocid_for_realm>     
    Endorse dynamic-group HydrationAgentDynamicGroup to { OBJECT_CREATE } in tenancy OCM-SERVICE where all { target.bucket.name = 'tenancy_ocid' }
    Allow dynamic-group HydrationAgentDynamicGroup to {OCM_HYDRATION_AGENT_TASK_INSPECT, OCM_HYDRATION_AGENT_TASK_UPDATE, OCM_HYDRATION_AGENT_REPORT_STATUS} in compartment <migration_compartment_name>
    Allow dynamic-group HydrationAgentDynamicGroup to read objects in compartment <migration_compartment_name>
Note

The ocm_service_tenancy_ocid_for_realm for the OC1 realm has the following value: ocid1.tenancy.oc1..aaaaaaaartv6j5muce2s4djz7rvfn2vwceq3cnue33d72isntnlfmi7huv7q.

If your tenancy is located in a realm other than OC1, contact Oracle Support for the correct service tenancy OCID.