Container Instances IAM Policies
This topic covers details for writing policies to control access to Oracle Cloud Infrastructure Container Instances.
For information about IAM, see Overview of IAM.
Resource-Types
Individual Resource-Types
compute-container-instances
compute-containers
Aggregate Resource-Type
compute-container-family
Comments
A policy that uses <verb> compute-container-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.
Supported Variables
Container Instances IAM policies support all the general policy variables. See General Variables for All Requests.
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read and use verbs for the vcns resource-type cover no extra permissions or API operations compared to the inspect verb. However, the manage verb includes several extra permissions and API operations.
For compute-container-family Resource Types
The following tables list the permissions and API operations covered by each of the individual resource-types included in compute-container-family.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect |
COMPUTE_CONTAINER_INSTANCE_INSPECT |
ListContainerInstanceShapes ListContainerInstances ListWorkRequests ListWorkRequestErrors ListWorkRequestLogs |
none |
| read |
INSPECT + COMPUTE_CONTAINER_INSTANCE_READ |
GetWorkRequest |
GetContainerInstance (also need |
| use |
READ + COMPUTE_CONTAINER_INSTANCE_UPDATE COMPUTE_CONTAINER_INSTANCE_START COMPUTE_CONTAINER_INSTANCE_STOP COMPUTE_CONTAINER_INSTANCE_RESTART |
UpdateContainerInstance StartContainerInstance StopContainerInstance RestartContainerInstance |
no extra |
| manage |
USE + COMPUTE_CONTAINER_INSTANCE_CREATE COMPUTE_CONTAINER_INSTANCE_DELETE COMPUTE_CONTAINER_INSTANCE_MOVE |
ChangeContainerInstanceCompartment |
CreateContainerInstance (also need DeleteContainerInstance (also need |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect |
COMPUTE_CONTAINER_INSPECT |
ListContainers |
GetContainerInstance (also need |
| read |
INSPECT + COMPUTE_CONTAINER_READ |
GetContainer |
no extra |
| use |
READ + COMPUTE_CONTAINER_UPDATE COMPUTE_CONTAINER_LOG_RETRIEVE |
UpdateContainer RetrieveLogs |
no extra |
| manage |
USE + COMPUTE_CONTAINER_CREATE COMPUTE_CONTAINER_DELETE |
no extra |
CreateContainerInstance (also need DeleteContainerInstance (also need |
Permissions Required for Each API Operation
The following table lists the API operations grouped by resource type. The resource types are listed in alphabetical order.
For information about permissions, see Permissions.
| API Operation | Permissions Required to Use the Operation |
|---|---|
| GetContainer | COMPUTE_CONTAINER_READ |
| ListContainers | COMPUTE_CONTAINER_INSPECT |
| RetrieveLogs | COMPUTE_CONTAINER_LOG_RETRIEVE |
| UpdateContainer | COMPUTE_CONTAINER_UPDATE |
| CreateContainerInstance | COMPUTE_CONTAINER_INSTANCE_CREATE and VNIC_CREATE and SUBNET_USE and COMPUTE_CONTAINER_CREATE |
| GetContainerInstance | COMPUTE_CONTAINER_INSTANCE_READ and COMPUTE_CONTAINER_INSPECT |
| ListContainerInstances | COMPUTE_CONTAINER_INSTANCE_INSPECT |
| ListContainerInstanceShapes | COMPUTE_CONTAINER_INSTANCE_INSPECT |
| UpdateContainerInstance | COMPUTE_CONTAINER_INSTANCE_UPDATE |
| StartContainerInstance | COMPUTE_CONTAINER_INSTANCE_START |
| StopContainerInstance | COMPUTE_CONTAINER_INSTANCE_STOP |
| RestartContainerInstance | COMPUTE_CONTAINER_INSTANCE_RESTART |
| ChangeContainerInstanceCompartment | COMPUTE_CONTAINER_INSTANCE_MOVE |
| DeleteContainerInstance | COMPUTE_CONTAINER_INSTANCE_DELETE and VNIC_DELETE and SUBNET_USE and COMPUTE_CONTAINER_DELETE |
| GetWorkRequest | COMPUTE_CONTAINER_INSTANCE_READ |
| ListWorkRequestLogs | COMPUTE_CONTAINER_INSTANCE_INSPECT |
| ListWorkRequestErrors | COMPUTE_CONTAINER_INSTANCE_INSPECT |
| ListWorkRequests | COMPUTE_CONTAINER_INSTANCE_INSPECT |
Policy Examples
Use the following example to construct policies for your tenancy.
Let users create container instances
Type of access: Ability to do everything with container instances launched into the cloud network and subnets in compartment XYZ.
Where to create the policy: The easiest approach is to put this policy in the tenancy. If you want the admins of the individual compartments (ABC and XYZ) to have control over the individual policy statements for their compartments, see Policy Attachment.
Allow group ContainerInstanceLaunchers to manage compute-container-family in compartment ABC
Allow group ContainerInstanceLaunchers to use virtual-network-family in compartment XYZ
Allow group ContainerInstanceLaunchers to read repos in tenancyTo allow users to create new cloud networks and subnets, see Let network admins manage a cloud network.
Let Container Instances pull images from Container Registry
Type of access: Allows the Container Instances service the ability to read images from Container Registry private repositories.
Where to create the policy: The easiest approach is to put this policy in the tenancy.
- Create a dynamic group with Container Instances as the resource type. Add a rule with the following syntax:
ALL {resource.type='computecontainerinstance'} -
Write the following policy to grant access for the dynamic group:
Allow dynamic-group ContainerInstanceDynamicGroup to read repos in tenancy
Selecting the container image using the Console
Type of access: When you create your container instance in the Console, you can select the container image. To generate the correct address of the container image, you need to add this policy to read object storage namespaces.
Where to create the policy: The easiest approach is to put this policy in the tenancy.
Allow group ContainerInstanceLaunchers to read objectstorage-namespaces in tenancy