DevOps IAM Policies

Create IAM policies to control who has access to DevOps resources, and to control the type of access for each group of users.

Before you can control access to DevOps resources such as code repositories, build pipelines, and deployment pipelines, you must create users and place them in appropriate groups (see Managing Users and Managing Groups). You can then create policies and policy statements to control the access (see Managing Policies).

By default, users in the Administrators group have access to all the DevOps resources. If you are new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

This section explains the following topics:

Resource Types and Permissions

List of DevOps resource types and associated permissions.

To assign permissions to all DevOps resources, use the devops-family aggregate type. For more information, see Permissions.

A policy that uses <verb> devops-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.


Resource Type	Permissions
devops-project	DEVOPS_PROJECT_INSPECT DEVOPS_PROJECT_READ DEVOPS_PROJECT_UPDATE DEVOPS_PROJECT_CREATE DEVOPS_PROJECT_DELETE DEVOPS_PROJECT_MOVE
devops-deploy-artifact	DEVOPS_DEPLOY_ARTIFACT_INSPECT DEVOPS_DEPLOY_ARTIFACT_READ DEVOPS_DEPLOY_ARTIFACT_UPDATE DEVOPS_DEPLOY_ARTIFACT_CREATE DEVOPS_DEPLOY_ARTIFACT_DELETE
devops-deploy-environment	DEVOPS_DEPLOY_ENVIRONMENT_INSPECT DEVOPS_DEPLOY_ENVIRONMENT_READ DEVOPS_DEPLOY_ENVIRONMENT_UPDATE DEVOPS_DEPLOY_ENVIRONMENT_CREATE DEVOPS_DEPLOY_ENVIRONMENT_DELETE
devops-deploy-pipeline	DEVOPS_DEPLOY_PIPELINE_INSPECT DEVOPS_DEPLOY_PIPELINE_READ DEVOPS_DEPLOY_PIPELINE_UPDATE DEVOPS_DEPLOY_PIPELINE_CREATE DEVOPS_DEPLOY_PIPELINE_DELETE
devops-deploy-stage	DEVOPS_DEPLOY_STAGE_INSPECT DEVOPS_DEPLOY_STAGE_READ DEVOPS_DEPLOY_STAGE_UPDATE DEVOPS_DEPLOY_STAGE_CREATE DEVOPS_DEPLOY_STAGE_DELETE
devops-deployment	DEVOPS_DEPLOY_DEPLOYMENT_INSPECT DEVOPS_DEPLOY_DEPLOYMENT_READ DEVOPS_DEPLOY_DEPLOYMENT_UPDATE DEVOPS_DEPLOY_DEPLOYMENT_CREATE DEVOPS_DEPLOY_DEPLOYMENT_DELETE DEVOPS_DEPLOY_DEPLOYMENT_CANCEL DEVOPS_DEPLOY_DEPLOYMENT_APPROVE
devops-work-requests	DEVOPS_WORK_REQUEST_INSPECT DEVOPS_WORK_REQUEST_READ
devops-repository	DEVOPS_REPOSITORY_INSPECT DEVOPS_REPOSITORY_READ DEVOPS_REPOSITORY_UPDATE DEVOPS_REPOSITORY_CREATE DEVOPS_REPOSITORY_DELETE
devops-build-pipeline	DEVOPS_BUILD_PIPELINE_INSPECT DEVOPS_BUILD_PIPELINE_READ DEVOPS_BUILD_PIPELINE_UPDATE DEVOPS_BUILD_PIPELINE_CREATE DEVOPS_BUILD_PIPELINE_DELETE
devops-build-pipeline-stage	DEVOPS_BUILD_PIPELINE_STAGE_INSPECT DEVOPS_BUILD_PIPELINE_STAGE_READ DEVOPS_BUILD_PIPELINE_STAGE_UPDATE DEVOPS_BUILD_PIPELINE_STAGE_CREATE DEVOPS_BUILD_PIPELINE_STAGE_DELETE
devops-build-run	DEVOPS_BUILD_RUN_INSPECT DEVOPS_BUILD_RUN_READ DEVOPS_BUILD_RUN_UPDATE DEVOPS_BUILD_RUN_CREATE DEVOPS_BUILD_RUN_DELETE DEVOPS_BUILD_RUN_CANCEL
devops-connection	DEVOPS_CONNECTION_INSPECT DEVOPS_CONNECTION_READ DEVOPS_CONNECTION_UPDATE DEVOPS_CONNECTION_CREATE DEVOPS_CONNECTION_DELETE
devops-trigger	DEVOPS_TRIGGER_INSPECT DEVOPS_TRIGGER_READ DEVOPS_TRIGGER_UPDATE DEVOPS_TRIGGER_CREATE DEVOPS_TRIGGER_DELETE

Supported Variables

Variables are used when adding conditions to a policy.

DevOps supports the following variables:

Entity: Oracle Cloud Identifier (OCID)
String: Free-form text.
Number: Numeric value (arbitrary precision)
List: List of Entity, String, or Number
Boolean: True or False

See General Variables for All Requests.

Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name, target.display-name. Here name must be unique, and display-name is the description.

Required variables are supplied by the DevOps service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).


Required Variables	Type	Description
`target.compartment.id`	Entity (OCID)	The OCID of the primary resource for the request.
`request.operation`	String	The operation ID (for example, `GetUser`) for the request.
`target.resource.kind`	String	The resource kind name of the primary resource for the request.


Automatic Variables	Type	Description
`request.user.id`	Entity (OCID)	The OCID of the requesting user.
`request.groups.id`	List of entities (OCIDs)	The OCIDs of the groups the requesting user is in.
`target.compartment.name`	String	The name of the compartment specified in `target.compartment.id`.
`target.tenant.id`	Entity (OCID)	The OCID of the target tenant ID.

Here's a list of available sources for the variables:

Request: Comes from the request input.
Derived: Comes from the request.
Stored: Comes from the service, retained input.
Computed: Computed from service data.

Mapping Variables with Resource Types


Resource Type	Variable	Type	Source	Description
`devops-project` `devops-deploy-artifact` `devops-deploy-environment` `devops-deploy-pipeline` `devops-deploy-stage` `devops-deployment` `devops-repository` `devops-connection` `devops-trigger` `devops-build-pipeline` `devops-build-pipeline-stage` `devops-build-run`	`target.project.id`	Entry	Stored	Available for Get, Update, Delete, and Move operations on the Project resource.
`devops-project` `devops-deploy-artifact` `devops-deploy-environment` `devops-deploy-pipeline` `devops-deploy-stage` `devops-deployment` `devops-repository` `devops-connection` `devops-trigger` `devops-build-pipeline` `devops-build-pipeline-stage` `devops-build-run`	`target.project.name`	String	Stored	Available for Get, Update, Delete, and Move operations on the Project resource.
`devops-deploy-artifact`	`target.artifact.id`	Entity	Stored	Available for Get, Update, and Delete operations on the Artifact resource.
`devops-deploy-environment`	`target.environment.id`	Entity	Stored	Available for Get, Update, and Delete operations on the Environment resource.
`devops-deploy-pipeline` `devops-deploy-stage` `devops-deployment`	`target.pipeline.id`	Entity	Stored	Available for Get, Update, and Delete operations on the Pipeline resource.
`devops-deploy-stage`	`target.stage.id`	Entity	Stored	Available for Get, Update, and Delete operations on the Stage resource.
`devops-deployment`	`target.deployment.id`	Entity	Stored	Available for Get, Update, and Delete operations on Deployment resource types.
`devops-repository`	`target.repository.id`	Entity	Stored	Available for Get, Update, Delete, and Move operations on the Repository resource.
`devops-repository`	`target.repository.name`	Entity	Stored	Available for Get, Update, Delete, and Move operations on the Repository resource.
`devops-repository`	`target.branch.name`	Entity	Stored	Available for Git operations like upload-pack, receive-pack on the Repository branch.
`devops-repository`	`target.tag.name`	Entity	Stored	Available for Git operations like upload-pack, receive-pack on the Repository branch.
`devops-connection`	`target.connection.id`	Entity	Stored	Available for Get, Update, and Delete operations on the Connection resource.
`devops-trigger`	`target.trigger.id`	Entity	Stored	Available for Get, Update, and Delete operations on the Trigger resource.
`devops-build-pipeline` `devops-build-pipeline-stage` `devops-build-run`	`target.build-pipeline.id`	Entity	Stored	Available for Get, Update, and Delete operations on the Build Pipeline resource.
`devops-build-pipeline-stage`	`target.build-pipeline-stage.id`	Entity	Stored	Available for Get, Update, and Delete operations on the Build Pipeline Stage resource.
`devops-build-run`	`target.build-run.id`	Entity	Stored	Available for Get, Update, Delete, and Cancel operations on the Build Run resource.

Details for Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for DevOps resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

devops-project

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-project resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_PROJECT_INSPECT`	`ListProjects`	List all the project resources in a compartment.
`read`	`inspect+` `DEVOPS_PROJECT_READ`	`inspect+` `GetProject`	Get a specific project by ID.
`use`	`read+` `DEVOPS_PROJECT_UPDATE`	`read+` `UpdateProject`	Update a specific project.
`manage`	`use+` `DEVOPS_PROJECT_CREATE`	`use+` `CreateProject`	Create a project resource.
`manage`	`use+` `DEVOPS_PROJECT_DELETE`	`use+` `DeleteProject`	Delete a specific project.
`manage`	`use+` `DEVOPS_PROJECT_MOVE`	`use+` `ChangeProjectCompartment`	Move a project to a different compartment.

devops-deploy-artifact

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-artifact resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_DEPLOY_ARTIFACT_INSPECT`	`ListDeployArtifacts`	List all the artifacts in a project or compartment.
`read`	`inspect+` `DEVOPS_DEPLOY_ARTIFACT_READ`	`inspect+` `GetDeployArtifact`	Get a specific artifact by ID.
`use`	`read+` `DEVOPS_DEPLOY_ARTIFACT_UPDATE`	`read+` `UpdateDeployArtifact`	Update a specific artifact by ID.
`manage`	`use+` `DEVOPS_DEPLOY_ARTIFACT_CREATE`	`use+` `CreateDeployArtifact`	Create an artifact resource within a project.
`manage`	`use+` `DEVOPS_DEPLOY_ARTIFACT_DELETE`	`use+` `DeleteDeployArtifact`	Delete a specific artifact by ID.

devops-deploy-environment

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-environment resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_DEPLOY_ENVIRONMENT_INSPECT`	`ListDeployEnvironments`	List all the environments in an application or compartment.
`read`	`inspect+` `DEVOPS_DEPLOY_ENVIRONMENT_READ`	`inspect+` `GetDeployEnvironment`	Get a specific environment by ID.
`use`	`read+` `DEVOPS_DEPLOY_ENVIRONMENT_UPDATE`	`read+` `UpdateDeployEnvironment`	Update a specific environment by ID.
`manage`	`use+` `DEVOPS_DEPLOY_ENVIRONMENT_CREATE`	`use+` `CreateDeployEnvironment`	Create an environment for a deployment target within an application.
`manage`	`use+` `DEVOPS_DEPLOY_ENVIRONMENT_DELETE`	`use+` `DeleteDeployEnvironment`	Delete a specific environment by ID.

devops-deploy-pipeline

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-pipeline resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_DEPLOY_PIPELINE_INSPECT`	`ListDeployPipelines`	List all the pipeline resources in a compartment.
`read`	`inspect+` `DEVOPS_DEPLOY_PIPELINE_READ`	`inspect+` `GetDeployPipeline`	Get a specific pipeline by ID.
`use`	`read+` `DEVOPS_DEPLOY_PIPELINE_UPDATE`	`read+` `UpdateDeployPipeline`	Update a specific pipeline by ID.
`manage`	`use+` `DEVOPS_DEPLOY_PIPELINE_CREATE`	`use+` `CreateDeployPipeline`	Create a pipeline resource.
`manage`	`use+` `DEVOPS_DEPLOY_PIPELINE_DELETE`	`use+` `DeleteDeployPipeline`	Delete a specific pipeline.

devops-deploy-stage

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deploy-stage resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_DEPLOY_STAGE_INSPECT`	`ListDeployStages`	List all the stages in a pipeline or compartment.
`read`	`inspect+` `DEVOPS_DEPLOY_STAGE_READ`	`inspect+` `GetDeployStage`	Get a specific stage by ID.
`use`	`read+` `DEVOPS_DEPLOY_STAGE_UPDATE`	`read+` `UpdateDeployStage`	Update a specific stage by ID.
`manage`	`use+` `DEVOPS_DEPLOY_STAGE_CREATE`	`use+` `CreateDeployStage`	Create a stage within a pipeline.
`manage`	`use+` `DEVOPS_DEPLOY_STAGE_DELETE`	`use+` `DeleteDeployStage`	Delete a specific stage by ID.

devops-deployment

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-deployment resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_DEPLOYMENT_INSPECT`	`ListDeployments`	List all the deployments in a compartment.
`read`	`inspect+` `DEVOPS_DEPLOYMENT_READ`	`inspect+` `GetDeployment`	Get a specific deployment by ID.
`use`	`read+` `DEVOPS_DEPLOYMENT_UPDATE`	`read+` `UpdateDeployStage`	Update a specific stage by ID.
`use`	`read+` `DEVOPS_DEPLOYMENT_APPROVE`	`read+` `ApproveDeployment`	Approve a specific deployment that's waiting for manual approval.
`use`	`read+` `DEVOPS_DEPLOYMENT_CANCEL`	`read+` `CancelDeployment`	Cancel a running deployment.
`manage`	`use+` `DEVOPS_DEPLOYMENT_CREATE`	`use+` `CreateDeployment`	Create a deployment for a specific pipeline.
`manage`	`use+` `DEVOPS_DEPLOYMENT_DELETE`	`use+` `DeleteDeployment`	Delete a specific deployment.

devops-work-requests

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-work-requests resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_WORK_REQUEST_INSPECT`	`ListWorkRequests`	List all the work requests in a compartment.
`read`	`inspect+` `DEVOPS_WORK_REQUEST_READ`	`inspect+` `GetWorkRequest`	Get a specific work request by ID.

devops-repository

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-repository resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_REPOSITORY_INSPECT`	`ListRepositories`	List all the repository resources by compartment ID, project ID, or repository ID.
`read`	`inspect+` `DEVOPS_REPOSITORY_READ`	`inspect+` `GetRepository`	Get a specific repository by ID.
`use`	`read+` `DEVOPS_REPOSITORY_UPDATE`	`read+` `UpdateRepository`	Update a specific repository by ID.
`manage`	`use+` `DEVOPS_REPOSITORY_CREATE`	`use+` `CreateRepository`	Create a repository.
`manage`	`use+` `DEVOPS_REPOSITORY_DELETE`	`use+` `DeleteRepository`	Delete a specific repository by ID.

devops-connection

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-connection resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_CONNECTION_INSPECT`	`ListConnections`	List all the connections in a project or compartment.
`read`	`inspect+` `DEVOPS_CONNECTION_READ`	`inspect+` `GetConnection`	Get a specific connection by ID.
`use`	`read+` `DEVOPS_CONNECTION_UPDATE`	`read+` `UpdateConnection`	Update a specific connection by ID.
`use`	`read+` `DEVOPS_CONNECTION_VALIDATE`	`read+` `ValidateConnection`	Validate the connection's PAT.
`manage`	`use+` `DEVOPS_CONNECTION_CREATE`	`use+` `CreateConnection`	Create a connection resource in a project.
`manage`	`use+` `DEVOPS_CONNECTION_DELETE`	`use+` `DeleteConnection`	Delete a specific connection by ID.

devops-trigger

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-trigger resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_TRIGGER_INSPECT`	`ListTriggers`	List all the triggers in a project or compartment.
`read`	`inspect+` `DEVOPS_TRIGGER_READ`	`inspect+` `GetTrigger`	Get a specific trigger by ID.
`use`	`read+` `DEVOPS_TRIGGER_UPDATE`	`read+` `UpdateTrigger`	Update a specific trigger by ID.
`manage`	`use+` `DEVOPS_TRIGGER_CREATE`	`use+` `CreateTrigger`	Create a trigger resource in a project.
`manage`	`use+` `DEVOPS_TRIGGER_DELETE`	`use+` `DeleteTrigger`	Delete a specific trigger by ID.

devops-build-pipeline

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-pipeline resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_BUILD_PIPELINE_INSPECT`	`ListBuildPipelines`	List all the build pipeline resources in a compartment.
`read`	`inspect+` `DEVOPS_BUILD_PIPELINE_READ`	`inspect+` `GetBuildPipeline`	Get a specific build pipeline by ID.
`use`	`read+` `DEVOPS_BUILD_PIPELINE_UPDATE`	`read+` `UpdateBuildPipeline`	Update a specific build pipeline by ID.
`manage`	`use+` `DEVOPS_BUILD_PIPELINE_CREATE`	`use+` `CreateBuildPipeline`	Create a build pipeline resource.
`manage`	`use+` `DEVOPS_BUILD_PIPELINE_DELETE`	`use+` `DeleteBuildPipeline`	Delete a specific build pipeline.

devops-build-pipeline-stage

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-pipeline-stage resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_BUILD_PIPELINE_STAGE_INSPECT`	`ListBuildPipelineStages`	List all the stages in a build pipeline or compartment.
`read`	`inspect+` `DEVOPS_BUILD_PIPELINE_STAGE_READ`	`inspect+` `GetBuildPipelineStage`	Get a specific build pipeline stage by ID.
`use`	`read+` `DEVOPS_BUILD_PIPELINE_STAGE_UPDATE`	`read+` `UpdateBuildPipelineStage`	Update a specific build pipeline stage by ID.
`manage`	`use+` `DEVOPS_BUILD_PIPELINE_STAGE_CREATE`	`use+` `CreateBuildPipelineStage`	Create a stage in a build pipeline.
`manage`	`use+` `DEVOPS_BUILD_PIPELINE_STAGE_DELETE`	`use+` `DeleteBuildPipelineStage`	Delete specific build pipeline stage by ID.

devops-build-run

This table lists the permissions and the APIs that are fully covered by the permissions, for the devops-build-run resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`DEVOPS_BUILD_RUN_INSPECT`	`ListBuildRuns`	List the build runs in a project or compartment.
`read`	`inspect+` `DEVOPS_BUILD_RUN_READ`	`inspect+` `GetBuildRun`	Gets a specific build run by ID.
`use`	`read+` `DEVOPS_BUILD_RUN_UPDATE`	`read+` `UpdateBuildRun`	Update an existing build run.
`use`	`read+` `DEVOPS_BUILD_RUN_CANCEL`	`read+` `CancelBuildRun`	Cancel a running build run.
`manage`	`use+` `DEVOPS_BUILD_RUN_CREATE`	`use+` `CreateBuildRun`	Start a build run for a given build pipeline.
`manage`	`use+` `DEVOPS_BUILD_RUN_DELETE`	`use+` `DeleteBuildRun`	Delete an existing build run.

Creating a Policy and Dynamic Group

To grant users permission to access the various DevOps resources such as build pipelines, deployment pipelines, artifacts, and code repositories you have to create groups, dynamic groups and IAM policies.

A policy allows a group to work in certain ways with specific types of resources in a particular compartment .

Policy

Here's how you create a policy in the Oracle Cloud Console:

Open the navigation menu and click Identity & Security. Under Identity, click Policies.
Click Create Policy.
Enter a name and description for the policy.
Under Policy Builder, click the Show manual editor switch to enable the editor.
Enter a policy rule in the following format:
```
Allow <group> to <verb> <resource_type> in <compartment or tenancy details>
```
Click Create.

For more information about creating policies, see How Policies Work and Policy Reference.

To create a group and add users to the group, see Managing Groups.

Dynamic Group

Dynamic group is a special type of group that contains resources (such as compute instances) that match rules that you define.

Matching rules define the resources that belong to the dynamic group. In the Console, you can either enter the rule manually in the provided text box, or you can use the rule builder. For more details, see Writing Matching Rules to Define Dynamic Groups. Use the match-any rule to match multiple conditions.

Create a dynamic group for your DevOps resources. You can name the dynamic group as, for example, DevOpsDynamicGroup and replace compartmentOCID with the OCID of your compartment:

ALL {resource.type = 'devopsdeploypipeline', resource.compartment.id = 'compartmentOCID'}
ALL {resource.type = 'devopsrepository', resource.compartment.id = 'compartmentOCID'}
ALL {resource.type = 'devopsbuildpipeline',resource.compartment.id = 'compartmentOCID'}
ALL {resource.type = 'devopsconnection',resource.compartment.id = 'compartmentOCID'}

For more information about dynamic groups, including the permissions required to create them, see Managing Dynamic Groups and Writing Policies for Dynamic Groups.

Required policy statement for DevOpsDynamicGroup:

Allow dynamic-group DevOpsDynamicGroup to manage devops-family in compartment <compartment_name>

Note

For tenancies that have identity domains, the domain name must precede the dynamic group name in the policy. For example, domain-name/{DevOpsDynamicGroup}

Policy Examples

DevOps policies required for using various DevOps resources such as code repositories, build pipelines and deployment pipelines.

Following policy examples are provided:

Environment Policies

Policy example for creating target environment that is used for deployment.

See the instructions for creating policies using the Console.

Create policy to allow users in a group to create, update or delete a private OKE environment:

Allow group <group-name> to manage virtual-network-family in compartment <compartment_name> where any {request.operation='CreatePrivateEndpoint', request.operation='UpdatePrivateEndpoint', request.operation='DeletePrivateEndpoint', request.operation='EnableReverseConnection', request.operation='ModifyReverseConnection', request.operation='DisableReverseConnection'}

Code Repository Policies

Policy examples for creating a code repository and connecting to external code repositories such as GitHub and GitLab.

See the instructions for creating policies, groups, and dynamic groups using the Console.

To create a code repository, create following IAM policies:

Allow users in a group to have access to the DevOps project:

Allow group <group-name> to read devops-project in compartment <compartment_name>

Allow users in a group to read, create, update, or delete a repository:

Allow group <group-name> to manage devops-repository in compartment <compartment_name>

To clone a repository, create following IAM policies:

Allow users in a group to have access to the DevOps project:

Allow group <group-name> to read devops-project in compartment <compartment_name>

Allow users in a group to read or update a repository:

Allow group <group-name> to use devops-repository in compartment <compartment_name>

To integrate with external code repositories, create a policy in the root compartment. For example, to allow the dynamic group to read secrets:

Allow dynamic-group DevOpsDynamicGroup to read secret-family in compartment <compartment_name>

To validate an external connection, create the following IAM policy along with the policy to read secrets:

Allow group <group-name> to use devops-connection in compartment <compartment_name>

Build Pipeline Policies

Policy examples for creating build pipelines and adding stages to the pipeline.

See the instructions for creating policies using the Console.

Create IAM policies to allow the dynamic group to access OCI resources in the compartment:
- To deliver artifacts, provide access to the Container Registry (OCIR):
```
Allow dynamic-group DevOpsDynamicGroup to manage repos in compartment <compartment_name>
```
- To access vault for personal access token (PAT), provide access to secret-family. This policy is required in the Managed Build stage for accessing PAT to download the source code:
```
Allow dynamic-group DevOpsDynamicGroup to read secret-family in compartment <compartment_name>
```
- Provide access to read deployment artifacts in the Deliver Artifacts stage, read DevOps code repository in the Managed Build stage, and trigger deployment pipeline in the Trigger Deploy stage:
```
Allow dynamic-group DevOpsDynamicGroup to manage devops-family in compartment <compartment_name>
```
- To deliver artifacts, provide access to the Artifact Registry:
```
Allow dynamic-group DevOpsDynamicGroup to manage generic-artifacts in compartment <compartment_name>
```
- To send notifications, provide access to the build pipeline:
```
Allow dynamic-group DevOpsDynamicGroup to use ons-topics in compartment <compartment_name>
```

Create policies to allow private access setup in the Managed Build stage:

Allow dynamic-group DevOpsDynamicGroup to use subnets in compartment <customer subnet compartment>

Allow dynamic-group DevOpsDynamicGroup to use vnics in compartment <customer subnet compartment>

If any network security groups (NSGs) are specified in the private access configuration, then the policy must allow access to the NSGs:

Allow dynamic-group DevOpsDynamicGroup to use network-security-groups in compartment <customer subnet compartment>

Create a policy to allow the build pipeline to access the Certificate Authority (CA) bundle resource for Transport Layer Security (TLS) verification:
```
Allow dynamic-group DevOpsDynamicGroup to use cabundles in compartment <compartment_name>
```

Policies for Accessing ADM Resources

Policy examples for accessing Application Dependency Management (ADM) service's resources from the build pipeline.

See the instructions for creating policies using the Console.

Create IAM policies to allow the dynamic group to access ADM resources in the tenancy:

Allow dynamic-group DevOpsDynamicGroup to use adm-knowledge-bases in tenancy

Allow dynamic-group DevOpsDynamicGroup to manage adm-vulnerability-audits in tenancy

Deployment Pipeline Policies

Policy examples for creating deployment pipelines and adding stages to the pipeline.

See the instructions for creating policies using the Console.

Create IAM policies to allow the deployment pipeline dynamic group to access your compartment resources:

OKE cluster deployments:

Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to manage cluster in compartment <compartment_name>

Functions:

Allow dynamic-group DevOpsDynamicGroup to manage fn-function in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to read fn-app in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use fn-invocation in compartment <compartment_name>

Instance Group deployments:

Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to read instance-family in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use instance-agent-command-family in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use load-balancers in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use vnics in compartment <compartment_name>

For an instance group deployment, you also need to create a dynamic group for the following instances and give the dynamic group certain permissions:

Create a dynamic group for your instances. For example, you can name the dynamic group as, DeployComputeDynamicGroup and replace compartmentOCID with the OCID of your compartment:
```
All {instance.compartment.id = 'compartmentOCID'}
```

Create IAM policies to give required access to the deployment instances:

Allow dynamic-group DeployComputeDynamicGroup to use instance-agent-command-execution-family in compartment <compartment_name>
Allow dynamic-group DeployComputeDynamicGroup to read generic-artifacts in compartment <compartment_name>
Allow dynamic-group DeployComputeDynamicGroup to read secret-family in compartment <compartment_name>

Approval stage:

Allow group pipeline1_approvers to use devops-family in compartment <compartment_name>  where all {request.principal.id = 'ocid1.pipeline1'}
Allow group pipeline2_approvers to use devops-family in compartment <compartment_name>  where all {request.principal.id = 'ocid1.pipeline2'}

Shell stage:

Allow dynamic-group DevOpsDynamicGroup to manage compute-container-instances in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to manage compute-containers in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use vnics in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use subnets in compartment <compartment_name>
Allow dynamic-group DevOpsDynamicGroup to use dhcp-options in compartment <compartment_name>

If you're using Network security group while creating Shell stage, then add the following policy:

Allow dynamic-group DevOpsDynamicGroup to use network-security-groups in compartment <compartment_name>

Artifact Policies

Policy examples for adding the Deliver Artifacts stage to the build pipeline.

The Deliver Artifacts stage maps the build outputs from the Managed Build stage with the version to deliver to a DevOps artifact resource, and then to the Oracle Cloud Infrastructure (OCI) code repository. DevOps supports artifacts stored in OCI Container Registry and Artifact Registry repositories. See Adding a Deliver Artifacts Stage.

See the instructions for creating policies using the Console.

Create following IAM policies:

To see a list of all repositories in Container Registry belonging to the tenancy or to a particular compartment:

Allow dynamic-group DevOpsDynamicGroup to inspect repos in tenancy

Allow dynamic-group DevOpsDynamicGroup to inspect repos in compartment <compartment_name>

Allow artifacts to be pushed to the Container Registry (OCIR) that belongs to the tenancy or to a particular compartment:
```
Allow dynamic-group DevOpsDynamicGroup to use repos in tenancy
```
```
Allow dynamic-group DevOpsDynamicGroup to use repos in compartment <compartment_name>
```
See Policies to Control Repository Access.

Ability to see a list of generic artifacts in Artifact Registry belonging to the tenancy or to a particular compartment:

Allow dynamic-group DevOpsDynamicGroup to inspect generic-artifacts in tenancy

Allow dynamic-group DevOpsDynamicGroup to inspect generic-artifacts in compartment <compartment_name>

Allow generic artifacts to be pushed to the Artifact Registry that belongs to the tenancy or to a particular compartment:

Allow dynamic-group DevOpsDynamicGroup to use generic-artifacts in tenancy

Allow dynamic-group DevOpsDynamicGroup to use generic-artifacts in compartment <compartment_name>

See Artifact Registry Policies.

Allow users to pull generic artifacts that belongs to the tenancy or to a particular compartment:

Allow dynamic-group DevOpsDynamicGroup to read generic-artifacts in tenancy

Allow dynamic-group DevOpsDynamicGroup to read generic-artifacts in compartment <compartment_name>

Accessing Artifact Registry

Oracle Cloud Infrastructure Artifact Registry is a repository service for storing, sharing, and managing software development packages.

You can access the artifacts that you store in Artifact Registry from the DevOps service. You can create a reference to three types of artifacts in Artifact Registry: instance group deployment configurations, general artifacts, and Kubernetes manifests. Your administrator must grant the read all-artifacts permission to the pipeline resources.

See the instructions for creating policies using the console.

Create IAM policy to allow the dynamic group to access the artifacts from a specific compartment:

Allow dynamic-group DevOpsDynamicGroup to read all-artifacts in compartment <compartment_name>

For more information, see Artifact Registry Policies.

Oracle Cloud Infrastructure Documentation

DevOps IAM Policies

Resource Types and Permissions

Supported Variables

Mapping Variables with Resource Types

Details for Verb + Resource Type Combinations

Creating a Policy and Dynamic Group

Policy

Dynamic Group

Policy Examples

Environment Policies

Code Repository Policies

Build Pipeline Policies

Policies for Accessing ADM Resources

Deployment Pipeline Policies

Artifact Policies

Accessing Artifact Registry