Create Identity and Access Management (IAM) Groups and Policies for IAM Users

Describes the steps to write policy statements for an IAM group to enable IAM user access to Oracle Cloud Infrastructure resources, specifically Autonomous Database instances.

A policy is a group of statements that specifies who can access particular resources, and how. Access can be granted for the entire tenancy, databases in a compartment, or individual databases. This means you write a policy statement that gives a specific group a specific type of access to a specific type of resource within a specific compartment.

Note

Defining a policy is required to use IAM tokens to access Autonomous Database. A policy is not required when using IAM database passwords to access Autonomous Database.

To enable Autonomous Database to allow IAM users to connect to the database using IAM tokens:

  1. Perform Oracle Cloud Infrastructure Identity and Access Management prerequisites by creating a group and adding users to the group.

    For example, create the group sales_dbusers.

    See Managing Groups for more information.

  2. Write policy statements to enable access to Oracle Cloud Infrastructure resources.
    1. In the Oracle Cloud Infrastructure console, click Identity & Security.
    2. Under Identity & Security, click Policies.
    3. To write a policy, click Create Policy.
    4. On the Create Policy page, enter a Name and a Description.
    5. On the Create Policy page, select Show manual editor.
    6. Use the Policy Builder to create a policy.

      For example, to create a policy to allow users in IAM group DBUsers to access any Autonomous Database in their tenancy:

      Allow group DBUsers to use autonomous-database-family in tenancy

      For example, to create a policy that limits members of DBUsers group to access Autonomous Databases in compartment testing_compartment only:

      allow group DBUsers to use autonomous-database-family in compartment testing_compartment

      For example, to create a policy that limits group access to a single database in a compartment:

      allow group DBUsers to use autonomous-database-family in compartment testing_compartment where target.database.id = 'ocid1.autonomousdatabase.oc1.iad.aaaabbbbcccc'

      Refer to Creating an IAM Policy to Authorize Users Authenticating with Tokens in Database Security Guide for more information on IAM policies to access the database.

    7. Click Create.

      See Managing Policies for more information on policies.
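
The three example statements in step 6 differ only in scope: tenancy, compartment, or a single database. The following is an added example, not Oracle code: a small least-privilege review that classifies each statement by scope and reports every grant broader than one database. The function names (classify, review) are hypothetical, and the parser covers only the statement shapes shown on this page; anything else is reported as unparsed rather than guessed at.

```python
import re

# Covers only the statement shapes shown in step 6 (single group subject).
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)
# The condition used on this page to pin a grant to one database.
DB_ID = re.compile(r"target\.database\.id\s*=\s*'(?P<ocid>[^']+)'", re.IGNORECASE)

def classify(statement):
    """Return a dict describing the grant, or None if the shape is not recognized."""
    m = STATEMENT.match(statement)
    if not m:
        return None
    grant = {"group": m.group("group"), "verb": m.group("verb").lower(),
             "resource": m.group("resource").lower()}
    db = DB_ID.search(m.group("where") or "")
    if db:  # narrowest scope: one database OCID
        grant.update(scope="database", target=db.group("ocid"))
    elif m.group("tenancy"):  # broadest scope: every compartment
        grant.update(scope="tenancy", target=None)
    else:
        grant.update(scope="compartment", target=m.group("compartment"))
    return grant

def review(statements):
    """List (finding, statement) for grants that are not pinned to one database."""
    findings = []
    for text in statements:
        grant = classify(text)
        if grant is None:
            findings.append(("unparsed", text.strip()))  # fail closed: ask a human
        elif grant["scope"] != "database":
            findings.append((grant["scope"] + "-wide", text.strip()))
    return findings

# The three example statements from step 6 of this page.
PAGE_STATEMENTS = [
    "Allow group DBUsers to use autonomous-database-family in tenancy",
    "allow group DBUsers to use autonomous-database-family in compartment testing_compartment ",
    "allow group DBUsers to use autonomous-database-family in compartment testing_compartment "
    "where target.database.id = 'ocid1.autonomousdatabase.oc1.iad.aaaabbbbcccc'",
]

if __name__ == "__main__":
    for finding, text in review(PAGE_STATEMENTS):
        print(f"{finding}: {text}")
```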

Notes for creating policies for use with IAM users on Autonomous Database:

  • Policies can allow IAM users to access Autonomous Database instances across the entire tenancy, in a compartment, or can limit access to a single Autonomous Database instance.

  • You can use either instance principal or resource principal to retrieve database tokens to establish a connection from your application to an Autonomous Database instance. If you are using an instance principal or resource principal, you must map a dynamic group. You therefore cannot map instance and resource principals exclusively; you can map them only through a shared mapping, by putting the instance or resource instance in an IAM dynamic group.

    You can create Dynamic Groups and reference dynamic groups in the policies you create to access Oracle Cloud Infrastructure. See Configure Policies and Roles to Access Resources and Managing Dynamic Groups for details.