Perform Prerequisites for Deploying Management Agents on Compute Instances
Set Up Oracle Cloud Infrastructure for Management Agents on Compute Instances
Before you can deploy Management Agents on Oracle Cloud Infrastructure compute instances using Oracle Cloud Agent, you must ensure that your Oracle Cloud Infrastructure environment is set up correctly.
This section explains the steps relevant to setting up and working with Management Agent using Oracle Cloud Agent and the Compute service from Oracle Cloud Infrastructure.
Starting March 29, 2022, dynamic group policies related to Management Agent no longer need to be added manually, because the OCI Management Agent cloud service automatically enforces the authorization and permissions in the backend.
For more information about the dynamic group policy requirements of other Observability & Management OCI services, refer to the specific OCI service documentation.
For more information about Oracle Cloud Infrastructure, see Oracle Cloud Infrastructure.
If you are new to policies, see Getting Started with Policies and Common Policies.
Step 1: Create policy to allow user to enable or disable the Management Agent when using Oracle Cloud Agent
Create a policy to give permissions to a user to enable or disable the Management Agent from within the OCI Compute service. Enabling or disabling the Management Agent can be performed using the user interface/OCI Console or the Compute API.
Table 8-1 Create policy to allow user to enable or disable the Management Agent when using Oracle Cloud Agent
Policy Statement | Description |
---|---|
ALLOW GROUP <group_name> TO MANAGE instance-family IN COMPARTMENT <compartment_name> | It allows the Management Agent user group to manage plugins in Oracle Cloud Agent (OCA) in the specified compartment. Use TO MANAGE instance-family to allow users to enable or disable Management Agent from the OCA user interface or API. The compartment name needs to match the name of the OCI compute instance's compartment. |
ALLOW GROUP <group_name> TO READ instance-agent-plugins IN COMPARTMENT <compartment_name> | It allows the Management Agent user group to get a listing of plugins. The compartment name needs to match the name of the OCI compute instance's compartment. |
For example, if you have defined a user group called ManagementAgentAdmins, the policy statements would be like the following:
ALLOW GROUP ManagementAgentAdmins TO MANAGE instance-family IN COMPARTMENT mgmtagent
ALLOW GROUP ManagementAgentAdmins TO READ instance-agent-plugins IN COMPARTMENT mgmtagent
Here the users in the ManagementAgentAdmins user group are allowed to use their user principals in OCI API calls, or when logged in through the OCI Console, to enable or disable the Management Agent running as an Oracle Cloud Agent plugin.
For more information about policies when managing plugins with OCI Compute service, see Managing Plugins with Oracle Cloud Agent.
Step 2: Create a user group for managing Management Agents
The management agent is defined as a resource in Oracle Cloud Infrastructure.
Create a policy that allows users to manage the Management Agent resource from the OCI Console and API.
Resource Type | Description |
---|---|
management-agents | Management Agent resource |
Oracle recommends creating policies that apply to a specific group rather than to individual users, for easier user management. Any user that belongs to a group automatically inherits the policies and permissions of that group.
In this step you create a user group using the Identity and Access Management service from the OCI Console.
- To access the Identity and Access Management service, open the navigation menu. Under Identity & Security, go to Identity.
- Click Groups.
- Click Create Group.
- In the Create Group dialog box, enter a name for the group and a description, and then click Create.
For example, you create a group named ManagementAgentAdmins.
Step 3: Create policies for user group
Policies allow the user group to manage the Management Agent resource: management-agents.
Table 8-2 Create Policies
Policy Statement | Description |
---|---|
ALLOW GROUP <group_name> TO MANAGE management-agents IN COMPARTMENT <compartment_name> | It allows any user that belongs to the user group to manage the management-agents resource in the specified compartment. |
ALLOW GROUP <group_name> TO READ METRICS IN COMPARTMENT <compartment_name> | It allows any user that belongs to the user group to see metrics uploaded by the Management Agent. |
ALLOW GROUP <group_name> TO READ USERS IN TENANCY | Optional policy statement. It allows any user that belongs to the user group to read user names in the tenancy and display user names, rather than user IDs, on the Downloads and Keys page of the user interface. |
For example, the following policy statements apply to the ManagementAgentAdmins user group to allow it to perform all functions in the mgmtagent compartment:
ALLOW GROUP ManagementAgentAdmins TO MANAGE management-agents IN COMPARTMENT mgmtagent
ALLOW GROUP ManagementAgentAdmins TO READ METRICS IN COMPARTMENT mgmtagent
ALLOW GROUP ManagementAgentAdmins TO READ USERS IN TENANCY
When working with policy statements, remember to chain compartment names if needed. For example, if your mgmtagent compartment belongs to the business_unit_1 compartment, the correct compartment name to use in the statement is business_unit_1:mgmtagent.
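The following Python script is an added example, not part of the Oracle documentation and not an Oracle tool. It generates the Step 1 and Step 3 policy statements for a group and a (possibly nested) compartment, builds the colon-chained compartment name described above, and then reviews a set of statements the way a least-privilege check would: it flags statements that are not in the ALLOW GROUP shape shown on this page, statements whose compartment does not match the expected chained name, and tenancy-wide grants (such as the optional READ USERS IN TENANCY) so they can be confirmed deliberately. The function names, the sample group name and the review rules are this example's own; the parser only recognises the ALLOW GROUP ... IN COMPARTMENT / IN TENANCY form used on this page, not the full OCI policy grammar (conditions, dynamic groups, services).

```python
import re
from typing import Dict, List

# OCI policy verbs in increasing order of privilege; this page uses READ and MANAGE.
VERBS = ("INSPECT", "READ", "USE", "MANAGE")

# Only the statement shape shown on this page (hypothetical parser, not OCI's grammar).
STATEMENT_RE = re.compile(
    r"^ALLOW GROUP (?P<group>\S+) TO (?P<verb>INSPECT|READ|USE|MANAGE) "
    r"(?P<resource>\S+) IN (?:COMPARTMENT (?P<compartment>\S+)|(?P<tenancy>TENANCY))$"
)


def compartment_path(*chain: str) -> str:
    """Join a compartment hierarchy (parent first) into the colon-chained name
    that a policy statement expects, e.g. business_unit_1:mgmtagent."""
    if not chain or any(not name for name in chain):
        raise ValueError("compartment chain must contain at least one non-empty name")
    return ":".join(chain)


def management_agent_statements(group: str, compartment: str,
                                include_read_users: bool = False) -> List[str]:
    """Build the Step 1 (Oracle Cloud Agent plugin) and Step 3 (management-agents)
    statements from the page for one user group and one compartment name.
    The tenancy-wide READ USERS statement is optional, so it is off by default."""
    statements = [
        f"ALLOW GROUP {group} TO MANAGE instance-family IN COMPARTMENT {compartment}",
        f"ALLOW GROUP {group} TO READ instance-agent-plugins IN COMPARTMENT {compartment}",
        f"ALLOW GROUP {group} TO MANAGE management-agents IN COMPARTMENT {compartment}",
        f"ALLOW GROUP {group} TO READ METRICS IN COMPARTMENT {compartment}",
    ]
    if include_read_users:
        statements.append(f"ALLOW GROUP {group} TO READ USERS IN TENANCY")
    return statements


def parse_statement(statement: str) -> Dict[str, str]:
    """Split an ALLOW GROUP statement into group, verb, resource and scope.
    Scope is the chained compartment name, or the literal 'TENANCY'."""
    match = STATEMENT_RE.match(statement.strip())
    if not match:
        raise ValueError(f"not a recognised ALLOW GROUP statement: {statement!r}")
    parts = match.groupdict()
    return {
        "group": parts["group"],
        "verb": parts["verb"],
        "resource": parts["resource"],
        "scope": "TENANCY" if parts["tenancy"] else parts["compartment"],
    }


def review_statements(statements: List[str], expected_compartment: str) -> List[str]:
    """Return one finding per problem: malformed statements, compartment names that
    do not match the expected chained name, and tenancy-wide grants to confirm."""
    findings = []
    for statement in statements:
        try:
            parsed = parse_statement(statement)
        except ValueError as err:
            findings.append(str(err))
            continue
        if parsed["scope"] == "TENANCY":
            findings.append(
                f"tenancy-wide grant ({parsed['verb']} {parsed['resource']}) "
                f"for group {parsed['group']}: confirm it is required"
            )
        elif parsed["scope"] != expected_compartment:
            findings.append(
                f"compartment {parsed['scope']!r} does not match expected "
                f"{expected_compartment!r}; chain parent compartments with ':'"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample: mgmtagent nested under business_unit_1, as on the page.
    target = compartment_path("business_unit_1", "mgmtagent")
    good = management_agent_statements("ManagementAgentAdmins", target, include_read_users=True)
    print("\n".join(good))
    # A statement written without the parent compartment is caught by the review.
    drafted = ["ALLOW GROUP ManagementAgentAdmins TO MANAGE management-agents IN COMPARTMENT mgmtagent"]
    for finding in review_statements(good + drafted, target):
        print("review:", finding)
```

Run the script directly to print the generated statements and the review findings; in a pipeline, call review_statements on the statements you are about to submit and treat a non-empty result as a reason to stop.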