Container Instances IAM Policies

This topic covers details for writing policies to control access to Oracle Cloud Infrastructure Container Instances.

Resource-Types

Individual Resource-Types

compute-container-instances

compute-containers

Aggregate Resource-Type

compute-container-family

Comments

A policy that uses <verb> compute-container-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

Supported Variables

Container Instances IAM policies support all the general policy variables. See General Variables for All Requests.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read and use verbs for the vcns resource-type cover no extra permissions or API operations compared to the inspect verb. However, the manage verb includes several extra permissions and API operations.

For compute-container-family Resource Types

The following tables list the permissions and API operations covered by each of the individual resource-types included in compute-container-family.

compute-container-instances


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	COMPUTE_CONTAINER_INSTANCE_INSPECT	ListContainerInstanceShapes ListContainerInstances ListWorkRequests ListWorkRequestErrors ListWorkRequestLogs	none
read	INSPECT + COMPUTE_CONTAINER_INSTANCE_READ	GetWorkRequest	GetContainerInstance (also need `inspect compute-container`)
use	READ + COMPUTE_CONTAINER_INSTANCE_UPDATE COMPUTE_CONTAINER_INSTANCE_START COMPUTE_CONTAINER_INSTANCE_STOP COMPUTE_CONTAINER_INSTANCE_RESTART	UpdateContainerInstance StartContainerInstance StopContainerInstance RestartContainerInstance	no extra
manage	USE + COMPUTE_CONTAINER_INSTANCE_CREATE COMPUTE_CONTAINER_INSTANCE_DELETE COMPUTE_CONTAINER_INSTANCE_MOVE	ChangeContainerInstanceCompartment	CreateContainerInstance (also need `use vnics`, `use subnets`, and `manage compute-container`) DeleteContainerInstance (also need `use vnics`, `use subnets`, and `manage compute-container`)

compute-container


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	COMPUTE_CONTAINER_INSPECT	ListContainers	GetContainerInstance (also need `read compute-container-instances`)
read	INSPECT + COMPUTE_CONTAINER_READ	GetContainer	no extra
use	READ + COMPUTE_CONTAINER_UPDATE COMPUTE_CONTAINER_LOG_RETRIEVE	UpdateContainer RetrieveLogs	no extra
manage	USE + COMPUTE_CONTAINER_CREATE COMPUTE_CONTAINER_DELETE	no extra	CreateContainerInstance (also need `use vnics`, `use subnets`, and `manage compute-container-instances` ) DeleteContainerInstance (also need `use vnics`, `use subnets`, and `manage compute-container-instances`)

Permissions Required for Each API Operation

The following table lists the API operations grouped by resource type. The resource types are listed in alphabetical order.

For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
GetContainer	COMPUTE_CONTAINER_READ
ListContainers	COMPUTE_CONTAINER_INSPECT
RetrieveLogs	COMPUTE_CONTAINER_LOG_RETRIEVE
UpdateContainer	COMPUTE_CONTAINER_UPDATE
CreateContainerInstance	COMPUTE_CONTAINER_INSTANCE_CREATE and VNIC_CREATE and SUBNET_USE and COMPUTE_CONTAINER_CREATE
GetContainerInstance	COMPUTE_CONTAINER_INSTANCE_READ and COMPUTE_CONTAINER_INSPECT
ListContainerInstances	COMPUTE_CONTAINER_INSTANCE_INSPECT
ListContainerInstanceShapes	COMPUTE_CONTAINER_INSTANCE_INSPECT
UpdateContainerInstance	COMPUTE_CONTAINER_INSTANCE_UPDATE
StartContainerInstance	COMPUTE_CONTAINER_INSTANCE_START
StopContainerInstance	COMPUTE_CONTAINER_INSTANCE_STOP
RestartContainerInstance	COMPUTE_CONTAINER_INSTANCE_RESTART
ChangeContainerInstanceCompartment	COMPUTE_CONTAINER_INSTANCE_MOVE
DeleteContainerInstance	COMPUTE_CONTAINER_INSTANCE_DELETE and VNIC_DELETE and SUBNET_USE and COMPUTE_CONTAINER_DELETE
GetWorkRequest	COMPUTE_CONTAINER_INSTANCE_READ
ListWorkRequestLogs	COMPUTE_CONTAINER_INSTANCE_INSPECT
ListWorkRequestErrors	COMPUTE_CONTAINER_INSTANCE_INSPECT
ListWorkRequests	COMPUTE_CONTAINER_INSTANCE_INSPECT

Policy Examples

Use the following example to construct policies for your tenancy.

Let users create container instances

Type of access: Ability to do everything with container instances launched into the cloud network and subnets in compartment XYZ.

Where to create the policy: The easiest approach is to put this policy in the tenancy. If you want the admins of the individual compartments (ABC and XYZ) to have control over the individual policy statements for their compartments, see Policy Attachment.

Allow group ContainerInstanceLaunchers to manage compute-container-family in compartment ABC
Allow group ContainerInstanceLaunchers to use virtual-network-family in compartment XYZ
Allow group ContainerInstanceLaunchers to read repos in tenancy

To allow users to create new cloud networks and subnets, see Let network admins manage a cloud network.

Let Container Instances pull images from Container Registry

Type of access: Allows the Container Instances service the ability to read images from Container Registry private repositories.

Where to create the policy: The easiest approach is to put this policy in the tenancy.

Create a dynamic group with Container Instances as the resource type. Add a rule with the following syntax:
```
ALL {resource.type='computecontainerinstance'}
```

Write the following policy to grant access for the dynamic group:

Allow dynamic-group ContainerInstanceDynamicGroup to read repos in tenancy

Oracle Cloud Infrastructure Documentation