Container Instances IAM Policies

This topic covers details for writing policies to control access to Oracle Cloud Infrastructure Container Instances.

For information about IAM, see Overview of IAM.

Resource-Types

Individual Resource-Types:

  compute-container-instances
  compute-containers

Aggregate Resource-Type:

  compute-container-family

Comments

A policy that uses <verb> compute-container-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read and use verbs for the vcns resource-type cover no extra permissions or API operations compared to the inspect verb. However, the manage verb includes several extra permissions and API operations.

For compute-container-family Resource Types

The following tables list the permissions and API operations covered by each of the individual resource-types included in compute-container-family.

compute-container-instances

  inspect
    Permissions:            COMPUTE_CONTAINER_INSTANCE_INSPECT
    APIs fully covered:     ListContainerInstanceShapes, ListContainerInstances, ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs
    APIs partially covered: none

  read
    Permissions:            INSPECT + COMPUTE_CONTAINER_INSTANCE_READ
    APIs fully covered:     GetWorkRequest
    APIs partially covered: GetContainerInstance (also need inspect compute-container)

  use
    Permissions:            READ + COMPUTE_CONTAINER_INSTANCE_UPDATE, COMPUTE_CONTAINER_INSTANCE_START, COMPUTE_CONTAINER_INSTANCE_STOP, COMPUTE_CONTAINER_INSTANCE_RESTART
    APIs fully covered:     UpdateContainerInstance, StartContainerInstance, StopContainerInstance, RestartContainerInstance
    APIs partially covered: no extra

  manage
    Permissions:            USE + COMPUTE_CONTAINER_INSTANCE_CREATE, COMPUTE_CONTAINER_INSTANCE_DELETE, COMPUTE_CONTAINER_INSTANCE_MOVE
    APIs fully covered:     ChangeContainerInstanceCompartment
    APIs partially covered: CreateContainerInstance (also need use vnics, use subnets, and manage compute-container); DeleteContainerInstance (also need use vnics, use subnets, and manage compute-container)

compute-container

  inspect
    Permissions:            COMPUTE_CONTAINER_INSPECT
    APIs fully covered:     ListContainers
    APIs partially covered: GetContainerInstance (also need read compute-container-instances)

  read
    Permissions:            INSPECT + COMPUTE_CONTAINER_READ
    APIs fully covered:     GetContainer
    APIs partially covered: no extra

  use
    Permissions:            READ + COMPUTE_CONTAINER_UPDATE, COMPUTE_CONTAINER_LOG_RETRIEVE
    APIs fully covered:     UpdateContainer, RetrieveLogs
    APIs partially covered: no extra

  manage
    Permissions:            USE + COMPUTE_CONTAINER_CREATE, COMPUTE_CONTAINER_DELETE
    APIs fully covered:     no extra
    APIs partially covered: CreateContainerInstance (also need use vnics, use subnets, and manage compute-container-instances); DeleteContainerInstance (also need use vnics, use subnets, and manage compute-container-instances)

Permissions Required for Each API Operation

The following table lists the API operations grouped by resource type. The resource types are listed in alphabetical order.

For information about permissions, see Permissions.

API Operation                        Permissions Required to Use the Operation
GetContainer                         COMPUTE_CONTAINER_READ
ListContainers                       COMPUTE_CONTAINER_INSPECT
RetrieveLogs                         COMPUTE_CONTAINER_LOG_RETRIEVE
UpdateContainer                      COMPUTE_CONTAINER_UPDATE
CreateContainerInstance              COMPUTE_CONTAINER_INSTANCE_CREATE and VNIC_CREATE and SUBNET_USE and COMPUTE_CONTAINER_CREATE
GetContainerInstance                 COMPUTE_CONTAINER_INSTANCE_READ and COMPUTE_CONTAINER_INSPECT
ListContainerInstances               COMPUTE_CONTAINER_INSTANCE_INSPECT
ListContainerInstanceShapes          COMPUTE_CONTAINER_INSTANCE_INSPECT
UpdateContainerInstance              COMPUTE_CONTAINER_INSTANCE_UPDATE
StartContainerInstance               COMPUTE_CONTAINER_INSTANCE_START
StopContainerInstance                COMPUTE_CONTAINER_INSTANCE_STOP
RestartContainerInstance             COMPUTE_CONTAINER_INSTANCE_RESTART
ChangeContainerInstanceCompartment   COMPUTE_CONTAINER_INSTANCE_MOVE
DeleteContainerInstance              COMPUTE_CONTAINER_INSTANCE_DELETE and VNIC_DELETE and SUBNET_USE and COMPUTE_CONTAINER_DELETE
GetWorkRequest                       COMPUTE_CONTAINER_INSTANCE_READ
ListWorkRequestLogs                  COMPUTE_CONTAINER_INSTANCE_INSPECT
ListWorkRequestErrors                COMPUTE_CONTAINER_INSTANCE_INSPECT
ListWorkRequests                     COMPUTE_CONTAINER_INSTANCE_INSPECT

Policy Examples

Use the following examples to construct policies for your tenancy.

Let users create container instances

Type of access: Ability to do everything with container instances launched into the cloud network and subnets in compartment XYZ.

Where to create the policy: The easiest approach is to put this policy in the tenancy. If you want the admins of the individual compartments (ABC and XYZ) to have control over the individual policy statements for their compartments, see Policy Attachment.

Allow group ContainerInstanceLaunchers to manage compute-container-family in compartment ABC
Allow group ContainerInstanceLaunchers to use virtual-network-family in compartment XYZ
Allow group ContainerInstanceLaunchers to read repos in tenancy

To allow users to create new cloud networks and subnets, see Let network admins manage a cloud network.
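The cumulative verb ladder (inspect < read < use < manage), the compute-container-family aggregate, and the "also need" cross-resource dependencies in the tables above are easy to get wrong when trimming a policy down to least privilege. The following script is an added example, not Oracle's code or tooling: it encodes this page's permission tables and, given a list of policy statements, reports which Container Instances API operations a group can call in a compartment and which permissions are still missing. The mapping of "use vnics" to VNIC_CREATE/VNIC_DELETE and "use subnets" to SUBNET_USE, and the reduced virtual-network-family expansion, are assumptions made for the example; the sample policies in it are constructed.

```python
"""Effective-permission audit for OCI Container Instances policy statements.
Added example (not Oracle's code): encodes this page's verb/permission tables."""
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Permissions each verb adds on top of the verb below it (this page's tables).
VERB_PERMISSIONS = {
    "compute-container-instances": {
        "inspect": ["COMPUTE_CONTAINER_INSTANCE_INSPECT"],
        "read": ["COMPUTE_CONTAINER_INSTANCE_READ"],
        "use": ["COMPUTE_CONTAINER_INSTANCE_UPDATE", "COMPUTE_CONTAINER_INSTANCE_START",
                "COMPUTE_CONTAINER_INSTANCE_STOP", "COMPUTE_CONTAINER_INSTANCE_RESTART"],
        "manage": ["COMPUTE_CONTAINER_INSTANCE_CREATE", "COMPUTE_CONTAINER_INSTANCE_DELETE",
                   "COMPUTE_CONTAINER_INSTANCE_MOVE"],
    },
    "compute-containers": {
        "inspect": ["COMPUTE_CONTAINER_INSPECT"],
        "read": ["COMPUTE_CONTAINER_READ"],
        "use": ["COMPUTE_CONTAINER_UPDATE", "COMPUTE_CONTAINER_LOG_RETRIEVE"],
        "manage": ["COMPUTE_CONTAINER_CREATE", "COMPUTE_CONTAINER_DELETE"],
    },
    # ASSUMPTION: the page only says create/delete also need "use vnics" and
    # "use subnets" and lists VNIC_CREATE, VNIC_DELETE and SUBNET_USE; tying
    # exactly those permissions to the "use" verb is this example's simplification.
    "vnics": {"use": ["VNIC_CREATE", "VNIC_DELETE"]},
    "subnets": {"use": ["SUBNET_USE"]},
}

# Aggregates expand to individual resource-types. virtual-network-family is
# reduced (assumption) to the two types the container APIs depend on.
FAMILIES = {
    "compute-container-family": ["compute-container-instances", "compute-containers"],
    "virtual-network-family": ["vnics", "subnets"],
}

# Permissions required per API operation (this page's table).
API_REQUIREMENTS = {
    "CreateContainerInstance": {"COMPUTE_CONTAINER_INSTANCE_CREATE", "VNIC_CREATE", "SUBNET_USE", "COMPUTE_CONTAINER_CREATE"},
    "DeleteContainerInstance": {"COMPUTE_CONTAINER_INSTANCE_DELETE", "VNIC_DELETE", "SUBNET_USE", "COMPUTE_CONTAINER_DELETE"},
    "GetContainerInstance": {"COMPUTE_CONTAINER_INSTANCE_READ", "COMPUTE_CONTAINER_INSPECT"},
}
for _op, _perm in [("GetContainer", "COMPUTE_CONTAINER_READ"), ("ListContainers", "COMPUTE_CONTAINER_INSPECT"),
                   ("RetrieveLogs", "COMPUTE_CONTAINER_LOG_RETRIEVE"), ("UpdateContainer", "COMPUTE_CONTAINER_UPDATE"),
                   ("ListContainerInstances", "COMPUTE_CONTAINER_INSTANCE_INSPECT"),
                   ("ListContainerInstanceShapes", "COMPUTE_CONTAINER_INSTANCE_INSPECT"),
                   ("UpdateContainerInstance", "COMPUTE_CONTAINER_INSTANCE_UPDATE"),
                   ("StartContainerInstance", "COMPUTE_CONTAINER_INSTANCE_START"),
                   ("StopContainerInstance", "COMPUTE_CONTAINER_INSTANCE_STOP"),
                   ("RestartContainerInstance", "COMPUTE_CONTAINER_INSTANCE_RESTART"),
                   ("ChangeContainerInstanceCompartment", "COMPUTE_CONTAINER_INSTANCE_MOVE"),
                   ("GetWorkRequest", "COMPUTE_CONTAINER_INSTANCE_READ"),
                   ("ListWorkRequestLogs", "COMPUTE_CONTAINER_INSTANCE_INSPECT"),
                   ("ListWorkRequestErrors", "COMPUTE_CONTAINER_INSTANCE_INSPECT"),
                   ("ListWorkRequests", "COMPUTE_CONTAINER_INSTANCE_INSPECT")]:
    API_REQUIREMENTS[_op] = {_perm}   # single-permission operations

# Only "Allow group G to <verb> <resource-type> in compartment X | tenancy" is
# parsed; conditions ("where ...") and dynamic groups are out of scope here.
STATEMENT_RE = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:compartment (?P<compartment>\S+)|tenancy)$",
    re.IGNORECASE)

def parse_statement(text):
    """Return (group, verb, resource-type, compartment); compartment None = tenancy-wide."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    return m["group"], m["verb"].lower(), m["resource"].lower(), m["compartment"]

def permissions_for(verb, resource):
    """Expand verb + resource-type into the cumulative permission set."""
    perms = set()
    for rt in FAMILIES.get(resource, [resource]):
        ladder = VERB_PERMISSIONS.get(rt, {})     # e.g. "repos": not modelled, grants nothing
        for v, rank in VERB_RANK.items():
            if rank <= VERB_RANK[verb]:           # the ladder is cumulative
                perms.update(ladder.get(v, []))
    return perms

def effective_permissions(statements, group, compartment):
    """Union of permissions `group` holds on resources in `compartment` (exact group-name match)."""
    perms = set()
    for g, verb, resource, comp in map(parse_statement, statements):
        if g == group and comp in (None, compartment):   # tenancy-wide or this compartment
            perms |= permissions_for(verb, resource)
    return perms

def missing_permissions(statements, group, compartment, operation):
    """Permissions still needed before `group` can call `operation` there."""
    return sorted(API_REQUIREMENTS[operation] - effective_permissions(statements, group, compartment))

def allowed_operations(statements, group, compartment):
    """Every API operation whose full permission set is granted."""
    return sorted(op for op in API_REQUIREMENTS if not missing_permissions(statements, group, compartment, op))

if __name__ == "__main__":
    # Constructed least-privilege policy: operators may start/stop/inspect but not create.
    OPERATORS = ["Allow group ContainerOperators to use compute-container-family in compartment ABC"]
    print(allowed_operations(OPERATORS, "ContainerOperators", "ABC"))
    print(missing_permissions(OPERATORS, "ContainerOperators", "ABC", "CreateContainerInstance"))
```

Two things the script makes visible: granting "manage compute-container-instances" without the matching "manage compute-containers" leaves CreateContainerInstance short of COMPUTE_CONTAINER_CREATE, which is why the page's example uses the family aggregate; and because the model evaluates one compartment at a time, the page's launcher policy (containers in ABC, network in XYZ) reports the networking permissions as missing in ABC. In the real service the VNIC and subnet permissions are checked against the network resources' compartment, so that split is correct; the script simply does not model cross-compartment evaluation.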

Let Container Instances pull images from Container Registry

Type of access: Allows the Container Instances service to read images from Container Registry private repositories.

Where to create the policy: The easiest approach is to put this policy in the tenancy.

  1. Create a dynamic group with Container Instances as the resource type. Add a rule with the following syntax:

     ALL {resource.type='computecontainerinstance'}

  2. Write the following policy to grant access for the dynamic group:

     Allow dynamic-group ContainerInstanceDynamicGroup to read repos in tenancy

Selecting the container image using the Console

Type of access: When you create your container instance in the Console, you can select the container image. To generate the correct address of the container image, you need to add this policy to read object storage namespaces.

Where to create the policy: The easiest approach is to put this policy in the tenancy.

Allow group ContainerInstanceLaunchers to read objectstorage-namespaces in tenancy