Resource Principals
DB systems can use resource principals to authenticate to, and access, other Oracle Cloud Infrastructure resources. To use resource principals, you or your tenancy administrator must define the Oracle Cloud Infrastructure dynamic groups and policies that allow those principals to access the specific Oracle Cloud Infrastructure resources a feature needs.
Resource principals are used by the following HeatWave Service features:
- Bring your own certificate: Allows DB systems to read the certificates defined in Oracle Cloud Infrastructure Certificates Service.
- HeatWave Lakehouse: Allows DB systems to read data from Object Storage.
- HeatWave GenAI: Allows DB systems to call the pretrained foundational models in the OCI Generative AI service.
Resource principals have two components:
Dynamic Groups
Dynamic groups allow you to group HeatWave Service DB systems as principal actors, similar to user groups.
You can then create policies that permit DB systems in the dynamic group to make API calls against Oracle Cloud Infrastructure services, such as Certificates or Object Storage. Membership in the group is determined by a set of criteria you define, called matching rules. Write the rule as narrowly as the feature requires: the example below limits membership to DB systems in a single compartment, and you can tighten it further to one DB system by also matching on resource.id.
"ALL{resource.type='mysqldbsystem', resource.compartment.id = 'ocid1.compartment.oc1..alphanumericString'}"
For more information, see Writing Matching Rules to Define Dynamic Groups.
Dynamic groups require a name, description, and matching rule. See Creating a Dynamic Group.
Policies
Policies define what your groups or dynamic groups are allowed to do. Oracle Cloud Infrastructure policies only grant access; anything no policy statement allows is denied.
Defining a Policy for Bring Your Own Certificate
For DB systems to access certificates from the Certificates Service, you must define a policy which allows the dynamic group to read the certificates.
Allow dynamic-group MYSQL_DG to read leaf-certificate-family in compartment C8
Defining a Policy for HeatWave Lakehouse
For HeatWave Lakehouse to access Object Storage, you must define a policy that allows the dynamic group to read buckets and their contents. If the DB system only needs one bucket, add a where clause on target.bucket.name to both statements rather than granting read access to every bucket in the compartment.
Allow dynamic-group MYSQL_DG to read buckets in compartment C8
Allow dynamic-group MYSQL_DG to read objects in compartment C8
Defining a Policy for Accessing OCI Generative AI Service
For HeatWave GenAI to use the pretrained foundational models available in OCI Generative AI, you must define a policy that allows the dynamic group to use the OCI Generative AI service.
Allow dynamic-group MYSQL_DG to use generative-ai-chat in compartment C8
Allow dynamic-group MYSQL_DG to use generative-ai-text-embedding in compartment C8
Usage of OCI Generative AI is metered and billed to the selected compartment.
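The following shell script is an added example, not Oracle's documentation or tooling: it builds the dynamic-group matching rule and the three resource-principal policies described above, scoped to a single compartment (with optional narrowing to one DB system and one bucket), and prints the equivalent OCI CLI commands as a dry run. Set OCI_APPLY=1 to execute them. The dynamic-group name MYSQL_DG is taken from the page; the policy names, the bucket restriction and the placeholder OCIDs are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not Oracle's code). Generates the HeatWave resource-principal
# dynamic group and policies and runs them through the OCI CLI. Dry run unless
# OCI_APPLY=1. The OCIDs below are constructed placeholders.
COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..aaaaexampleplaceholder}"
DBSYSTEM_OCID="${DBSYSTEM_OCID:-}"   # optional: limit the group to one DB system
LAKE_BUCKET="${LAKE_BUCKET:-}"       # optional: limit Lakehouse reads to one bucket
DG_NAME="${DG_NAME:-MYSQL_DG}"

# Refuse to interpolate anything that is not a compartment OCID into a rule or
# policy; a mistyped OCID would otherwise silently produce a useless (or, if it
# names the tenancy, far too broad) grant.
is_compartment_ocid() {
  case "$1" in
    ocid1.compartment.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Matching rule: DB systems in one compartment, optionally a single DB system.
matching_rule() {
  if [ -n "${2:-}" ]; then
    printf "ALL {resource.type='mysqldbsystem', resource.compartment.id='%s', resource.id='%s'}" "$1" "$2"
  else
    printf "ALL {resource.type='mysqldbsystem', resource.compartment.id='%s'}" "$1"
  fi
}

# Policy statements, one per line, each scoped to the compartment by OCID.
byoc_statements() {
  printf "Allow dynamic-group %s to read leaf-certificate-family in compartment id %s\n" "$DG_NAME" "$1"
}

lakehouse_statements() {
  lh_where=""
  [ -n "${2:-}" ] && lh_where=" where target.bucket.name='$2'"
  printf "Allow dynamic-group %s to read buckets in compartment id %s%s\n" "$DG_NAME" "$1" "$lh_where"
  printf "Allow dynamic-group %s to read objects in compartment id %s%s\n" "$DG_NAME" "$1" "$lh_where"
}

genai_statements() {
  printf "Allow dynamic-group %s to use generative-ai-chat in compartment id %s\n" "$DG_NAME" "$1"
  printf "Allow dynamic-group %s to use generative-ai-text-embedding in compartment id %s\n" "$DG_NAME" "$1"
}

# Convert newline-separated statements on stdin into the JSON array expected by
# `oci iam policy create --statements`. Statements contain no double quotes.
to_json_array() {
  first=1
  printf '['
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    [ "$first" -eq 1 ] || printf ','
    printf '"%s"' "$line"
    first=0
  done
  printf ']'
}

# Print the command in dry-run mode; execute it only when OCI_APPLY=1.
run() {
  if [ "${OCI_APPLY:-0}" = "1" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

main() {
  is_compartment_ocid "$COMPARTMENT_OCID" || { echo "not a compartment OCID: $COMPARTMENT_OCID" >&2; return 1; }
  run oci iam dynamic-group create --name "$DG_NAME" \
    --description "HeatWave DB systems allowed to use resource principals" \
    --matching-rule "$(matching_rule "$COMPARTMENT_OCID" "$DBSYSTEM_OCID")"
  run oci iam policy create --compartment-id "$COMPARTMENT_OCID" --name heatwave-rp-byoc \
    --description "Resource principal: read certificates" \
    --statements "$(byoc_statements "$COMPARTMENT_OCID" | to_json_array)"
  run oci iam policy create --compartment-id "$COMPARTMENT_OCID" --name heatwave-rp-lakehouse \
    --description "Resource principal: read Object Storage" \
    --statements "$(lakehouse_statements "$COMPARTMENT_OCID" "$LAKE_BUCKET" | to_json_array)"
  run oci iam policy create --compartment-id "$COMPARTMENT_OCID" --name heatwave-rp-genai \
    --description "Resource principal: use OCI Generative AI" \
    --statements "$(genai_statements "$COMPARTMENT_OCID" | to_json_array)"
}

main
```

Each policy is attached to the same compartment it grants access in, so it cannot reach resources elsewhere in the tenancy; if you only enable one feature, run only that feature's policy command. After applying, `oci iam dynamic-group list` and `oci iam policy list --compartment-id <ocid>` show what was created.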