2

Identity and Access Management

Service
March 2019, v1
jayakrishnan.lakshmanan@oracle.com

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Identity and Access Management Service
• Identity and Access Management Service (IAM) enables you to control who can do what in
your OCI account
• Control who can access your OCI account
• What services and resources they can use
• How they can use these services and resources
• Resource is a cloud object that you create and use in OCI (e.g. compute instances, block
storage volumes, Virtual Cloud Networks)
• IAM uses traditional identity concepts such as Principals, Users, Groups, Policies
• OCI IAM introduces a new feature called Compartments

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-2
Principals
• A principal is an IAM entity that is allowed to interact with OCI resources
• Principals – IAM Users/Groups and Instance Principals
• IAM Users/Groups
• Users are persistent identities setup through IAM service to represent individual people or applications
• When customers sign-up for an OCI account, the first IAM user is the default administrator
• Default administrator sets up other IAM users and groups
• Users enforce security principle of least privilege
o User has no permissions until placed in one (or more) groups and
o Group having at least one policy with permission to tenancy or a compartment

• Group is a collection of users who all need the same type of access to a particular set of resources
• Same user can be member of multiple groups
• Instance Principals
• Instance Principals lets instances (and applications) to make API calls against other OCI services
removing the need to configure user credentials or a configuration file

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-3
Authentication
IAM service authenticates a Principal by –
• User name & Password
• You use the password to sign in to the web console
• An administrator will provide you with a one-time password when setting up your account
• At your first log in, you are prompted to reset the password

• API Signing Key

• Required when using the OCI API in conjunction with the
SDK/CLI
• Key is an RSA key pair in the PEM format (min 2048 bits)
• You can upload the Public key to OCI user accounts via
console
• Auth Tokens
• Oracle-generated token strings to authenticate with 3rd
party APIs that do no support OCI signature-based
authentication (e.g. ADW)

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-4
Authorization
• Authorization specifies various actions an authenticated Principal can perform
• OCI Authorization - define specific privileges in policies and associating them with principals
• Supports security principle of least privilege; by default, users are not allowed to perform any actions
(policies cannot be attached to users, but only groups)
• Policies are comprised of one or more statements which specify what groups can access what resources
and at what level of access
• Policies are written in human-readable format:
• Allow group <group_name> to <verb> <resource-type> in tenancy
• Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where
<conditions>]

• Policy Attachment: Policies can be attached to a compartment or the tenancy. Where you attach it controls
who can then modify it or delete it.

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-5
 Policy Syntax
Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Verb Type of access Resource-type

Individual resource type
Family
inspect Ability to list resources
all-resources
Includes inspect + ability to get database-family db-systems, db-nodes, db-homes, databases
read user-specified metadata/actual
resource instances, instance-images, volume-attachments,
instance-family
console-histories
Includes read + ability to work
use with existing resources (the object-family buckets, objects
actions vary by resource type)* virtual-network- vcn, subnet, route-tables, security-lists, dhcp-
family options, and many more resources.
Includes all permissions for the
manage
resource volume-family Volumes, volume-attachments, volume-backups

* In general, this verb does not include the ability The IAM Service has no family resource-type, only individual ones; Audit and Load
to create or delete that type of resource Balancer have individual resources (load-balancer, audit-events)

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-6
 Verb Permissions API Operation
Verbs & Permissions
ListVolumes
• Permissions are the atomic units of authorization
inspect
that control a user's ability to perform operations VOLUME_INSPECT

on resources GetVolume
read VOLUME_INSPECT

• When you write a policy giving a group access to

a particular verb and resource-type, you're
actually giving that group access to one or more read + …..
predefined permissions
Volume-family use VOLUME_UPDATE

• As you go from inspect > read > use > manage,

the level of access generally increases, and the
VOLUME_WRITE
permissions granted are cumulative

• Each API operation requires the caller to have use +

…..
access to one or more permissions. E.g., to use
either ListVolumes or GetVolume, you must have manage VOLUME_CREATE CreateVolume
access to a single permission:
VOLUME_INSPECT
VOLUME_DELETE DeleteVolume

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-7
Common Policies
1. Network Admins manage a cloud network
• Allow group NetworkAdmins to manage virtual-network-family in tenancy

2. Object writers write to Object Storage

• Allow group ObjectWriters to manage objects in compartment ABC where any
{request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}

3. Block Storage and Object Storage encrypt and decrypt volumes and buckets
• Allow service blockstorage, objectstorage-<region_name> to use keys in compartment ABC

Refer: https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/commonpolicies.htm

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-8
Compartment
• A compartment is a collection of related resources (VCN, instances,..) that can be accessed only by
groups that have been given permission (by an administrator in your organization)
• Compartments help you organize and control access to your resources
• Design considerations:
• Each resource belongs to a single compartment but resources can be connected/shared across
compartments (VCN and its subnets can live in different compartments)
• A compartment can be deleted after creation or renamed
• A compartment can have sub compartments that can be up to six levels deep
• A resource can't be reassigned to a different compartment after creation (exception: Buckets)
• After creating a compartment, you need to write at least one policy for it, otherwise it cannot be
accessed (except by administrators or users who have permission to the tenancy)
• Sub compartment inherits access permissions from compartments higher up its hierarchy

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-9
When you sign up for OCI
Service Limits

Tenancy
Root Compartment
Policy Allow group Administrators to manage all-resources
in tenancy
Default Administrator Groups
xx.yy@companyABC.com Administrators

• Oracle sets up a default administrator for the account

• Default Group Administrators
• Cannot be deleted and there must always be at least one user in it
• Any other users placed in the Administrators group will have full access to all of resources
• Tenancy Policy gives Administrators group access to all resources – this policy can’t be deleted/changed

• Root Compartment can hold all the cloud resources

• Best practice is to create dedicated Compartments when you need to isolate resources

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 10

Instance Principals
Instance Principals lets instances (and applications) to make API calls against other OCI
services removing the need to configure user credentials or a configuration file

Current problem
• Storing API credentials on each instance
• Credential rotation
• Audits at instance level are impossible since credentials are same across hosts

How does Instance principals solve the problem?

• Instance Principals gives instances their own identity, instances become a new type of Principal (in
addition to OCI IAM users/groups)
• Dynamic groups allows policy to be defined on instances
• In the Audit, you will see the instance Id making the API call

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 11

Instance Principals
• Authentication is at instance level
• Customers don’t do any credential management
• Authorization is done via Dynamic Groups
• Dynamic groups allow you to group OCI instances as principal actors, similar to user groups. Policy is set
at Dynamic Group level.
• Membership in the group is determined by a set of criteria called matching rules. Resources that match
the rule criteria are members of the dynamic group
• Services that support Instance Principals - Compute, Block Volume, Networking, Load Balancing, Object
Storage

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 12

Step1: create a Dynamic Group that matches a set of instances

Possible to exclude specific instances

from a Dynamic Group
All {instance.compartment.id =
'<compartment_ocid>', instance.id !=
'<instance1_to_exclude_ocid>', instance.id !=
'<instance2_to_exclude_ocid>'}

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 13

Step2: create a Policy with permissions for instances

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 14

Step3: customer deploys code to an instance
OCI SDK/CLI is able to make calls to OCI APIs without customer configured credentials
[opc@webserver1 .oci]$ cat config
[DEFAULT]
user=ocid1.user.oc1..aaaaaaaag3635pdkcXXXXXXXXXXXxqzeqiry2wzawa4zqk2xkx4z7q
fingerprint=93:4f:c0:c3:26:XX:XX:XX:XX:17:60:78:23:e1:1c:90
# key_file=/home/opc/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.oc1..aaaaaaaaxy6bh46cdnlfpXXXXXXXX2hc2sbj4ph3ocxtfxhhva2hna
region=us-ashburn-1

[opc@webserver1 .oci]$ oci os ns get

ERROR: The config file at ~/.oci/config is invalid:

+Config Errors-------+--------------------------------------------------------+
| Key | Error | Hint |
+----------+---------+--------------------------------------------------------+
| key_file | missing | the full path and filename of the private PEM key file |
+----------+---------+--------------------------------------------------------+
[opc@webserver1 .oci]$

[opc@webserver1 .oci]$ oci os ns get --auth instance_principal

{
"data": ”testbucket"
}

Java and Python SDKs and Terraform also support Instance Principal authorization

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 15

Federation
• OCI provides federation with Oracle IDCS, Microsoft Active Directory and any identity
provider that supports the Security Assertion Markup Language (SAML) 2.0 protocol

• First, a federation trust is setup between the

Identity Provider (IdP) and OCI
• Any person in your company who goes to
OCI Console is prompted with a SSO experience
provided by the IdP
• The user signs in with the login/password that
they've already set up with the IdP and use
elsewhere
• The IdP authenticates the user, and then that
user can access OCI resources

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 16

Working with PaaS/PSM based Services on OCI

Lot of PSM based services are being on-boarded to OCI.

Customers need to follow the prerequisites mentioned in the following documentation so that the PSM
Service has access to OCI Tenancy.

https://docs.cloud.oracle.com/iaas/Content/General/Reference/PaaSprereqs.htm

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 17

Summary
• Identity and Access Management Service (IAM) enables you to control who can do what in
your OCI account
• IAM service Principals – Users/Groups, Instance Principals
• Authentication done through username/password and API Signing Keys
• Authorization done by defining specific privileges in Policies and associating them with
Principals
• Policies are comprised of one or more human-readable statements which specify what groups
can access what resources and what level of access users in that group have
• Compartment, a unique OCI feature, can be used to organize and isolate related cloud
resources

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 18

Questions/Feedback?

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 19