IAM 101 - Identity and Access Management

PreviousOCI 101 NextOCI Virtual Cloud Networks

Last updated 3 years ago

Was this helpful?

IAM 101 - Identity and Access Management

IAM 101

IAM controls what type of access a user has and to which resources
Resource = a cloud object (compute, blockstorage, vcn). Each resource has a unique OCID (Oracle Cloud ID)
Principal = an IAM entity that is allowed to interact with OCI resources. It can be an IAM user or an Instance Principal.
- IAM users = persistent identities that represent people or applications. The 1st IAM user is the default administrator. Users enforce security principles of least privileges:
  - User has no permission until placed in one or more groups
  - Groups have at least 1 policy with permission to tenancy and compartment
- Instance principals = let instances and apps make API calls to OCI services without the need to configure user credentials as config file

Authentication mechanisms

user/password
API Signing Key (PEM format, min 2048 bits)
Authentication tokens = for authentication with 3rd party APIs that do not support OCI signature-based authentication

Terraform Links:

Authorization

Policies can't be attached to users, only to groups
Policies are in human readable format:
- Allow group GROUP_NAME to VERB RESOURCE_TYPE in tenancy
- Allow group GROUP_NAME to VERB RESOURCE_TYPE in compartment COMPARTMENT [where CONDITIONS]
  - VERB:
    Inspect = list resources
    Read = ^ + get resource meta-data
    Use = ^ + work with resource (depending on the resource type) (can't create/delete)
    Manage = all permissions
  - All-resources
    Database-family
    Instance-family
    Object-family
    Virtual-network-family
    Volume-family

Terraform Links:

Compartments

Compartment = a logical collection of resources
Subcompartments = up to 6 levels. A subcompartment inherits higher level policies
Some resource can't be assigned to a different compartment after creation.
Root comportment exists by default and resources could get assigned to it if nothing else is selected

Federation

Supported methods:

Oracle IDCS
Microsoft AD
Any SAML2.0 protocol compatible service

Federation setup

A federation trust is established between Identity Providers (IdP) and OCI
A user accessing the OCI console will be presented with SSO
IdP authenticates users and then users can access the OCI resources

Tagging

There are 2 types of tags:

Free form tags {Key:value}
Defined tags
- Namespace key - can't be deleted, but retired.

Resource Locations

Global
- IAM
- Key Vaults, Keys
- DNS
Availability Domain
- Subnet
- Compute instances
- Block Volume
- DB Systems
- File System ( & Mount Target)
- Ephemeral Public IPs
Regional
- Everything else

PreviousOCI 101 NextOCI Virtual Cloud Networks

Last updated 3 years ago

Was this helpful?

IAM 101

IAM controls what type of access a user has and to which resources
Resource = a cloud object (compute, blockstorage, vcn). Each resource has a unique OCID (Oracle Cloud ID)
Principal = an IAM entity that is allowed to interact with OCI resources. It can be an IAM user or an Instance Principal.
- IAM users = persistent identities that represent people or applications. The 1st IAM user is the default administrator. Users enforce security principles of least privileges:
  - User has no permission until placed in one or more groups
  - Groups have at least 1 policy with permission to tenancy and compartment
- Instance principals = let instances and apps make API calls to OCI services without the need to configure user credentials as config file

Authentication mechanisms

user/password
API Signing Key (PEM format, min 2048 bits)
Authentication tokens = for authentication with 3rd party APIs that do not support OCI signature-based authentication

Terraform Links:

Authorization

Policies can't be attached to users, only to groups
Policies are in human readable format:
- Allow group GROUP_NAME to VERB RESOURCE_TYPE in tenancy
- Allow group GROUP_NAME to VERB RESOURCE_TYPE in compartment COMPARTMENT [where CONDITIONS]
  - VERB:
    Inspect = list resources
    Read = ^ + get resource meta-data
    Use = ^ + work with resource (depending on the resource type) (can't create/delete)
    Manage = all permissions
  - RESOURCE_TYPE (For a list of all resource families and resource types, see )
    All-resources
    Database-family
    Instance-family
    Object-family
    Virtual-network-family
    Volume-family

Terraform Links:

Compartments

Compartment = a logical collection of resources
Subcompartments = up to 6 levels. A subcompartment inherits higher level policies
Some resource can't be assigned to a different compartment after creation.
Root comportment exists by default and resources could get assigned to it if nothing else is selected

Terraform links:

Federation

Supported methods:

Oracle IDCS
Microsoft AD
Any SAML2.0 protocol compatible service

Federation setup

A federation trust is established between Identity Providers (IdP) and OCI
A user accessing the OCI console will be presented with SSO
IdP authenticates users and then users can access the OCI resources

Terraform links:

Tagging

There are 2 types of tags:

Free form tags {Key:value}
Defined tags
- Namespace key - can't be deleted, but retired.

Terraform links:

Resource Locations

Global
- IAM
- Key Vaults, Keys
- DNS
Availability Domain
- Subnet
- Compute instances
- Block Volume
- DB Systems
- File System ( & Mount Target)
- Ephemeral Public IPs
Regional
- Everything else