Configure Dynamic Groups, Network Sources, and Tag-Based Access Control

Summary

Dynamic groups, network sources, and Tag-Based Access Control (TBAC) allow for a finer-grain of control over policies through tags and IP addresses more than provided by user, group, and compartment definitions.

Reference

• Infrastructure Services
• IAM without Identity Domains
• Managing Dynamic Groups
• Managing Network Sources
• Tagging

Dynamic Groups

The OCI CLI help text for oci iam dynamic-group says:

A dynamic group defines a matching rule. Every bare metal or virtual machine instance is deployed with an instance certificate. The certificate contains metadata about the instance. This includes the instance OCID and the compartment OCID, along with a few other optional properties. When an API call is made using this instance certificate as the authenticator, the certificate can be matched to one or multiple dynamic groups. The instance can then get access to the API based on the permissions granted in policies written for the dynamic groups.

This works like regular user/group membership. But in that case, the membership is a static relationship, whereas in a dynamic group, the membership of an instance certificate to a dynamic group is determined during runtime.…

A dynamic group is for compute instances (instance principals) so that access by those compute instances to resources such as services can be controlled. The dynamic group can only exist in a tenancy, not in any subcompartment of the tenancy. The name of the dynamic group is immutable.

To create a dynamic group that contains all compute instances in the Sandbox compartment, run the following commands:

export sandbox_comp_ocid=$( \
  oci iam compartment list  \
    --name 'Sandbox'        \
    --query 'data[0].id'    \
    --raw-output            \
)
oci iam dynamic-group create                                          \
  --name 'Sandbox-Servers'                                            \
  --description 'Compute instances in the Sandbox'                    \
  --matching-rule "instance.compartment.id = '${sandbox_comp_ocid}'"

The sample output is:

{
  "data": {
    "compartment-id": "ocid1.tenancy.oc1..aaaaaaaa7ilqdzmkbqduujc3tt6zrl2n2ytcughcjoidozg4memj2k4cm7na",
    "defined-tags": {
      "Oracle-Tags": {
        "CreatedBy": "default/tenancy_admin",
        "CreatedOn": "2024-07-12T20:31:31.690Z"
      }
    },
    "description": "Compute instances in the Sandbox",
    "freeform-tags": {},
    "id": "ocid1.dynamicgroup.oc1..aaaaaaaaleu3nq4i6viqsy3on7yps6q3hxwfdwrog2tyn2fc73rksrtlg7ua",
    "inactive-status": null,
    "lifecycle-state": "ACTIVE",
    "matching-rule": "instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaamoo6uz2qmix2adls2cgoqxxhdt4wuam3wbcrw6co6z4osweos6da'",
    "name": "Sandbox-Servers",
    "time-created": "2024-07-12T20:31:31.789000+00:00"
  },
  "etag": "b1e1ef5e1fe240cda8682db9c7db6589"
}

To find members, a query will have to be contructed that matches the matching-rule.

Network Sources

The help text for the oci iam network-sources command says:

A network source specifies a list of source IP addresses that are allowed to make authorization requests. Use the network source in policy statements to restrict access to only requests that come from the specified IPs.…

To create a network sources for web servers in the Sandbox, run the following command:

oci iam network-sources create                                           \
  --name 'Sandbox-Web-Servers'                                           \
  --description 'Authorised IP addresses for Web Servers in the Sandbox' \
  --public-source-list '["192.168.1.0/24"]'                              \
  --compartment-id ${OCI_CLI_TENANCY}

This failed with the following error messages because the always free account does not have access to network sources:

ServiceError:
{
    "client_version": "Oracle-PythonSDK/2.126.4, Oracle-PythonCLI/3.41.0",
    "code": "UserCapacityExceeded",
    "logging_tips": "Please run the OCI CLI command using --debug flag to find more debug information.",
    "message": "Maximum number of network source for IP-based policy [0] reached in tenant ocid1.tenancy.oc1..aaaaaaaa7ilqdzmkbqduujc3tt6zrl2n2ytcughcjoidozg4memj2k4cm7na",
    "opc-request-id": "F7C57B639C7843CABBB1B5919D31EF8A/24ED34561B43E5D30DBFB442FE411EAF/B68265767DF3721C5BA561861E20A702",
    "operation_name": "create_network_source",
    "request_endpoint": "POST https://identity.ap-sydney-1.oci.oraclecloud.com/20160918/networkSources",
    "status": 409,
    "target_service": "identity",
    "timestamp": "2024-07-12T21:28:39.917292+00:00",
    "troubleshooting_tips": "See [https://docs.oracle.com/iaas/Content/API/References/apierrors.htm] for more information about resolving this error. If you are unable to resolve this issue, run this CLI command with --debug option and contact Oracle support and provide them the full error message."
}

Note: The network sources must be specified in a tenancy, not in any sub-compartment.

Tag-Based Access Control

The study giude says:

• Tag-based access control (TBAC) allows to define policies with tags that span compartments, group, and resources
• Scope access based on the tags applied to resource
• TBAC = conditions + set of tag variables
• Access can be controlled bases on a tag:
• On the requesting resource (group, dynamic group, or compartment)
• On the target of the request (resource or compartment)

Tag variables are of the form:

• Requestor
• request.principal.group.tag.{tagnamespace}.{tagkey}='<value>'
• request.principal.compartment.tag.{tagnamespace}.{tagkey}='<value>'
• Target
• target.resource.tag.{tagnamespace}.{tagkey}='<value>'
• target.resource.compartment.tag.{tagnamespace}.{tagkey}='<value>'