Summary
The primary OCI CLI command is `oci iam policy`, which has three (3) subcommands that change policies: `create`, `update` and `delete` (`list`, used below, reads them). Policies are associated with a compartment. A policy statement is of the form:

ALLOW <principal> TO <access_level> <resource> IN {TENANCY|COMPARTMENT <compartment>}

with an optional conditional clause, WHERE <condition>.
There are four (4) levels of access: inspect (lowest); read; use; and manage (highest). Each level includes the ones below it.
Policy Definition
The help text for the `oci iam policy` command defines Policy as:
A document that specifies the type of access a group has to the resources in a compartment. For information about policies and other IAM Service components, see Overview of IAM. If you’re new to policies, see Get Started with Policies.
The word “policy” is used by people in different ways:
- An individual statement written in the policy language
- A collection of statements in a single, named “policy” document (which has an Oracle Cloud ID (OCID) assigned to it)
- The overall body of policies your organization uses to control access to resources
List All Policies in Tenancy
Run the following commands to list all policies in the tenancy:
```shell
oci iam policy list \
  --compartment-id ${OCI_CLI_TENANCY} \
  --query 'data[*].[description,name,statements]'
```
The sample output is:
```json
[
  [
    "Temporary policy for /bootstrapDefaultDomain API's whitelisted services. Gives access to IAM work request APIs and ability to delete these policy when access is no longer needed.",
    "BootstrapProvisioning",
    [
      "ALLOW SERVICE tenancylifecycleservice to {IAM_WORKREQUEST_READ, IAM_WORKREQUEST_INSPECT} IN TENANCY",
      "ALLOW SERVICE tenancylifecycleservice to {POLICY_DELETE} IN TENANCY where target.policy.name='BootstrapProvisioning'"
    ]
  ],
  [
    "PSM managed compartment root policy",
    "PSM-root-policy-compartments",
    [
      "allow service PSM to manage all-resources in compartment managedcompartmentforpaas",
      "allow service OracleEnterpriseManager to manage all-resources in compartment managedcompartmentforpaas",
      "allow service PSM to manage users in tenancy where target.user.name = /__PSM*/",
      "allow any-user to manage all-resources in compartment managedcompartmentforpaas where request.user.name = /__PSM*/",
      "allow any-user to manage all-resources in compartment managedcompartmentforpaas where request.instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa6wcn7fgccosatmofyxgmgtrntfqd6wcitewbdyjlc2rbjptwq5oq'",
      "allow service PSM to inspect tenant in tenancy",
      "allow service PSM to inspect compartments in tenancy"
    ]
  ],
  [
    "Tenant Admin Policy",
    "Tenant Admin Policy",
    [
      "ALLOW GROUP Administrators to manage all-resources IN TENANCY"
    ]
  ],
  [
    "VNPA-Exec-Policy description",
    "VNPA-Tenancy-Policy",
    [
      "allow any-user to inspect compartments in tenancy where all { request.principal.type = 'vnpa-service' }",
      "allow any-user to read instances in tenancy where all { request.principal.type = 'vnpa-service' }",
      "allow any-user to read virtual-network-family in tenancy where all { request.principal.type = 'vnpa-service' }",
      "allow any-user to read load-balancers in tenancy where all { request.principal.type = 'vnpa-service' }",
      "allow any-user to read network-security-group in tenancy where all { request.principal.type = 'vnpa-service' }"
    ]
  ]
]
```
List All Policies in Sandbox
To list all policies in the Sandbox compartment, run the following commands:
```shell
sandbox_ocid=$( \
  oci iam compartment list \
    --compartment-id ${OCI_CLI_TENANCY} \
    --query 'data[0].id' \
    --name "Sandbox" \
    --raw-output \
)
oci iam policy list \
  --compartment-id ${sandbox_ocid} \
  --query 'data[*].{name:name,description:description,statements:statements}' \
  --output table
```
Sample output is:
```
+-------------------------+-----------------+-----------------------------------------------------------------------------------------+
| description             | name            | statements                                                                              |
+-------------------------+-----------------+-----------------------------------------------------------------------------------------+
| Policies for oci admins | oci-admin-group | ["Allow group 'Test'/'oci-admin-group' to manage all-resources in compartment Sandbox"] |
+-------------------------+-----------------+-----------------------------------------------------------------------------------------+
```
Manage Policies
According to the help text for the `oci iam policy` command, there are three (3) subcommands that change policies:
- create
- delete
- update
Policy Statement Structure
According to Policy Syntax, the structure of a policy statement is:
```
Allow <subject> to <verb> <resource-type> in <location> where <conditions>
```
Policy Subjects
<subject> is one of:
- `any-user` (avoid in favour of `any-group`)
- `any-group` (includes all groups and instance principals)
- `group <group_name>`
- `group id <group_ocid>`
- `dynamic-group <dynamic_group_name>`
- `dynamic-group id <dynamic_group_id>`
- `service <service_name>`
- `service id <service_ocid>` (I assume this exists based on other variables)
- `<user_name>`
- `id <user_ocid>` (I assume this exists based on other variables)
Note that `service`, `service id`, and `id` are not mentioned in the OCI documentation.
Policy Verbs
According to Verbs, <verb> is one of the following, each level including the ones before it:
- `inspect`: Ability to list resources, without access to any confidential information or user-specified metadata that may be part of that resource.
- `read`: Includes `inspect` plus the ability to get user-specified metadata and the actual resource itself.
- `use`: Allows `inspect` and `read` as well as updating a resource, unless the update is equivalent to creating the resource.
- `manage`: Allows all access to the resource, including creation and deletion.
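The listing commands earlier on this page return each policy's statements as plain strings, so checking them against the statement grammar and the verb hierarchy in the last three sections is a text-parsing job. The Python below is an added example, not code from this page or from Oracle's CLI: it parses statements in the `oci iam policy list --query 'data[*].[description,name,statements]'` shape shown in the tenancy listing (including the brace-delimited permission-set form such as `{POLICY_DELETE}`, which has no resource-type) and flags the grants a reviewer looks at first: `any-user`/`any-group` with no `where` clause, `manage all-resources in tenancy`, and `any-user` at `use` or higher even when a condition is present. The sample input reuses statements from that listing plus one constructed `Sandbox-Readers` policy; the three flagging rules, the function names and the `grant_level` ranking are this example's own choices.

```python
"""Audit OCI IAM policy statements taken from `oci iam policy list` output (added example)."""
import json
import re

# Verb hierarchy from the Verbs section: each level includes the ones below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# One statement, per Policy Syntax:
#   Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
# The verb slot may instead hold a brace-delimited permission set with no
# resource-type, e.g. "to {POLICY_DELETE} IN TENANCY" in the tenancy listing.
STATEMENT_RE = re.compile(
    r"""^\s*allow\s+(?P<subject>.+?)\s+to\s+
        (?P<verb>\{[^}]*\}|inspect|read|use|manage)
        (?:\s+(?P<resource>[^\s{}]+))?
        \s+in\s+(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)
        (?:\s+where\s+(?P<condition>.+?))?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def parse_statement(stmt):
    """Split one statement into its clauses; None if it does not fit the grammar."""
    m = STATEMENT_RE.match(stmt)
    if m is None:
        return None
    verb = m.group("verb")
    loc = m.group("location").split()
    return {
        "subject": m.group("subject").strip(),
        # Keywords are case-insensitive; permission sets are kept as written.
        "verb": verb if verb.startswith("{") else verb.lower(),
        "resource": (m.group("resource") or "").lower() or None,
        "location": " ".join([loc[0].lower()] + loc[1:]),  # keep compartment name case
        "condition": m.group("condition"),
    }


def grant_level(verb):
    """Position on the inspect < read < use < manage ladder; permission sets rank -1."""
    return VERB_RANK.get(verb.lower(), -1)


def audit_policy_list(policy_list):
    """Audit the parsed JSON of
    oci iam policy list --query 'data[*].[description,name,statements]'
    i.e. a list of [description, name, statements].
    Returns (findings, unparsed): findings are (policy_name, statement, reason);
    unparsed are (policy_name, statement) pairs the grammar above did not accept.
    """
    findings, unparsed = [], []
    for _description, name, statements in policy_list:
        for stmt in statements:
            p = parse_statement(stmt)
            if p is None:
                unparsed.append((name, stmt))
                continue
            subject_type = p["subject"].split()[0].lower()
            if subject_type in ("any-user", "any-group") and p["condition"] is None:
                findings.append((name, stmt, "any-user/any-group grant with no where clause"))
            if p["verb"] == "manage" and p["resource"] == "all-resources" and p["location"] == "tenancy":
                findings.append((name, stmt, "manage all-resources in tenancy: full tenancy admin"))
            if subject_type == "any-user" and grant_level(p["verb"]) >= VERB_RANK["use"]:
                findings.append((name, stmt, "any-user may change state; review the where clause"))
    return findings, unparsed


# Sample listing in the shape of the tenancy output on this page. The first four
# entries are taken from that output; the "Sandbox-Readers" entry is constructed
# for this example and is not a policy from the page.
SAMPLE_OUTPUT = json.loads(r"""
[
  ["Tenant Admin Policy", "Tenant Admin Policy",
   ["ALLOW GROUP Administrators to manage all-resources IN TENANCY"]],
  ["Temporary policy for /bootstrapDefaultDomain API's whitelisted services. Gives access to IAM work request APIs and ability to delete these policy when access is no longer needed.", "BootstrapProvisioning",
   ["ALLOW SERVICE tenancylifecycleservice to {IAM_WORKREQUEST_READ, IAM_WORKREQUEST_INSPECT} IN TENANCY",
    "ALLOW SERVICE tenancylifecycleservice to {POLICY_DELETE} IN TENANCY where target.policy.name='BootstrapProvisioning'"]],
  ["PSM managed compartment root policy", "PSM-root-policy-compartments",
   ["allow service PSM to inspect compartments in tenancy",
    "allow any-user to manage all-resources in compartment managedcompartmentforpaas where request.user.name = /__PSM*/"]],
  ["VNPA-Exec-Policy description", "VNPA-Tenancy-Policy",
   ["allow any-user to read instances in tenancy where all { request.principal.type = 'vnpa-service' }"]],
  ["Constructed example, not from the page", "Sandbox-Readers",
   ["allow any-user to read buckets in compartment Sandbox",
    "permit group Auditors to peek at buckets in compartment Sandbox"]]
]
""")

if __name__ == "__main__":
    found, bad = audit_policy_list(SAMPLE_OUTPUT)
    for name, stmt, reason in found:
        print(f"[{name}] {reason}\n    {stmt}")
    for name, stmt in bad:
        print(f"[{name}] could not parse: {stmt}")
```

Against the sample, the `Tenant Admin Policy` statement is flagged as full tenancy admin, the PSM `any-user ... manage` statement is flagged for review despite its `where` clause, and the constructed unconditional `any-user` read is flagged; the VNPA statement passes because it is read-only and conditioned, and the malformed `permit ...` line is reported as unparsed rather than silently skipped. To run it on a real tenancy, feed the JSON from the `oci iam policy list` command above into `audit_policy_list` and repeat per compartment, since policies are scoped to the compartment they are created in.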