Copy Objects Across Tenancies Within a Region

April 15, 2019 | 2 minute read
Sanjay Basu
Sr. Director, AI/ML GPU Services

This post was developed jointly with Mohamad Charaf, Oracle Enterprise Cloud Architect.

If you have two tenancies in the same region, and you want to copy data that is stored in Object Storage from one tenancy to the other without making the buckets public, this action requires some additional types of identity and access management (IAM) policies.

This blog post walks you through how to create these policies. For this example, the source tenancy is named ACMEBMCS and the destination tenancy is named ACMEOCISA. In ACMEBMCS, the Object Storage buckets are in the benchmark compartment. In ACMEOCISA, the target compartment is oracleexa.

The following activities are required to enable copying across tenancies:

  1. Object Storage needs permission to access the source and the destination buckets.

  2. Both the source and destination tenancies require IAM policies to permit the copy. The tenancy that is the destination for the copy must have a policy with at least the following permissions:

    define tenancy CopySourceTenancy as <ocid_for_source_tenancy>
    
    define group CopySourceGroup as <ocid_for_group_in_source_tenancy>
    
    admit group CopySourceGroup of tenancy CopySourceTenancy to {OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_INSPECT, OBJECT_DELETE} in tenancy

  3. The source tenancy of the copy operation must have policies in place with at least the following permissions:

    define tenancy CopyDestinationTenancy as <ocid_for_destination_tenancy>
    
    endorse group <group_name_in_source_tenancy> to {OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_INSPECT, OBJECT_DELETE} in tenancy CopyDestinationTenancy
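As an added example (not part of the original post or any Oracle tooling), the following Python checks that a pair of policies satisfies steps 2 and 3 above: it resolves the define aliases to OCIDs, confirms the destination admits the intended source group and tenancy, confirms the source endorses the destination tenancy, and reports any of the five required permissions missing on either side. The OCIDs and the group name ObjectCopyAdmins are constructed placeholders.

```python
import re
# Minimum permission set the post requires on both sides of the copy.
REQUIRED = {"OBJECT_READ", "OBJECT_CREATE", "OBJECT_OVERWRITE", "OBJECT_INSPECT", "OBJECT_DELETE"}
DEFINE = re.compile(r"^define\s+(tenancy|group)\s+(\S+)\s+as\s+(\S+)$", re.I)
ADMIT = re.compile(r"^admit\s+group\s+(\S+)\s+of\s+tenancy\s+(\S+)\s+to\s+\{([^}]*)\}\s+in\s+tenancy$", re.I)
ENDORSE = re.compile(r"^endorse\s+group\s+\S+\s+to\s+\{([^}]*)\}\s+in\s+tenancy\s+(\S+)$", re.I)

def aliases(stmts):
    """Map (kind, alias) from 'define' statements to the OCID they stand for."""
    out = {}
    for s in stmts:
        m = DEFINE.match(s.strip())
        if m:
            out[(m.group(1).lower(), m.group(2).lower())] = m.group(3)
    return out

def perms(text):
    return {p.strip().upper() for p in text.split(",") if p.strip()}

def check_pair(source_stmts, dest_stmts, source_tenancy, dest_tenancy, source_group):
    """Return problems found; an empty list means the admit/endorse pair is complete."""
    problems, dst, src = [], aliases(dest_stmts), aliases(source_stmts)
    admits = [m for m in map(ADMIT.match, (s.strip() for s in dest_stmts)) if m
              and dst.get(("group", m.group(1).lower())) == source_group
              and dst.get(("tenancy", m.group(2).lower())) == source_tenancy]
    endorses = [m for m in map(ENDORSE.match, (s.strip() for s in source_stmts)) if m
                and src.get(("tenancy", m.group(2).lower())) == dest_tenancy]
    if not admits:
        problems.append("destination has no admit for the source group and tenancy")
    if not endorses:
        problems.append("source has no endorse targeting the destination tenancy")
    for label, ms, idx in (("destination admit", admits, 3), ("source endorse", endorses, 1)):
        for m in ms:
            missing = REQUIRED - perms(m.group(idx))  # permissions the statement leaves out
            if missing:
                problems.append(f"{label} lacks {sorted(missing)}")
    return problems

# Constructed sample with placeholder OCIDs, mirroring the two policies in the post.
SRC_OCID, DST_OCID, GRP_OCID = "ocid1.tenancy..src", "ocid1.tenancy..dst", "ocid1.group..copy"
DEST_POLICY = [
    f"define tenancy CopySourceTenancy as {SRC_OCID}",
    f"define group CopySourceGroup as {GRP_OCID}",
    "admit group CopySourceGroup of tenancy CopySourceTenancy to {OBJECT_READ, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_INSPECT, OBJECT_DELETE} in tenancy",
]
SOURCE_POLICY = [  # deliberately missing OVERWRITE and DELETE so the checker has something to report
    f"define tenancy CopyDestinationTenancy as {DST_OCID}",
    "endorse group ObjectCopyAdmins to {OBJECT_READ, OBJECT_CREATE, OBJECT_INSPECT} in tenancy CopyDestinationTenancy",
]
```

Running `check_pair(SOURCE_POLICY, DEST_POLICY, SRC_OCID, DST_OCID, GRP_OCID)` reports the two permissions the sample source endorse omits.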

Using the console UI, the following policies were created for this example:

Source Tenancy Policy

Target Tenancy Policy

The instance principal from the destination tenancy initiates the copy process.

This example used object copy within the same region. If you're interested in cross-region copy, you can essentially use the same IAM policies and permissions. We've created a repository of guides especially for managing Object Storage with IAM policies using Terraform.

For additional background reading, review our foundational blog post on IAM best practices.
