Configuring Identity and Access Management (IAM) policies to use Full Stack DR

January 18, 2023 | 6 minute read
Suraj Ramesh
Principal Product Manager

Oracle Cloud Infrastructure (OCI) Full Stack Disaster Recovery manages the transition of infrastructure, platforms, and applications between OCI regions around the globe with a single click from the OCI Console, the CLI, or the REST API.

OCI Identity and Access Management (IAM) lets you control who has access to your cloud resources: what type of access a group of users has, and to which specific resources. The recommended practice is to write policies that enforce least privilege and to add permissions gradually as they are required. In this post we assign only the policies needed to use Full Stack DR, so that access to the OCI resources it manages stays controlled. For more details, refer to the IAM best practices for OCI.

In this blog post, we walk through an OCI administrator creating the IAM components (users, groups, dynamic groups, and policies) required to use Full Stack DR, plus the IAM policies Full Stack DR needs to interact with the OCI core services. Refer to the OCI IAM documentation for more about the individual IAM components. Finally, we verify access to Full Stack DR by logging in as the newly created OCI user.

1. Create a user for managing Full Stack DR

a. Log in to the OCI console with administrator credentials and select your home region.

b. From the menu, navigate to Identity & Security -> Domains -> Default Domain -> Users -> Create user. Provide First name, Last name, and Email, and click Create.

Create user

The new user receives an email at the address provided above with instructions for activating the account; the account must be activated before it can be used.

2. Create a group

a. Log in to the OCI console with administrator credentials and select your home region.

b. From the menu, navigate to Identity & Security -> Domains -> Default Domain -> Groups -> Create group. Provide Name and Description, select the users to assign to this group (the user you created in step 1), and click Create.

Create group

3. Create a policy and provide access to Full Stack DR

a. Log in to the OCI console with administrator credentials and select your home region.

b. From the menu, navigate to Identity & Security -> Policies -> Create Policy. Provide Name, Description, and Compartment; in Policy Builder, enable Show manual editor and add the policy statement below.

Select the compartment in which the policy will be created; it must be the compartment that holds the resources the statement refers to, or one of its parent compartments. In this example, I am selecting compartment "suraj".

Allow group FullStackDRGroup to manage disaster-recovery-family in compartment suraj

You should use the correct group name (created in step 2) and compartment name in the policy syntax.

Create policy

In the policy syntax, I have granted "manage disaster-recovery-family" access for using Full Stack DR. If you need more granular access to individual Full Stack DR resource types, that option exists as well: refer to the Full Stack DR policies documentation for details and modify the policies accordingly.

4. Add policies to access other OCI services

Full Stack DR implements disaster recovery workflows by managing other OCI resources such as Compute instances, Databases, Block Storage, Object Storage, Functions, Vaults, Virtual Cloud Networks, and more.

We will add the statements below to the policy "fullstackdr-policy" created in step 3. Adjust the list to the resource types (members) that you actually use with Full Stack DR, and drop the statements for services you do not use.

     Allow group FullStackDRGroup to manage buckets in compartment suraj
     Allow group FullStackDRGroup to manage objects in compartment suraj
     Allow group FullStackDRGroup to manage databases in compartment suraj
     Allow group FullStackDRGroup to manage autonomous-databases in compartment suraj
     Allow group FullStackDRGroup to manage instance-family in compartment suraj
     Allow group FullStackDRGroup to manage instance-agent-command-family in compartment suraj
     Allow group FullStackDRGroup to manage volume-family in compartment suraj
     Allow group FullStackDRGroup to read virtual-network-family in compartment suraj
     Allow group FullStackDRGroup to use subnets in compartment suraj
     Allow group FullStackDRGroup to use vnics in compartment suraj
     Allow group FullStackDRGroup to use network-security-groups in compartment suraj
     Allow group FullStackDRGroup to use private-ips in compartment suraj
     Allow group FullStackDRGroup to read fn-app in compartment suraj
     Allow group FullStackDRGroup to read fn-function in compartment suraj
     Allow group FullStackDRGroup to use fn-invocation in compartment suraj
     Allow group FullStackDRGroup to use tag-namespaces in compartment suraj
     Allow group FullStackDRGroup to read vaults in compartment suraj
     Allow group FullStackDRGroup to read secret-family in compartment suraj
     Allow group FullStackDRGroup to manage load-balancers in compartment suraj
     Allow group FullStackDRGroup to manage network-load-balancers in compartment suraj
     Allow group FullStackDRGroup to manage file-family in compartment suraj

a. Log in to the OCI console with administrator credentials and select your home region.

b. From the menu, navigate to Identity & Security -> Policies -> select the policy created in step 3 -> Edit Policy Statements -> Policy Builder -> Advanced.

Paste the list of statements above and click Save changes. The IAM service validates each statement's syntax before saving, so a statement that does not parse (for example, one missing the "to" before the verb) is rejected. Once saved, verify that every statement appears in the policy as intended.

You should use the correct group name (created in step 2) and compartment name in the policy syntax.

Modify policy

Refer to the complete set of services that currently integrate with Full Stack DR. Based on that documentation, you can restrict access to other OCI services to just what your DR plans use.

5. Create a Dynamic Group and modify the Policy

Full Stack DR has an option to define more flexible groups called user-defined plan groups. You can add user-defined groups and steps to a Disaster Recovery (DR) plan once Full Stack DR has generated the initial DR plan with its built-in groups and default steps. User-defined plan groups can be used to run scripts through Oracle Cloud Agent on compute instances. For this, we need to create a dynamic group with matching rules that select the right compute instances. Dynamic groups let you treat OCI compute instances as "principal" actors (similar to user groups), so you can write policies that permit the instances themselves to make API calls against OCI services.

a. Log in to the OCI console with administrator credentials and select your home region.

b. From the menu, navigate to Identity & Security -> Domains -> Default Domain -> Dynamic Groups -> Create Dynamic Group. Provide Name and Description, under Matching rules select Match any rules defined below, and in Rule 1 enter the rule shown in the screenshot, replacing the compartment OCID with your own. Click Create. A rule on the compartment matches every instance in it; to narrow the group to specific instances, match on instance.id instead.

Dynamic group

c. Update the "fullstackdr-policy" policy with the following statement for the dynamic group:

Allow dynamic-group fullstackdr-dg to use instance-agent-command-execution-family in compartment suraj
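The statements in steps 3, 4 and 5 are typed into the console one by one, which is where stray syntax slips (a missing "to", a tenancy-wide location) creep in. The script below is an added example for this post, not OCI's own code: it generates the full statement set for a given group and compartment, builds the dynamic-group matching rule for either a whole compartment or a list of instance OCIDs, and lints statements against the subset of the OCI policy grammar this post uses (Allow <group|dynamic-group> <name> to <verb> <resource-type> in <location>). Group, dynamic-group and compartment names and the OCID values are placeholders.

```python
"""Build and lint the IAM policy statements and dynamic-group matching rule
for a Full Stack DR operator group (steps 3 to 5 of this post).

Added example, not OCI's own code. The grammar below is only the subset of
the OCI policy language this post uses; names and OCIDs are placeholders.
"""
import re

# Subset of the policy grammar: group or dynamic-group subject, one of the four
# verbs, a resource-type name, and a compartment (by name or OCID) or tenancy
# location, with an optional where-clause. Keywords match case-insensitively.
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[a-z0-9-]+)\s+in\s+"
    r"(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)(?:\s+where\s+.+)?$",
    re.IGNORECASE,
)

# Verb/resource-type pairs from step 4: manage only where Full Stack DR has to
# create or delete resources, read or use elsewhere.
SERVICE_GRANTS = [
    ("manage", "buckets"), ("manage", "objects"),
    ("manage", "databases"), ("manage", "autonomous-databases"),
    ("manage", "instance-family"), ("manage", "instance-agent-command-family"),
    ("manage", "volume-family"), ("read", "virtual-network-family"),
    ("use", "subnets"), ("use", "vnics"), ("use", "network-security-groups"),
    ("use", "private-ips"), ("read", "fn-app"), ("read", "fn-function"),
    ("use", "fn-invocation"), ("use", "tag-namespaces"), ("read", "vaults"),
    ("read", "secret-family"), ("manage", "load-balancers"),
    ("manage", "network-load-balancers"), ("manage", "file-family"),
]


def policy_statements(group, compartment):
    """Statements for the operator group: the Full Stack DR grant from step 3
    followed by the per-service grants from step 4."""
    grants = [("manage", "disaster-recovery-family")] + SERVICE_GRANTS
    return [f"Allow group {group} to {verb} {resource} in compartment {compartment}"
            for verb, resource in grants]


def dynamic_group_statement(dynamic_group, compartment):
    """Statement from step 5 that lets instances in the dynamic group run
    Oracle Cloud Agent commands issued by user-defined plan steps."""
    return (f"Allow dynamic-group {dynamic_group} to use "
            f"instance-agent-command-execution-family in compartment {compartment}")


def matching_rule(compartment_ocid=None, instance_ocids=()):
    """Dynamic-group matching rule: every instance in a compartment, or only
    the listed instances (instance.id) when the group should be narrower."""
    if instance_ocids:
        clauses = [f"instance.id = '{ocid}'" for ocid in instance_ocids]
    elif compartment_ocid:
        clauses = [f"instance.compartment.id = '{compartment_ocid}'"]
    else:
        raise ValueError("need a compartment OCID or at least one instance OCID")
    return "Any {" + ", ".join(clauses) + "}"


def lint_statement(statement):
    """Findings for one statement; an empty list means it passes. Catches the
    syntax error the console rejects (for example a missing 'to') and two
    least-privilege smells: a tenancy-wide location and all-resources."""
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        return ["syntax: expected 'Allow <subject> <name> to <verb> "
                "<resource-type> in <location>'"]
    findings = []
    if m["location"].lower() == "tenancy":
        findings.append("least-privilege: scoped to the whole tenancy, "
                        "prefer a compartment")
    if m["resource"].lower() == "all-resources":
        findings.append("least-privilege: all-resources covers every "
                        "resource type")
    return findings


def lint_policy(statements):
    """Map each failing statement to its findings; {} means all pass."""
    report = {}
    for statement in statements:
        findings = lint_statement(statement)
        if findings:
            report[statement] = findings
    return report


if __name__ == "__main__":
    statements = policy_statements("FullStackDRGroup", "suraj")
    statements.append(dynamic_group_statement("fullstackdr-dg", "suraj"))
    print("\n".join(statements))
    # Hypothetical compartment OCID; substitute your own.
    print(matching_rule(compartment_ocid="ocid1.compartment.oc1..exampleuniqueID"))
    # A statement without 'to' does not parse, and a tenancy-wide all-resources
    # grant is far broader than Full Stack DR needs; both get flagged.
    broken = ["Allow group FullStackDRGroup use tag-namespaces in compartment suraj",
              "Allow group Administrators to manage all-resources in tenancy"]
    for statement, findings in lint_policy(statements + broken).items():
        print(f"{statement}\n  -> {'; '.join(findings)}")
```

Run it once with your own group, dynamic-group and compartment names, paste the printed statements into the Advanced editor from step 4, and paste the printed matching rule into Rule 1 of the dynamic group in step 5. The linter only knows the Allow form used in this post; Define, Endorse and Admit statements and `group id`/`any-user` subjects are out of its scope and would be reported as syntax findings.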

6. Verify Full Stack DR access

You have now set up all of the necessary prerequisites. Log in to the OCI console as the user created in step 1 and verify Full Stack DR functionality. Make sure you have that user's credentials before proceeding.

a. Log in to the OCI console with the user's credentials and select your home region.

b. From the menu, navigate to Migration and Disaster Recovery -> Disaster Recovery -> DR Protection Groups.

You should now be able to create a DR protection group and start working with Full Stack DR.

Full Stack DR

In subsequent posts in this series, we will cover the various components of OCI Full Stack DR, multiple use cases, and tips and tricks for taking full advantage of Full Stack DR. Please stay tuned for the next post in the series!

Additional Information

OCI Full Stack Disaster Recovery

Full Stack Disaster Recovery Documentation

Suraj Ramesh

Principal Product Manager

Principal Product Manager, part of the Oracle Database MAA PM team. Currently responsible for OCI Full Stack Disaster Recovery Cloud Service, Oracle Site Guard, general MAA focus, and Online Reorganization and Redefinition.

Before this role in Oracle, Suraj worked as a Solution Architect for Oracle Technology products and OCI. Before joining Oracle, Suraj held various roles, including Oracle DB Consultant and Solution Architect, across major IT companies supporting global customers, and completed professional certifications in Oracle Database and Oracle Cloud as well as associate certifications in AWS and Azure.

