Dynamic Groups in OCI

January 24, 2024 | seedling, permanent

OCI construct

Users are human principals; dynamic groups cover machine principals (reference).

  • Dynamic groups allow you *to group Oracle Cloud Infrastructure compute instances as "principal" actors (similar to user groups)*.

JAK: Groups for machines.

  • Machines are the principal actors in this kind of group.
  • You can then create policies to permit instances to make API calls against Oracle Cloud Infrastructure services.
  • When you create a dynamic group, rather than adding members explicitly to the group, you instead define a set of matching rules to define the group members. JAK: member machines are added based on rules, hence the name dynamic.
  • For example, a rule could specify that all instances in a particular compartment are members of the dynamic group. The members can change dynamically as instances are launched and terminated in that compartment.

Required IAM Policy

If you’re in the Administrators group, then you have the required access for managing dynamic groups.

Working with Dynamic Groups

A dynamic group has no permissions until you write at least one policy that gives that dynamic group permission to either the tenancy or a compartment.

Examples

Policies

Policies that govern these dynamic groups should be written in the parent compartment.

"devops-family" is the aggregate group for all the DevOps resources:

  • 1 policy is required for the devops user group
  • 1 or more for the devops dynamic groups
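To make the two ideas above concrete (membership comes from matching rules; a dynamic group has no rights until a policy names it), here is an added Python example that is not part of the original note and not Oracle's code. It re-implements a simplified evaluator for the OCI matching-rule syntax (`Any {...}` / `All {...}` over `instance.compartment.id`, `instance.id` and `tag.<namespace>.<key>.value` conditions) and runs it over a constructed inventory, then scans a constructed policy set for the statements that actually grant a dynamic group anything. All OCIDs, group names and compartment names are placeholders I made up; the real service is the authority on rule semantics, this only mirrors the documented shape.

```python
import re

# Constructed sample inventory. OCIDs are placeholders, not real identifiers.
DEVOPS_COMPARTMENT = "ocid1.compartment.oc1..placeholder-devops"
PROD_COMPARTMENT = "ocid1.compartment.oc1..placeholder-prod"

INSTANCES = [
    {"instance.id": "ocid1.instance.oc1.phx.placeholder-build-1",
     "instance.compartment.id": DEVOPS_COMPARTMENT,
     "tag.devops.role.value": "builder"},
    {"instance.id": "ocid1.instance.oc1.phx.placeholder-build-2",
     "instance.compartment.id": DEVOPS_COMPARTMENT,
     "tag.devops.role.value": "runner"},
    {"instance.id": "ocid1.instance.oc1.phx.placeholder-web-1",
     "instance.compartment.id": PROD_COMPARTMENT,
     "tag.devops.role.value": "builder"},
]

# Matching rules in OCI dynamic-group syntax (hypothetical group definitions).
RULE_DEVOPS_ANY = f"Any {{instance.compartment.id = '{DEVOPS_COMPARTMENT}'}}"
RULE_DEVOPS_BUILDERS = (f"All {{instance.compartment.id = '{DEVOPS_COMPARTMENT}', "
                        f"tag.devops.role.value = 'builder'}}")
RULE_ANY_BUILDER = "tag.devops.role.value = 'builder'"   # bare single condition

_RULE_RE = re.compile(r"^\s*(any|all)\s*\{(.*)\}\s*$", re.IGNORECASE | re.DOTALL)
_COND_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*'([^']*)'\s*$")


def parse_rule(rule):
    """Return (mode, [(attribute, value), ...]) for a matching rule.

    A bare "attr = 'value'" is treated as a single-condition Any rule.
    Conditions are split on commas, so values containing commas are not
    supported by this simplified parser.
    """
    m = _RULE_RE.match(rule)
    mode, body = (m.group(1).lower(), m.group(2)) if m else ("any", rule)
    conds = []
    for part in body.split(","):
        cm = _COND_RE.match(part)
        if not cm:
            raise ValueError(f"unparseable condition: {part!r}")
        conds.append((cm.group(1).lower(), cm.group(2)))
    if not conds:
        raise ValueError("rule has no conditions")
    return mode, conds


def matches(rule, resource):
    """True if the resource's attributes satisfy the rule (All = every
    condition must hold, Any = at least one)."""
    mode, conds = parse_rule(rule)
    attrs = {k.lower(): v for k, v in resource.items()}
    results = [attrs.get(attr) == value for attr, value in conds]
    return all(results) if mode == "all" else any(results)


def members(rule, inventory):
    """Instance OCIDs that the rule would currently place in the group.
    Membership is recomputed from the inventory, which is what makes the
    group dynamic as instances are launched and terminated."""
    return [r["instance.id"] for r in inventory if matches(rule, r)]


# Constructed policy statements for the "devops-family": one for the human
# user group, one or more for the dynamic groups, written in the parent
# compartment. Group and compartment names are placeholders.
POLICY_STATEMENTS = [
    "Allow group devops-users to manage instance-family in compartment devops",
    "Allow dynamic-group devops-builders to read repos in compartment devops",
    "Allow dynamic-group devops-builders to manage objects in compartment devops",
]

_STMT_RE = re.compile(
    r"^\s*allow\s+dynamic-group\s+(\S+)\s+to\s+(\S+)\s+(\S+)\s+in\s+"
    r"(compartment\s+\S+|tenancy)\b", re.IGNORECASE)


def grants_for(dynamic_group, statements):
    """(verb, resource-type, scope) tuples granted to a dynamic group.
    An empty list means the group exists but can do nothing yet."""
    grants = []
    for stmt in statements:
        m = _STMT_RE.match(stmt)
        if m and m.group(1).lower() == dynamic_group.lower():
            grants.append((m.group(2).lower(), m.group(3).lower(), m.group(4).lower()))
    return grants


if __name__ == "__main__":
    for name, rule in [("devops-any", RULE_DEVOPS_ANY),
                       ("devops-builders", RULE_DEVOPS_BUILDERS),
                       ("any-builder", RULE_ANY_BUILDER)]:
        print(name, "->", members(rule, INSTANCES))
    print("devops-builders grants:", grants_for("devops-builders", POLICY_STATEMENTS))
    print("devops-runners grants:", grants_for("devops-runners", POLICY_STATEMENTS))
```

Run it and compare the three membership lists: the compartment-only rule pulls in every instance in the devops compartment, the `All` rule narrows that to instances also tagged `builder`, and the bare tag rule crosses compartment boundaries, which is exactly the kind of over-broad rule to watch for when a policy later grants that group rights. The second check shows why the note says a dynamic group has no permissions until a policy names it: `devops-runners` matches instances but receives no grants.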