Yesterday…
… I got a question from a good friend in my company who had this use case in Oracle Cloud Infrastructure – thanks Roli from Lucerne for the input for this blog post, the next “Zwätschgelutz” is offered by me.
When several OCI compute instances are available in the same compartment, how can a user be restricted to just starting and stopping one of these machines?
I have extended this question: how to restrict users to starting and stopping a subset of Compute Instances in the same compartment. In my use case, a Windows admin group and a Linux admin group work together in the same compartment. The first part of the question, how to restrict instance actions to start and stop only, was easy to solve with this IAM policy condition:
request.permission='INSTANCE_POWER_ACTIONS'
For the instance limitation, my first idea was to go through the IAM policy reference list looking for a resource-type variable like target.instance.id (as Roli mentioned) for use in a group policy. There are general variables available like target.compartment.id, but nothing for a specific OCID. At the bottom of this list, there was the magic term: target.resource.tag. With this variable, the IAM policy idea was born. But first, we need a new tag namespace…
This is how it looks in the lab compartment. The goal is to create a user who can start and stop Windows instances only.
Step-by-Step Guide
1. Create a Tag Namespace with a Select List
A new namespace is created, located in the same compartment where the Compute Instances are running.
Tenancy-Management – Tag Namespaces – Create Tag Namespace
In Tag Namespace Details, we add a Tag Key Definition of type list of values, with two values that identify the operating system. The policy in step 4 refers to this namespace and key as startup.os.
2. Create a Group called grp-oracle-lab-win-user
A new IAM group and a user are required. In this example, a group and a user to manage Windows Compute Instances are created.
3. Create a User called oracle-lab-win-user and add it to the Group
4. Create a Policy
A new policy is added, located in the same compartment where the Compute Instances are running, with the following two statements. The statement to read the instances is necessary to make the Compute Instances visible to the user.
allow group grp-oracle-lab-win-user to manage instances in compartment oracle-lab where all {request.permission='INSTANCE_POWER_ACTIONS', target.resource.tag.startup.os = 'windows'}
allow group grp-oracle-lab-win-user to read instances in compartment oracle-lab
5. Tag the Compute Instances
Select the Compute Instance – More Actions – Add tags. Here you see the namespace and the values that we defined.
The added tag is visible in the Compute Instance dashboard in tab Tags. Repeat it for all Windows OS instances.
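To make the effect of steps 1 to 5 visible without a tenancy at hand, here is an added example (not code from the original post and not Oracle's policy engine): a small Python evaluator that parses the two policy statements from step 4 and decides a handful of constructed requests against them. The mapping of permissions to verbs (INSTANCE_POWER_ACTIONS under "use", INSTANCE_READ under "read", and so on) is an assumption made for the example; check the IAM policy reference for the resource type you work with. String comparison is exact here, which is a simplification.

```python
"""Toy evaluator for the two IAM statements of step 4 (added example)."""
import re
from dataclasses import dataclass, field

# Verb hierarchy and the verb that each permission needs.
# ASSUMPTION for this example: INSTANCE_POWER_ACTIONS sits under "use";
# verify against the OCI policy reference for your resource type.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
PERMISSION_VERB = {
    "INSTANCE_INSPECT": "inspect",
    "INSTANCE_READ": "read",
    "INSTANCE_POWER_ACTIONS": "use",
    "INSTANCE_UPDATE": "use",
    "INSTANCE_DELETE": "manage",
}

# Only the statement shape used on this page is supported:
# allow group <g> to <verb> <type> in compartment <c> [where all {...}]
STATEMENT_RE = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>\S+) in compartment (?P<comp>\S+)"
    r"(?: where all \{(?P<conds>.*)\})?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource_type: str
    compartment: str
    conditions: tuple  # ((variable, value), ...); "all" means every pair must hold


def parse_statement(text):
    """Turn one policy statement into a Statement; raises on unsupported syntax."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    conds = []
    if m.group("conds"):
        for clause in m.group("conds").split(","):
            var, value = clause.split("=", 1)
            conds.append((var.strip(), value.strip().strip("'")))
    return Statement(m.group("group"), m.group("verb").lower(),
                     m.group("rtype"), m.group("comp"), tuple(conds))


@dataclass
class Request:
    groups: frozenset
    permission: str
    resource_type: str
    compartment: str
    tags: dict = field(default_factory=dict)  # "namespace.key" -> value


def variable_value(var, req):
    """Resolve the policy variables this example understands."""
    if var == "request.permission":
        return req.permission
    prefix = "target.resource.tag."
    if var.startswith(prefix):
        return req.tags.get(var[len(prefix):])  # None when the tag is missing
    return None


def statement_allows(stmt, req):
    if stmt.group not in req.groups or stmt.resource_type != req.resource_type:
        return False
    if stmt.compartment != req.compartment:
        return False
    needed = PERMISSION_VERB.get(req.permission)
    if needed is None or VERB_RANK[stmt.verb] < VERB_RANK[needed]:
        return False
    return all(variable_value(v, req) == value for v, value in stmt.conditions)


def is_allowed(policy, req):
    """OCI policies are allow-only: any matching statement grants the request."""
    return any(statement_allows(s, req) for s in policy)


# The two statements from step 4, verbatim.
POLICY = [parse_statement(s) for s in (
    "allow group grp-oracle-lab-win-user to manage instances in compartment oracle-lab "
    "where all {request.permission='INSTANCE_POWER_ACTIONS', "
    "target.resource.tag.startup.os = 'windows'}",
    "allow group grp-oracle-lab-win-user to read instances in compartment oracle-lab",
)]


def windows_admin_request(permission, tags):
    """Constructed request from the Windows admin group in the lab compartment."""
    return Request(frozenset({"grp-oracle-lab-win-user"}), permission,
                   "instances", "oracle-lab", tags)


if __name__ == "__main__":
    scenarios = [
        ("power action, windows tag", "INSTANCE_POWER_ACTIONS", {"startup.os": "windows"}),
        ("power action, linux tag", "INSTANCE_POWER_ACTIONS", {"startup.os": "linux"}),
        ("power action, no tag", "INSTANCE_POWER_ACTIONS", {}),
        ("read, linux tag", "INSTANCE_READ", {"startup.os": "linux"}),
        ("update, windows tag", "INSTANCE_UPDATE", {"startup.os": "windows"}),
    ]
    for label, perm, tags in scenarios:
        print(f"{label:32} -> {'ALLOW' if is_allowed(POLICY, windows_admin_request(perm, tags)) else 'DENY'}")
```

The "no tag" case is worth running: an instance that nobody tagged is not startable by this group at all, so tagging every Windows instance (step 5) is part of the access control, not just housekeeping. Likewise INSTANCE_UPDATE is denied even though the first statement says "manage", because the request.permission condition narrows it to power actions.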
Startup Compute Instances
Test 1 – Windows
Login as user oracle-lab-win-user and start a Windows instance – works.
Test 2 – Linux
Try to start a Linux instance – it fails.
Summary
It’s a good practice to tag cloud resources for cost control and resource management. But tags can do more than just that. As you can see in this example here, with tags you are able to control resource actions on a fine-grained level. And this method can be used for all kinds of Oracle Cloud Infrastructure resources like database service, autonomous database and many more.
Here are some useful links about tagging:
- Oracle Blog: https://blogs.oracle.com/cloud-infrastructure/post/best-practices-for-using-tags-to-manage-costs-operations-and-governance
- Christoph Ruepprich: OCI CLI: Query By Tags – Christoph’s 2 Cents (ruepprich.com)
- A-Team: Implementing Naming Convention for OCI Resources using Tagging (ateam-oracle.com)