Overview of IAM in Oracle Cloud Infrastructure
This blog post introduces the Oracle® Cloud Infrastructure (OCI) Identity and Access Management (IAM) components and shows some features that help you to manage Oracle cloud resources.
The post identifies the types of access for specific resources that you can assign to a group of users and how you can federate OCI with Oracle Identity Cloud Service (IDCS).
Components of IAM
IAM includes the following components:
Resource: A resource is an object created in OCI, such as Compute instances, blocks, virtual cloud networks (VCNs), and subnets.
User: A user is assigned to a group that provides limited privileges and access to OCI resources according to the tenancy and compartment policies for the group.
Group: A group is a collection of users that have access to the same OCI resources. A user can be a member of one or more groups.
Dynamic group: A dynamic group provides security and enables you to manage keys on the client side rather than the server side. A dynamic group can include specific instances in a compartment. You can assign a policy to a dynamic group so that those instances can access resources through an application programming interface (API).
Compartment: A compartment is a global logical container in which you enforce policies and control access to Compute, Storage, Network, Load Balancer, and other resources. For example, you can use a policy to restrict users, other than administrators, from using the resources created in that compartment.
Tenancy: A tenancy is the default root compartment and contains all OCI resources. Within the tenancy, administrators can create one or more compartments, users, and groups. The administrators can then assign policies that allow groups to use resources within a compartment.
Policy: A policy defines who can access resources at group and compartment levels with the following access levels:
Region: A region is a geographical location in which IAM resources reside. IAM service resources are global and can have a single tenancy across multiple regions. Oracle propagates changes made in the home region to all the regions.
Federation: Federation is a mechanism between two or more parties acting as an identity provider and service provider. It manages users and groups in the identity provider. IDCS provides federation for OCI by default.
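The compartment and policy entries above describe policies as group-level grants scoped to a compartment or to the tenancy. The following Python module, added here as an illustration and not code from the original post or from Oracle, builds and parses statements in the `Allow group <group> to <verb> <resource-type> in <scope>` form and flags grants that are broader than a compartment-scoped, least-privilege model. The statement grammar and the verbs `inspect`, `read`, `use`, and `manage` come from the public OCI policy documentation rather than from this post; the group, compartment, and resource names in `POLICY` are constructed samples. Other statement subjects that OCI supports (`any-user`, `dynamic-group`, `service`) and `where` conditions are deliberately not handled.

```python
"""Build and audit OCI IAM policy statements for groups and compartments.

Added illustration, not code from the original post or from Oracle. The
statement grammar and the verb set inspect/read/use/manage follow the public
OCI policy documentation; all names in POLICY below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Access verbs in increasing order of privilege (from OCI policy documentation).
VERBS = ("inspect", "read", "use", "manage")

# Only the "Allow group ..." form is recognised; any-user, dynamic-group,
# service subjects and "where" conditions are out of scope for this example.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[\w-]+) in (?P<scope>tenancy|compartment \S+)$"
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    scope: str  # "tenancy" or "compartment <name>"

    def render(self) -> str:
        """Render the statement in the form accepted by the OCI policy editor."""
        return f"Allow group {self.group} to {self.verb} {self.resource} in {self.scope}"


def parse_statement(text: str) -> Statement:
    """Parse one policy statement, raising ValueError for unsupported forms."""
    match = STATEMENT_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a recognised group policy statement: {text!r}")
    return Statement(match["group"], match["verb"], match["resource"], match["scope"])


def audit(statements: Iterable[Statement], admin_groups=("Administrators",)) -> List[str]:
    """Return review findings for non-admin groups: any tenancy-wide grant, and
    any 'manage all-resources' grant, since both exceed a model in which
    ordinary groups act only inside their own compartment."""
    findings = []
    for s in statements:
        if s.group in admin_groups:
            continue
        if s.scope == "tenancy":
            findings.append(f"{s.group}: tenancy-wide {s.verb} {s.resource}")
        if s.verb == "manage" and s.resource == "all-resources":
            findings.append(f"{s.group}: manage all-resources in {s.scope}")
    return findings


# Constructed sample policy: one admin group plus two compartment-scoped groups.
POLICY = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group Developers to use instance-family in compartment Dev",
    "Allow group Developers to manage all-resources in compartment Dev",
    "Allow group Auditors to read all-resources in tenancy",
]

if __name__ == "__main__":
    parsed = [parse_statement(line) for line in POLICY]
    for finding in audit(parsed):
        print("review:", finding)
```

The audit deliberately treats a tenancy-wide `read` for a non-admin group as a finding rather than an error: a read-only audit group is a common and legitimate pattern, but it is the kind of grant that should be an explicit decision rather than an accident.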
This section describes the scope of resources, resource identifiers, and resource limits.
Scope of resources
Because IAM resources are global, they are available across all regions and availability domains.
An OCI resource uses a unique name (OCID) with the following syntax:
The OCID placeholders include the following elements:
- ocid1: OCID version.
- resource-type: The type of resource, such as instance, volume, VCN, subnet, user, or group.
- realm: The realm contains a set of regions and shares entities with availability domains. A realm can have the following values:
  - oc1: commercial realm
  - oc2: Government Cloud realm
  - oc3: Federal Government Cloud realm
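A small parser makes the structure above concrete and gives automation a place to reject malformed or wrong-realm identifiers before they reach a policy or an API call. The following Python code is an added example, not code from the original post or from Oracle. It assumes the dot-separated OCID layout documented by OCI (`ocid1.<resource-type>.<realm>.[region][.future-use].<unique-id>`, where the region segment is empty for global IAM resources such as users and groups), and it uses the three realm values named above; every OCID it checks is a constructed sample.

```python
"""Parse and validate OCI resource identifiers (OCIDs).

Added illustration, not code from the original post or from Oracle. Assumes
the OCID layout documented by OCI:
    ocid1.<resource-type>.<realm>.[region][.future-use].<unique-id>
The region segment is empty for global IAM resources (users, groups, tenancy).
All OCIDs used below are constructed samples, not real identifiers.
"""
from dataclasses import dataclass

# Realm values named in the post, with their meaning.
KNOWN_REALMS = {
    "oc1": "commercial realm",
    "oc2": "Government Cloud realm",
    "oc3": "Federal Government Cloud realm",
}


@dataclass(frozen=True)
class Ocid:
    version: str
    resource_type: str
    realm: str
    region: str      # "" for global resources
    unique_id: str

    @property
    def is_global(self) -> bool:
        """Global IAM resources carry no region segment."""
        return self.region == ""


def parse_ocid(text: str) -> Ocid:
    """Split an OCID into its segments, raising ValueError on structural errors."""
    parts = text.strip().split(".")
    # Five segments when future-use is absent, six when present.
    if len(parts) not in (5, 6):
        raise ValueError(f"expected 5 or 6 dot-separated segments: {text!r}")
    version, resource_type, realm, region = parts[0], parts[1], parts[2], parts[3]
    unique_id = parts[-1]
    if version != "ocid1":
        raise ValueError(f"unsupported OCID version {version!r}")
    if not resource_type:
        raise ValueError("missing resource type")
    if realm not in KNOWN_REALMS:
        raise ValueError(f"unknown realm {realm!r}")
    if not unique_id:
        raise ValueError("missing unique id")
    return Ocid(version, resource_type, realm, region, unique_id)


def is_valid_ocid(text: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_ocid(text)
        return True
    except ValueError:
        return False


def same_realm(a: str, b: str) -> bool:
    """True when two OCIDs belong to the same realm; a policy that mixes realms
    (for example a commercial compartment and a Government Cloud instance)
    can never be satisfied and is worth rejecting early."""
    return parse_ocid(a).realm == parse_ocid(b).realm


if __name__ == "__main__":
    # Constructed samples (not real OCIDs).
    for sample in (
        "ocid1.user.oc1..aaaaconstructedsampleuser",
        "ocid1.instance.oc1.phx.abyhqconstructedsampleinstance",
        "ocid1.instance.oc9.phx.abyhqbadrealm",
    ):
        print(sample, "->", "valid" if is_valid_ocid(sample) else "invalid")
```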
An IAM limit is the quota on IAM resources that controls, for example, the maximum number of Compute instances in an availability domain.
To view the tenancy's limits and usage by region, perform the following steps:
- Open the IAM console.
- Open the User menu and click Tenancy.
- Click Service Limits.
When the tenancy reaches the service limit for a specific resource, you can submit a request to increase the service limit and then create new resources as needed.
To request a service limit increase, perform the following steps:
- Open the Help menu, go to Support, and click Request service limit increase.
- Enter the following details:
- Primary contact details
- Service category
- Reason for the request
- Click Submit Request.
Federate with identity providers
OCI supports federation for the following components and identity providers:
- Microsoft® Active Directory®
- Microsoft Azure® Active Directory
- Identity providers that support the Security Assertion Markup Language (SAML) 2.0 protocol
In the examples in this blog post, I use IDCS as the identity provider.
Steps to federate with IDCS
Perform the following steps to federate with IDCS:
Step 1: Get the required information from IDCS
- Log in to the OCI IDCS console with admin privileges.
- In the IDCS console, click Applications.
- Expand General Information to display the Client ID.
- Click Show Secret to see the Client Secret.
- Save the Client ID and the Client Secret.
Step 2: Add the identity provider in OCI
- Sign in to the console with your OCI login credentials.
- Open the Governance and Administration navigation menu and click Identity -> Federation.
- Click Add identity provider.
- Enter the following details:
  - Name: The name must be unique across all identity providers. Oracle adds the name to the tenancy, and you cannot modify it.
  - Description: A clear description.
  - IDCS Base URL: The resource URL.
  - Client ID: The client identifier that you collected previously.
  - Client secret: The client secret that you collected previously.
- Click Show Advanced Options and enter the following details:
  - Encrypt Assertion: Select the checkbox to enable encryption from the IDP. If you do not select this checkbox, you must set up encryption of the assertion in IDCS.
  - Tags: You can also apply tags if you have permission to create a resource. To apply a defined tag, you must have permission to use the tag namespace.
- Click Continue.
- Define the mappings between IDCS groups and IAM groups in OCI. You can map IDCS groups to zero, one, or multiple IAM groups, and vice versa.
The Federation page now shows the identity provider in the tenancy list. Oracle assigns the OCID to each group mapping.
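Because an IDCS group can map to zero, one, or many IAM groups, and an IAM group can be the target of several IDCS groups, it is worth being able to answer two questions before users sign in: which IAM groups (and therefore which policies) does a given federated user end up in, and which IDCS groups map nowhere. The following Python code is an added example, not code from the original post, Oracle, or IDCS; the mapping rows and the IDCS memberships are constructed samples that stand in for what you configure in the mapping table and in the IDCS console.

```python
"""Resolve IDCS group memberships through IDP group mappings to IAM groups.

Added illustration, not code from the original post, Oracle or IDCS. The
mapping semantics follow the post (IDCS group to zero, one or many IAM groups,
and the other way round); every name below is a constructed sample.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

Mapping = Tuple[str, str]  # (IDCS group, IAM group), one row per mapping

# Constructed mapping table, as configured under Identity -> Federation.
MAPPINGS = [
    ("idcs-developers", "Developers"),
    ("idcs-developers", "Readers"),     # one IDCS group -> two IAM groups
    ("idcs-ops", "Operators"),
    ("idcs-secops", "Operators"),       # two IDCS groups -> one IAM group
]

# Constructed IDCS memberships; idcs-contractors has no mapping row.
IDCS_MEMBERS = {
    "alice": {"idcs-developers"},
    "bob": {"idcs-ops", "idcs-contractors"},
    "carol": {"idcs-contractors"},
}


def _index(mappings: Iterable[Mapping]) -> Dict[str, Set[str]]:
    """Group the mapping rows by IDCS group."""
    by_idp: Dict[str, Set[str]] = defaultdict(set)
    for idp_group, iam_group in mappings:
        by_idp[idp_group].add(iam_group)
    return by_idp


def iam_groups_for(user: str, memberships=IDCS_MEMBERS, mappings=MAPPINGS) -> Set[str]:
    """IAM groups a federated user lands in; the union over all their IDCS groups."""
    by_idp = _index(mappings)
    groups: Set[str] = set()
    for idp_group in memberships.get(user, ()):
        groups |= by_idp.get(idp_group, set())
    return groups


def unmapped_idcs_groups(memberships=IDCS_MEMBERS, mappings=MAPPINGS) -> Set[str]:
    """IDCS groups that users hold but that map to no IAM group. Members of
    only such groups can sign in but receive no policy-granted access."""
    mapped = {idp_group for idp_group, _ in mappings}
    held = set().union(*memberships.values()) if memberships else set()
    return held - mapped


def users_without_access(memberships=IDCS_MEMBERS, mappings=MAPPINGS) -> Set[str]:
    """Federated users whose IDCS groups resolve to no IAM group at all."""
    return {u for u in memberships if not iam_groups_for(u, memberships, mappings)}


def shared_iam_groups(mappings=MAPPINGS) -> Dict[str, Set[str]]:
    """IAM groups reachable from more than one IDCS group, so that each such
    fan-in can be confirmed as intended rather than accidental."""
    by_iam: Dict[str, Set[str]] = defaultdict(set)
    for idp_group, iam_group in mappings:
        by_iam[iam_group].add(idp_group)
    return {iam: idps for iam, idps in by_iam.items() if len(idps) > 1}


if __name__ == "__main__":
    for user in IDCS_MEMBERS:
        print(user, "->", sorted(iam_groups_for(user)))
    print("unmapped IDCS groups:", sorted(unmapped_idcs_groups()))
    print("users with no access:", sorted(users_without_access()))
    print("IAM groups with several IDCS sources:", shared_iam_groups())
```

Run the same checks after every edit to the mapping table: the two audit functions catch the cases the console does not warn about, namely an IDCS group that silently grants nothing and an IAM group that several IDCS groups feed into.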
Step 3: Set up the IAM policies for the groups
Follow your standard procedure to set up the IAM policies for the groups.
Step 4: Give the federated users the tenant and URL
Provide the federated users with the name of the tenant and the sign-in URL. The URL should be similar to the following example:
Manage identity providers in the console
This section provides the steps to delete an identity provider and to add, update, or delete group mappings for IDCS.
Delete an identity provider
To delete an identity provider, perform the following steps:
- Delete the identity provider from the tenancy:
  - Open the Governance and Administration navigation menu and click Identity -> Federation to see the list of identity providers in the tenancy.
  - Click the identity provider that you want to delete to view its details.
  - Click Delete and confirm.
- Delete the tenancy from the IDCS account:
  - Open the IDCS console and sign in to the federated account.
  - Click Applications to display the list of applications.
  - Find the tenancy and click its name to view the details page.
  - Click Deactivate and confirm.
  - Click Remove and confirm.
Add group mappings for IDCS
To add group mappings for IDCS, perform the following steps:
- Open the Governance and Administration navigation menu and click Identity to display a list of the identity providers in the tenancy.
- Click Federation and click the IDCS federation name to view its details.
- Click Edit Provider Details.
- Add at least one mapping:
  - Click + Add Mapping.
  - Select an IDCS group from the Identity Provider Group list.
  - Select the IAM group from the list of OCI Groups.
  - Alternatively, select New OCI Group to create a new group in IAM instead of choosing an existing one, and map the new group to the IDP group.
- Repeat the previous step for each mapping, and click Submit after you have added all the mappings.
Update or delete a group mapping
To update or delete a group mapping, perform the following steps:
- Open the Governance and Administration navigation menu and click Identity -> Federation to display the list of identity providers in the tenancy.
- Click an identity provider to see its details.
- Click Edit Mapping.
- Update the mappings, or click X to delete a mapping.
This blog post describes how different IAM components work together and how you can federate multiple IDCS accounts in OCI.