MySQL HeatWave User Guide  /  ...  /  Configuring a Tenancy for Resource Principal Data Loading Configuring a Tenancy for Resource Principal Data Loading

This section describes how to define the dynamic group and policy required to enable your HeatWave DB System to access an OCI Object Storage bucket.


It is assumed you have read the prerequisites and instructions documented here: Managing Dynamic Groups and are familiar with Oracle Cloud Infrastructure Identity and Access Management (IAM) groups and policies.

Dynamic Group

Dynamic groups allow you to group MySQL HeatWave Service DB Systems as principal actors, similar to user groups. You can then create policies to permit DB Systems in these groups to make API calls against services, such as Object Storage. Membership in the group is determined by a set of criteria called matching rules.

The following example shows a matching rule including all DB Systems in the defined compartment:

"ALL{resource.type='mysqldbsystem', = 'ocid1.compartment.oc1..alphanumericString' }"

Dynamic groups require a name, description, and matching rule.

For more information, see Writing Matching Rules to Define Dynamic Groups.


Policies define what your groups can and cannot do. For HeatWave Lakehouse to access Object Storage, you must define a policy which grants the dynamic group's resources access to buckets and their contents in a specific compartment.

For example, the following policy grants the dynamic group Lakehouse-dynamicGroup read-only access to the buckets and objects contained in those buckets in the compartment Lakehouse-Data:

allow dynamic-group Lakehouse-dynamicGroup to read buckets in compartment Lakehouse-Data
allow dynamic-group Lakehouse-dynamicGroup to read objects in compartment Lakehouse-Data

For more information, see Writing Policies for Dynamic Groups.