
5.5.2.1 Configuring a Tenancy for Resource Principal Data Loading

This section describes how to define the dynamic group and policy required to enable the MySQL DB System to access an OCI Object Storage bucket.

Note

It is assumed you have read the prerequisites and instructions documented here: Managing Dynamic Groups and are familiar with Oracle Cloud Infrastructure Identity and Access Management (IAM) groups and policies.

Dynamic Group

Dynamic groups allow you to group MySQL DB Systems as principal actors, similar to user groups. You can then create policies to permit MySQL DB Systems in these groups to make API calls against services, such as Object Storage. Membership in the group is determined by a set of criteria called matching rules.

The following example shows a matching rule including all MySQL DB Systems in the defined compartment:

"ALL{resource.type='mysqldbsystem', resource.compartment.id = 'ocid1.compartment.oc1..alphanumericString' }"

Dynamic groups require a name, description, and matching rule.

For more information, see Writing Matching Rules to Define Dynamic Groups.

Policy

Policies define what your groups can and cannot do. For HeatWave Lakehouse to access Object Storage, you must define a policy which grants the dynamic group's resources access to buckets and their contents in a specific compartment.

For example, the following policy grants the dynamic group Lakehouse-dynamicGroup read-only access to the buckets and objects contained in those buckets in the compartment Lakehouse-Data:

Allow dynamic-group Lakehouse-dynamicGroup to read buckets in compartment Lakehouse-Data
Allow dynamic-group Lakehouse-dynamicGroup to read objects in compartment Lakehouse-Data

For more information, see Writing Policies for Dynamic Groups.

To set up resource principals when you have multiple identity domains, add the identity domain associated with the dynamic group as a prefix to the dynamic group name.

To set up resource principals when the DB system is located in a child compartment, provide the OCI ID of the child compartment associated with the DB system instead of the compartment name.

Syntax:

Allow dynamic-group 'Identity_Domain_Name'/'Dynamic_Group_Name' to read buckets in compartment id OCI_ID of the child compartment

The following sample policy grants the dynamic group Dynamic_group_mysqldb, which belongs to the identity domain Corp_cloud_service, read access to buckets in the child compartment with OCI ID ocid1.compartment.oc1..alphanumericString, where the DB system is located:

Allow dynamic-group 'Corp_cloud_service'/'Dynamic_group_mysqldb' to read buckets in compartment id ocid1.compartment.oc1..alphanumericString
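Before applying a dynamic group and policy, it is worth checking that they are no broader than what Lakehouse data loading needs: the matching rule restricted to mysqldbsystem resources in one compartment, and policy statements limited to the read verb on buckets and objects within a compartment. The following added example (not Oracle's code, and only a simple regex-based check rather than a full OCI policy parser) runs that review over the statement forms used on this page, including the identity-domain prefix and the "compartment id" form; the sample statements are constructed.

```python
import re

# Constructed matching rule and policy statements in the forms shown above.
MATCHING_RULE = ("\"ALL{resource.type='mysqldbsystem', "
                 "resource.compartment.id = 'ocid1.compartment.oc1..alphanumericString' }\"")
POLICY = [
    "Allow dynamic-group Lakehouse-dynamicGroup to read buckets in compartment Lakehouse-Data",
    "Allow dynamic-group Lakehouse-dynamicGroup to read objects in compartment Lakehouse-Data",
    "Allow dynamic-group 'Corp_cloud_service'/'Dynamic_group_mysqldb' to read buckets "
    "in compartment id ocid1.compartment.oc1..alphanumericString",
]

# One policy statement: verb, resource type and scope (compartment name, compartment id, or tenancy).
STATEMENT = re.compile(
    r"^Allow dynamic-group (?P<group>\S+) to (?P<verb>\w+) (?P<resource>[\w-]+) in "
    r"(?P<scope>compartment id \S+|compartment \S+|tenancy)$", re.IGNORECASE)
# One key = 'value' condition inside a matching rule.
RULE_COND = re.compile(r"(?P<key>[\w.]+)\s*=\s*'(?P<val>[^']*)'")

def check_statement(stmt):
    """Return the list of least-privilege findings for one statement (empty means acceptable)."""
    m = STATEMENT.match(stmt.strip())
    if not m:
        return ["unparseable statement"]
    findings = []
    if m["verb"].lower() != "read":
        findings.append(f"verb '{m['verb']}' exceeds read-only")
    if m["resource"].lower() not in ("buckets", "objects"):
        findings.append(f"resource '{m['resource']}' is not buckets/objects")
    if m["scope"].lower() == "tenancy":
        findings.append("scoped to tenancy instead of a compartment")
    return findings

def check_matching_rule(rule):
    """Return findings for a dynamic-group matching rule (empty means acceptable)."""
    findings = []
    head, _, body = rule.strip().strip('"').partition("{")
    if head.strip().lower() != "all":
        findings.append("conditions are not combined with ALL")
    conds = {k.lower(): v for k, v in RULE_COND.findall(body)}
    if conds.get("resource.type") != "mysqldbsystem":
        findings.append("rule does not restrict resource.type to mysqldbsystem")
    if "resource.compartment.id" not in conds:
        findings.append("rule is not scoped to a compartment")
    return findings

def review(rule, statements):
    """Map each input to its findings; an all-empty result means the setup is least-privilege."""
    result = {"matching_rule": check_matching_rule(rule)}
    result.update({s: check_statement(s) for s in statements})
    return result
```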