Configuring IAM Policies

Configure IAM policies for managing External KMS private endpoints, vaults, and keys.

External KMS enables you to configure IAM policies to manage (create, modify, or delete) External KMS private endpoints, vaults, and keys in a tenancy or specific compartment.

Policy example to manage External KMS private endpoint

Create a policy to manage (create, update and delete) External KMS private endpoints in the tenancy or a specific compartment.

ALLOW GROUP <group-name> TO manage ekms-private-endpoints IN compartment <compartment-name>

Examples

ALLOW GROUP dataflow-sql-endpoint-admin TO manage ekms-private-endpoints IN compartment compartment1

Policy example to manage virtual networks

A group that manages External KMS private endpoints also needs permission to manage virtual networks, because the private endpoint is created inside a VCN subnet. Create a policy that allows the same group to manage virtual networks in the tenancy or a specific compartment.

ALLOW GROUP <group-name> TO manage virtual-network-family IN compartment <compartment-name>

Examples

ALLOW GROUP dataflow-sql-endpoint-admin TO manage virtual-network-family IN compartment compartment1

Policy example to read External KMS private endpoints in a tenancy or specific compartment

Create a policy that allows you to read External KMS private endpoints in the tenancy or a specific compartment.

ALLOW GROUP <group-name> TO read ekms-private-endpoints IN compartment <compartment-name>

Examples

ALLOW GROUP dataflow-sql-endpoint-admin TO read ekms-private-endpoints IN compartment compartment1

Policy example to list External KMS private endpoints in a tenancy or specific compartment

Create a policy that allows you to list External KMS private endpoints in the tenancy or a specific compartment.

ALLOW GROUP <group-name> TO inspect ekms-private-endpoints IN compartment <compartment-name>

Examples

ALLOW GROUP dataflow-sql-endpoint-admin TO inspect ekms-private-endpoints IN compartment compartment1

Policy example to manage Vaults

Create a policy that allows a user to manage vaults in a specific compartment.

ALLOW GROUP <group-name> TO manage vaults IN compartment <compartment-name>

Examples

ALLOW GROUP SecurityAdmins TO manage vaults IN compartment compartment1

Policy example to manage Keys

Create a policy that allows a user to manage keys in a specific compartment.

ALLOW GROUP <group-name> TO manage keys IN compartment <compartment-name>

Examples

ALLOW GROUP SecurityAdmins TO manage keys IN compartment compartment1
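As an added example (not part of the OCI documentation or any OCI tool), the following Python script parses policy statements of the form shown on this page and checks the requirement stated above: any group allowed to manage ekms-private-endpoints in a scope must also hold manage on virtual-network-family in that scope. It encodes the OCI verb hierarchy (inspect < read < use < manage), so a read or inspect grant is recognised when a broader verb is present, and treats a statement scoped to the tenancy as covering every compartment. The group names ekms-auditors and ekms-admins-no-vcn, the sample policy text, and the helper functions are constructed for the demonstration; the parser accepts only single-group statements without a where clause.

```python
"""Lint OCI IAM policy statements for External KMS private endpoints.

Added example, not OCI documentation or tooling: parses
'ALLOW GROUP <g> TO <verb> <resource> IN compartment <c>' statements
and flags groups that may manage ekms-private-endpoints without the
matching manage virtual-network-family grant. Group names, compartment
names and the sample policy below are constructed for the demo.
"""
import re
from dataclasses import dataclass

# OCI verb hierarchy: each verb includes the permissions of the verbs below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Minimal grammar (assumption): one group subject, no 'where' clause,
# scope is either 'compartment <name>' or 'tenancy'. Case-insensitive.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>[\w.\-]+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)\s+in\s+"
    r"(?:compartment\s+(?P<compartment>[\w.\-]+)|(?P<tenancy>tenancy))\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    scope: str  # compartment name, or "tenancy" for the whole tenancy


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raise ValueError on anything unsupported."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"unsupported or malformed policy statement: {text!r}")
    scope = "tenancy" if m.group("tenancy") else m.group("compartment")
    return Statement(m.group("group"), m.group("verb").lower(),
                     m.group("resource").lower(), scope)


def parse_policy(text: str) -> list[Statement]:
    """Parse a policy given as one statement per line (blank lines ignored)."""
    return [parse_statement(line) for line in text.splitlines() if line.strip()]


def grants(statements, group, verb, resource, scope) -> bool:
    """True if `group` holds at least `verb` on `resource` in `scope`.

    A broader verb satisfies a narrower one (manage covers read), and a
    statement scoped to the tenancy covers every compartment.
    """
    want = VERB_RANK[verb]
    return any(
        s.group == group
        and s.resource == resource
        and VERB_RANK[s.verb] >= want
        and (s.scope == "tenancy" or s.scope == scope)
        for s in statements
    )


def missing_vcn_grants(statements) -> list[tuple[str, str]]:
    """(group, scope) pairs that may manage ekms-private-endpoints but lack
    manage virtual-network-family in the same scope."""
    missing = set()
    for s in statements:
        if s.resource == "ekms-private-endpoints" and s.verb == "manage":
            if not grants(statements, s.group, "manage",
                          "virtual-network-family", s.scope):
                missing.add((s.group, s.scope))
    return sorted(missing)


# Constructed sample policy: the page's example statements plus one group
# (ekms-admins-no-vcn) that is missing the virtual-network-family grant.
SAMPLE_POLICY = """
ALLOW GROUP dataflow-sql-endpoint-admin TO manage ekms-private-endpoints IN compartment compartment1
ALLOW GROUP dataflow-sql-endpoint-admin TO manage virtual-network-family IN compartment compartment1
ALLOW GROUP ekms-auditors TO read ekms-private-endpoints IN compartment compartment1
ALLOW GROUP ekms-admins-no-vcn TO manage ekms-private-endpoints IN compartment compartment1
ALLOW GROUP SecurityAdmins TO manage vaults IN compartment compartment1
ALLOW GROUP SecurityAdmins TO manage keys IN compartment compartment1
"""

if __name__ == "__main__":
    stmts = parse_policy(SAMPLE_POLICY)
    for group, scope in missing_vcn_grants(stmts):
        print(f"{group}: manage ekms-private-endpoints in {scope} "
              f"but no manage virtual-network-family")
```

Run the script against the statements you intend to attach to a policy before creating it; a group flagged by missing_vcn_grants will be able to call the private-endpoint APIs but the endpoint creation will fail at the networking step until the virtual-network-family grant is added.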

Policies for vaults and keys are the same as for OCI Key Management Service (KMS). For more information, see Key Management Service Policies.

For information about how administrators can use IAM policies to manage vaults and keys, see Configure IAM Policies for Vault and Keys.