Create Policies to Control Access to Network and Function-Related Resources

Before users can start using Oracle Functions to create and deploy functions, as a tenancy administrator you have to create a number of Oracle Cloud Infrastructure policies to grant access to function-related and network resources. You have to:

See Details for Functions for more information about policies.

Summary of Policies to Create for Oracle Functions

Policy to give: Users access to repositories in Oracle Cloud Infrastructure Registry
Where to create the policy: Root compartment
Statements:
    Allow group <group-name> to manage repos in tenancy
    Allow group <group-name> to read objectstorage-namespaces in tenancy
More information and examples: Create a Policy to Give Oracle Functions Users Access to Oracle Cloud Infrastructure Registry Repositories

Policy to give: Users access to function-related resources
Where to create the policy: Compartment that owns function-related resources
Statements:
    Allow group <group-name> to manage functions-family in compartment <compartment-name>
    Allow group <group-name> to read metrics in compartment <compartment-name>
More information and examples: Create a Policy to Give Oracle Functions Users Access to Function-Related Resources

Policy to give: Users access to network resources
Where to create the policy: Compartment that owns network resources
Statement:
    Allow group <group-name> to use virtual-network-family in compartment <compartment-name>
More information and examples: Create a Policy to Give Oracle Functions Users Access to Network Resources

Policy to give: Oracle Functions service access to network resources
Where to create the policy: Root compartment
Statement:
    Allow service FaaS to use virtual-network-family in compartment <compartment-name>
More information and examples: Create a Policy to Give the Oracle Functions Service Access to Network Resources

Policy to give: Oracle Functions service access to repositories in Oracle Cloud Infrastructure Registry
Where to create the policy: Root compartment
Statement:
    Allow service FaaS to read repos in tenancy
More information and examples: Create a Policy to Give the Oracle Functions Service Access to Repositories in Oracle Cloud Infrastructure Registry

Create a Policy to Give Oracle Functions Users Access to Oracle Cloud Infrastructure Registry Repositories

When Oracle Functions users work with functions, they have to access repositories in Oracle Cloud Infrastructure Registry. Users can only access repositories to which the groups they belong to have been granted access. To enable users to access a repository, you must create an identity policy to grant the groups access to that repository.

To create a policy to give Oracle Functions users access to repositories in Oracle Cloud Infrastructure Registry:

  1. Log in to the Console as a tenancy administrator and create a new policy in the root compartment:

    1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

    2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-ocir-access).
  2. Specify a policy statement to enable the group to obtain the auto-generated Object Storage namespace string of the tenancy (required to log in to Oracle Cloud Infrastructure Registry):

    Allow group <group-name> to read objectstorage-namespaces in tenancy

    where <group-name> is the name of the group to which the Oracle Functions users belong.

    For example:

    Allow group acme-functions-developers to read objectstorage-namespaces in tenancy

    The above policy statement also provides access to function logs stored in a storage bucket in Oracle Cloud Infrastructure Object Storage (see Storing and Viewing Function Logs).

  3. Specify a policy statement to give the group access to repositories in Oracle Cloud Infrastructure Registry:

    Allow group <group-name> to manage repos in tenancy

    where <group-name> is the name of the group to which the Oracle Functions users belong.

    For example:

    Allow group acme-functions-developers to manage repos in tenancy

    The above policy statement gives the group permission to manage all repositories in the tenancy. If you consider this to be too permissive, then you can restrict the repositories to which the group has access by including a where clause in the manage repos statement. Note that if you do include a where clause, you must also include a second statement in the policy to enable the group to inspect all repositories in the tenancy (when using the Console).

    For example, the following policy statements restrict the group to accessing only repositories with names that start with 'acme-web-app', but also enable the group to inspect all repositories in the tenancy:

    Allow group acme-functions-developers to inspect repos in tenancy

    Allow group acme-functions-developers to manage repos in tenancy where all {target.repo.name=/acme-web-app*/ }

  4. Click Create.

Create a Policy to Give Oracle Functions Users Access to Function-Related Resources

When Oracle Functions users create functions and applications, they have to specify a compartment for those function-related resources (including for metrics emitted by Oracle Functions). Users can only specify a compartment to which the groups they belong to have been granted access. To enable users to specify a compartment, you must create an identity policy to grant the groups access to that compartment.

To create a policy to give Oracle Functions users access to function-related resources in the compartment that will own those resources:

  1. Log in to the Console as a tenancy administrator and create a new policy in the compartment that will own Oracle Functions resources:
    1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

    2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-manage-access).
  2. Specify a policy statement to give the group access to all function-related resources in the compartment:

    Allow group <group-name> to manage functions-family in compartment <compartment-name>

    For example:

    Allow group acme-functions-developers to manage functions-family in compartment acme-functions-compartment
  3. Specify a second policy statement to give the group access to metrics emitted by Oracle Functions:

    Allow group <group-name> to read metrics in compartment <compartment-name>

    For example:

    Allow group acme-functions-developers to read metrics in compartment acme-functions-compartment
  4. Click Create.

Create a Policy to Give Oracle Functions Users Access to Network Resources

When Oracle Functions users create a function or application, they have to specify a VCN and a subnet in which to create them. Users can only specify VCNs and subnets in compartments to which the groups they belong to have been granted access. To enable users to specify a VCN and subnet, you must create an identity policy to grant the groups access to the compartment.

To create a policy to give Oracle Functions users access to network resources:

  1. Log in to the Console as a tenancy administrator and create a new policy in the compartment that will own network resources:
    1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

    2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-manage-network-access).
  2. Specify a policy statement to give the group access to the network resources in the compartment:

    Allow group <group-name> to use virtual-network-family in compartment <compartment-name>

    For example:

    Allow group acme-functions-developers to use virtual-network-family in compartment acme-network
  3. Click Create.

Create a Policy to Give the Oracle Functions Service Access to Network Resources

When Oracle Functions users create a function or application, they have to specify a VCN and a subnet in which to create them. To enable the Oracle Functions service to create the function or application in the specified VCN and subnet, you must create an identity policy to grant the Oracle Functions service access to the compartment to which the network resources belong.

To create a policy to give the Oracle Functions service access to network resources:

  1. Log in to the Console as a tenancy administrator.
  2. Create a new policy in the root compartment:
    1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

    2. Follow the instructions in To create a policy, and give the policy a name (for example, functions-service-network-access).
    3. Specify a policy statement to give the Oracle Functions service access to the network resources in the compartment:

      Allow service FaaS to use virtual-network-family in compartment <compartment-name>

      For example:

      Allow service FaaS to use virtual-network-family in compartment acme-network
  3. Click Create.

Create a Policy to Give the Oracle Functions Service Access to Repositories in Oracle Cloud Infrastructure Registry

The Oracle Functions service must have read access to images stored for functions in repositories in Oracle Cloud Infrastructure Registry. To enable the Oracle Functions service to access repositories in Oracle Cloud Infrastructure Registry, you must create an identity policy.

To create a policy to give the Oracle Functions service access to repositories in Oracle Cloud Infrastructure Registry:

  1. Log in to the Console as a tenancy administrator.
  2. Create a new policy in the root compartment:
    1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

    2. Follow the instructions in To create a policy, and give the policy a name (for example, functions-service-repos-access).
    3. Specify a policy statement to give the Oracle Functions service access to all repositories in the tenancy:

      Allow service FaaS to read repos in tenancy

      The above policy statement gives the Oracle Functions service access to all repositories in the tenancy. If you consider this to be too permissive, then you can restrict the repositories to which Oracle Functions has access by including a where clause in the read repos statement.

      For example, the following policy statement restricts Oracle Functions to accessing only repositories with names that start with 'acme-web-app':

      Allow service FaaS to read repos in tenancy where all {target.repo.name=/acme-web-app*/ }

  3. Click Create.
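The two repository policies above (the group's manage repos statement with its where clause and inspect companion, and the service's read repos statement) can be checked mechanically. The following Python is an added example, not Oracle tooling or part of this documentation: it parses only the statement shapes shown on this page, applies the OCI verb ladder (inspect < read < use < manage) and the /acme-web-app*/ name filter to decide which repositories a subject can reach, and lists repository grants that still lack a where clause. The policy set is constructed from the page's example names.

```python
import re

# Constructed parser for the statement shapes on this page; not the full OCI policy language.
STATEMENT_RE = re.compile(
    r"^Allow\s+(?P<kind>group|service)\s+(?P<who>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<where>.+))?$", re.I)
# The page's repository filter: where all {target.repo.name=/prefix*/ }
REPO_WHERE_RE = re.compile(r"^all\s*\{\s*target\.repo\.name\s*=\s*/([^/]*)/\s*\}$")
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # the OCI verb ladder

def parse(stmt):
    """Split one statement into its parts; keywords are case-folded, names kept as written."""
    m = STATEMENT_RE.match(" ".join(stmt.split()))
    if not m:
        raise ValueError(f"unrecognised statement: {stmt!r}")
    return {k: (v.lower() if k in ("kind", "verb", "resource", "scope") else v)
            for k, v in m.groupdict().items()}

def repo_matcher(where):
    """Turn a where clause into a predicate on repository names; no clause admits every repo."""
    if where is None:
        return lambda name: True
    m = REPO_WHERE_RE.match(where.strip())
    if not m:
        raise ValueError(f"unsupported where clause: {where!r}")
    rx = re.compile("^" + ".*".join(map(re.escape, m.group(1).split("*"))) + "$")
    return lambda name: rx.match(name) is not None

def can(statements, who, verb, resource, scope, repo_name=None):
    """True if a statement grants `who` at least `verb` on `resource` in `scope` (and admits `repo_name`)."""
    for p in map(parse, statements):
        if (p["who"], p["resource"], p["scope"]) != (who, resource.lower(), scope.lower()):
            continue
        if VERB_RANK[p["verb"]] < VERB_RANK[verb]:
            continue
        if repo_name is None or repo_matcher(p["where"])(repo_name):
            return True
    return False

def broad_repo_grants(statements):
    """Least-privilege review item from the page: repo grants at read or above with no where clause."""
    return [s for s in statements if (p := parse(s))["resource"] == "repos"
            and VERB_RANK[p["verb"]] >= VERB_RANK["read"] and p["where"] is None]

# Constructed policy set using the page's example names (the restricted form for the group).
POLICY = [
    "Allow group acme-functions-developers to inspect repos in tenancy",
    "Allow group acme-functions-developers to manage repos in tenancy where all {target.repo.name=/acme-web-app*/ }",
    "Allow service FaaS to read repos in tenancy",
]
```

With this policy set the group can read or manage acme-web-app-frontend but only inspect payments-api, while the service's unrestricted read repos statement is the one grant the review lists for a where clause.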