Oracle Cloud Infrastructure Documentation

Create Policies to Control Access to Network and Function-Related Resources

Before users can start using Oracle Functions to create and deploy functions, as a tenancy administrator you have to create a number of Oracle Cloud Infrastructure policies to grant access to function-related and network resources. You have to:

See Details for Functions for more information about policies.

Summary of Policies to Create for Oracle Functions

Policy to give: Users access to repositories in Oracle Cloud Infrastructure Registry
Where to create the policy: Root compartment
Statement: Allow group <group-name> to manage repos in tenancy
More information and examples: Create a Policy to Give Oracle Functions Users Access to Oracle Cloud Infrastructure Registry Repositories

Policy to give: Users access to function-related resources
Where to create the policy: Compartment that owns function-related resources
Statement: Allow group <group-name> to manage functions-family in compartment <compartment-name>
More information and examples: Create a Policy to Give Oracle Functions Users Access to Function-Related Resources

Policy to give: Users access to network resources
Where to create the policy: Compartment that owns network resources
Statement: Allow group <group-name> to use virtual-network-family in compartment <compartment-name>
More information and examples: Create a Policy to Give Oracle Functions Users Access to Network Resources

Policy to give: Oracle Functions service access to network resources
Where to create the policy: Root compartment
Statement: Allow service FaaS to use virtual-network-family in compartment <compartment-name>
More information and examples: Create a Policy to Give the Oracle Functions Service Access to Network Resources

Policy to give: Oracle Functions service access to repositories in Oracle Cloud Infrastructure Registry
Where to create the policy: Root compartment
Statement: Allow service FaaS to read repos in tenancy
More information and examples: Create a Policy to Give the Oracle Functions Service Access to Repositories in Oracle Cloud Infrastructure Registry

Create a Policy to Give Oracle Functions Users Access to Oracle Cloud Infrastructure Registry Repositories

When Oracle Functions users work with functions, they have to access repositories in Oracle Cloud Infrastructure Registry. Users can only access repositories to which the groups they belong to have been granted access. To enable users to access a repository, you must create an identity policy to grant the groups access to that repository.

To create a policy to give Oracle Functions users access to repositories in Oracle Cloud Infrastructure Registry:

1. Log in to the Console as a tenancy administrator and create a new policy in the root compartment:

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

  2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-ocir-access).
2. Specify a policy statement to give the group access to repositories in Oracle Cloud Infrastructure Registry:

  Allow group <group-name> to manage repos in tenancy

  where <group-name> is the name of the group to which users using Oracle Functions belong.

  For example:

  Allow group acme-functions-developers to manage repos in tenancy

  The above policy statement gives the group permission to manage all repositories in the tenancy. If you consider this too permissive, you can restrict the repositories to which the group has access by including a where clause in the manage repos statement. Note that if you do include a where clause, you must also include a second statement in the policy to enable the group to inspect all repositories in the tenancy (when using the Console).

  For example, the following policy statements restrict the group to accessing only repositories with names that start with 'acme-web-app', but also enable the group to inspect all repositories in the tenancy:

  Allow group acme-functions-developers to inspect repos in tenancy

  Allow group acme-functions-developers to manage repos in tenancy where all {target.repo.name=/acme-web-app*/ }
3. Click Create.

Create a Policy to Give Oracle Functions Users Access to Function-Related Resources

When Oracle Functions users create functions and applications, they have to specify a compartment for those function-related resources. Users can only specify a compartment to which the groups they belong to have been granted access. To enable users to specify a compartment, you must create an identity policy to grant the groups access to that compartment.

To create a policy to give Oracle Functions users access to function-related resources in the compartment that will own those resources:

1. Log in to the Console as a tenancy administrator and create a new policy in the compartment that will own Oracle Functions resources:
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

  2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-manage-access).
2. Specify a policy statement to give the group access to all function-related resources in the compartment:

  Allow group <group-name> to manage functions-family in compartment <compartment-name>

  For example:

  Allow group acme-functions-developers to manage functions-family in compartment acme-functions-compartment
3. Click Create.

Create a Policy to Give Oracle Functions Users Access to Network Resources

When Oracle Functions users create a function or application, they have to specify a VCN and a subnet in which to create them. Users can only specify VCNs and subnets in compartments to which the groups they belong to have been granted access. To enable users to specify a VCN and subnet, you must create an identity policy to grant the groups access to the compartment.

To create a policy to give Oracle Functions users access to network resources:

1. Log in to the Console as a tenancy administrator and create a new policy in the compartment that will own network resources:
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

  2. Follow the instructions in To create a policy, and give the policy a name (for example, acme-functions-developers-manage-network-access).
2. Specify a policy statement to give the group access to the network resources in the compartment:

  Allow group <group-name> to use virtual-network-family in compartment <compartment-name>

  For example:

  Allow group acme-functions-developers to use virtual-network-family in compartment acme-network
3. Click Create.

Create a Policy to Give the Oracle Functions Service Access to Network Resources

When Oracle Functions users create a function or application, they have to specify a VCN and a subnet in which to create them. To enable the Oracle Functions service to create the function or application in the specified VCN and subnet, you must create an identity policy to grant the Oracle Functions service access to the compartment to which the network resources belong.

To create a policy to give the Oracle Functions service access to network resources:

1. Log in to the Console as a tenancy administrator.
2. Create a new policy in the root compartment:
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

  2. Follow the instructions in To create a policy, and give the policy a name (for example, functions-service-network-access).
  3. Specify a policy statement to give the Oracle Functions service access to the network resources in the compartment:

    Allow service FaaS to use virtual-network-family in compartment <compartment-name>

    For example:

    Allow service FaaS to use virtual-network-family in compartment acme-network
3. Click Create.

Create a Policy to Give the Oracle Functions Service Access to Repositories in Oracle Cloud Infrastructure Registry

The Oracle Functions service must have read access to the function images stored in repositories in Oracle Cloud Infrastructure Registry. To enable the Oracle Functions service to access repositories in Oracle Cloud Infrastructure Registry, you must create an identity policy.

To create a policy to give the Oracle Functions service access to repositories in Oracle Cloud Infrastructure Registry:

1. Log in to the Console as a tenancy administrator.
2. Create a new policy in the root compartment:
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.

  2. Follow the instructions in To create a policy, and give the policy a name (for example, functions-service-repos-access).
  3. Specify a policy statement to give the Oracle Functions service access to all repositories in the tenancy:

    Allow service FaaS to read repos in tenancy

    The above policy statement gives the Oracle Functions service access to all repositories in the tenancy. If you consider this too permissive, you can restrict the repositories to which Oracle Functions has access by including a where clause in the read repos statement.

    For example, the following policy statement restricts Oracle Functions to accessing only repositories with names that start with 'acme-web-app':

    Allow service FaaS to read repos in tenancy where all {target.repo.name=/acme-web-app*/ }
3. Click Create.
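Both the user policy for Registry repositories (step 2 of the first procedure) and the service policy above make the same least-privilege point: a tenancy-wide manage repos or read repos grant can be narrowed with a where clause on target.repo.name, and a where-scoped manage repos statement needs a companion inspect repos in tenancy statement for the Console. The following Python script is an added example, not Oracle's code and not part of this page: it parses the Allow ... to ... in ... [where ...] statement shape used here, applies those two checks to a policy's statement list, and tests repository names against the where-clause pattern. The function names (lint_policy, parse_statement, repo_name_pattern, repo_name_allowed) are the example's own, the sample policies are constructed from the statements shown on this page, and the script assumes that the '*' in /acme-web-app*/ stands for any suffix, as the page's wording ("names that start with 'acme-web-app'") indicates.

```python
"""Least-privilege lint for the OCI IAM policy statements used with Oracle Functions.

Added example, not Oracle's code. It handles the subset of the policy statement
grammar shown on this page: Allow <subject> to <verb> <resource-type> in <location>
[where <condition>].
"""
import re

# Subset of the OCI policy statement grammar covering the statements on this page.
STATEMENT_RE = re.compile(
    r"^Allow\s+(?P<subject>group\s+\S+|service\s+\S+|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+"
    r"(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_statement(statement):
    """Split one policy statement into its parts; raise on anything outside the subset."""
    m = STATEMENT_RE.match(statement.strip())
    if m is None:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    parts = m.groupdict()
    return {
        "subject": " ".join(parts["subject"].split()),
        "verb": parts["verb"].lower(),
        "resource": parts["resource"].lower(),
        "location": " ".join(parts["location"].split()),
        "condition": parts["condition"],
    }


def repo_name_pattern(condition):
    """Return the /pattern/ from a target.repo.name condition, or None if there is none."""
    m = re.search(r"target\.repo\.name\s*=\s*/([^/]*)/", condition or "")
    return m.group(1) if m else None


def repo_name_allowed(pattern, repo_name):
    """Check a repository name against a pattern taken from a where clause.

    Assumption (not taken from Oracle's documentation): '*' stands for any run of
    characters and every other character is literal, which is how this page reads
    /acme-web-app*/ ("names that start with 'acme-web-app'").
    """
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, repo_name) is not None


def lint_policy(statements):
    """Return a list of human-readable findings for one policy's statements."""
    parsed = [parse_statement(s) for s in statements]
    findings = []
    for p in parsed:
        if p["resource"] != "repos":
            continue  # the checks below only concern Registry repositories
        tenancy_wide = p["location"] == "tenancy" and p["condition"] is None
        # Check 1: manage/read/use repos across the whole tenancy with no where clause.
        if tenancy_wide and p["verb"] != "inspect":
            findings.append(
                f"{p['subject']}: tenancy-wide '{p['verb']} repos' with no where clause; "
                "consider restricting target.repo.name"
            )
        # Check 2: a where-scoped manage repos needs 'inspect repos in tenancy' for the Console.
        if p["verb"] == "manage" and p["condition"] is not None:
            has_inspect = any(
                q["subject"] == p["subject"] and q["resource"] == "repos"
                and q["verb"] == "inspect" and q["location"] == "tenancy"
                for q in parsed
            )
            if not has_inspect:
                findings.append(
                    f"{p['subject']}: 'manage repos' is scoped by a where clause but no "
                    "'inspect repos in tenancy' statement accompanies it "
                    "(the Console needs it to list repositories)"
                )
    return findings


# Constructed sample policies, built from the statements shown on this page.
BROAD_USER_POLICY = [
    "Allow group acme-functions-developers to manage repos in tenancy",
]
SCOPED_USER_POLICY = [
    "Allow group acme-functions-developers to inspect repos in tenancy",
    "Allow group acme-functions-developers to manage repos in tenancy where all {target.repo.name=/acme-web-app*/ }",
]
SCOPED_SERVICE_POLICY = [
    "Allow service FaaS to read repos in tenancy where all {target.repo.name=/acme-web-app*/ }",
]

if __name__ == "__main__":
    for name, policy in [("broad", BROAD_USER_POLICY), ("scoped", SCOPED_USER_POLICY),
                         ("service", SCOPED_SERVICE_POLICY)]:
        print(name, lint_policy(policy) or ["no findings"])
    pattern = repo_name_pattern(SCOPED_USER_POLICY[1].split(" where ", 1)[1])
    print(pattern, repo_name_allowed(pattern, "acme-web-app-frontend"),
          repo_name_allowed(pattern, "acme-billing"))
```

Run it to see the broad policy flagged, the scoped user and service policies pass, and the where-clause pattern admit acme-web-app-frontend but not acme-billing. Dropping the inspect statement from the scoped user policy produces the second finding, which is the case the page warns about for Console users. The checker deliberately ignores the functions-family and virtual-network-family statements, which are already compartment-scoped on this page.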