Overview of IAM in Oracle Cloud Infrastructure
by Rackspace Technology Staff
This blog post introduces the Oracle® Cloud Infrastructure (OCI) Identity and Access Management (IAM) components and shows some features that help you to manage Oracle cloud resources.
The post identifies the types of access for specific resources that you can assign to a group of users and how you can federate OCI with Oracle Identity Cloud Service
(IDCS).
Components of IAM
IAM includes the following components:
- Resource: A resource is an object created in OCI, such as Compute instances, blocks, virtual cloud networks (VCNs), and subnets.
- User: A user is assigned to a group that provides limited privileges and access to OCI resources according to the tenancy and compartment policies for the group.
- Group: A group is a collection of users that have access to the same OCI resources. A user can be a member of one or more groups.
- Dynamic group: A dynamic group provides security and enables you to manage keys on the client side rather than the server side. A dynamic group can link specific instances in the compartment. You can assign a policy to a dynamic group to give specific instances access through an application programming interface (API).
- Compartment: A compartment is a global logical container where you can enforce policies and control access to Compute, Storage, Network, Load Balancer, and other resources. For example, you can use a policy to restrict users, other than administrators, from using the resources created in that compartment.
- Tenancy: A tenancy is the default root compartment and contains all OCI resources. Within the tenancy, administrators can create one or more compartments, users, and groups. The administrators can then assign policies that allow groups to use resources within a compartment.
- Policy: A policy defines who can access resources at group and compartment levels with the following access levels:
  - Inspect
  - Read
  - Use
  - Manage
- Region: A region is a geographical location in which IAM resources reside. IAM service resources are global and can have a single tenancy across multiple regions. Oracle propagates changes made in the home region to all the regions.
- Federation: A federation is a mechanism between two or more parties acting as an identity provider and service provider. It manages users and groups in the identity provider. IDCS provides federation for OCI by default.
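The four access levels are cumulative, so a least-privilege review can compare each policy statement against the highest level a group is meant to hold. The following check is an added example, not part of the original post; it assumes the standard OCI statement form `Allow group <name> to <verb> <resource-type> in tenancy|compartment <name>` (not shown in the post), and the group names, compartment names, and baseline are hypothetical.

```python
import re

# Access levels from the post, lowest to highest; each includes those below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Assumed statement form (standard OCI policy syntax, not shown in the post).
STATEMENT = re.compile(
    r"allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?",
    re.IGNORECASE,
)

def audit_policy(statements, max_verb_by_group):
    """Return (line_no, reason) for statements that exceed the intended level."""
    findings = []
    for line_no, raw in enumerate(statements, start=1):
        m = STATEMENT.fullmatch(raw.strip())
        if m is None or m["verb"].lower() not in VERB_RANK:
            findings.append((line_no, "unrecognized statement, review by hand"))
            continue
        group, verb = m["group"], m["verb"].lower()
        allowed = max_verb_by_group.get(group)
        if allowed is None:
            findings.append((line_no, f"group {group} has no baseline"))
        elif VERB_RANK[verb] > VERB_RANK[allowed]:
            findings.append((line_no, f"{group}: {verb} exceeds baseline {allowed}"))
        if verb == "manage" and m["scope"].lower() == "tenancy":
            findings.append((line_no, f"{group}: manage at tenancy scope"))
    return findings

# Constructed sample: group and compartment names are hypothetical.
SAMPLE_POLICY = [
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow group Auditors to manage instance-family in compartment Finance",
    "Allow group NetOps to manage virtual-network-family in tenancy",
    "Allow group Contractors to use volumes in compartment Dev",
]
BASELINE = {"Auditors": "read", "NetOps": "manage"}

if __name__ == "__main__":
    for line_no, reason in audit_policy(SAMPLE_POLICY, BASELINE):
        print(line_no, reason)
```

Statements for dynamic groups or other subjects fall through to the "review by hand" finding rather than being silently accepted.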
IAM resources
This section describes the scope of resources, resource identifiers, and resource limits.
Scope of resources
Because IAM defines resources as global, they are available across all the
regions and availability domain components.
Resource identifiers
An OCI resource uses a unique name (OCID) with the following syntax:
ocid1.<resource-type>.<realm>.[region][.future-use].<unique-ID>
The OCID placeholders include the following elements:
- ocid1: OCID version.
- resource-type: The type of resources, such as instance, volume, VCN, subnet, user, or group.
- realm: The realm contains a set of regions and shares entities with availability domains. A realm can have the following values:
  - oc1: commercial realm
  - oc2: Government Cloud realm
  - oc3: Federal Government Cloud realm
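Before an OCID goes into a group mapping, policy, or script, it is worth checking that it parses and names the resource type and realm you expect. The parser below is an added example, not part of the original post; it follows the syntax shown above, the allowed character set per field is an assumption, and the sample OCIDs are constructed.

```python
import re
from typing import NamedTuple

KNOWN_REALMS = {"oc1", "oc2", "oc3"}  # realm values listed in the post
# Assumption: non-empty fields use only letters, digits, "-" and "_".
FIELD = re.compile(r"[A-Za-z0-9_-]+")

class Ocid(NamedTuple):
    version: str
    resource_type: str
    realm: str
    region: str      # "" when the OCID carries no region
    future_use: str  # "" when the optional field is absent
    unique_id: str

def parse_ocid(text):
    """Split an OCID into its fields; raise ValueError if it is malformed."""
    parts = text.strip().split(".")
    if len(parts) not in (5, 6):
        raise ValueError(f"expected 5 or 6 fields, got {len(parts)}")
    future_use = parts[4] if len(parts) == 6 else ""
    ocid = Ocid(parts[0], parts[1], parts[2], parts[3], future_use, parts[-1])
    if ocid.version != "ocid1":
        raise ValueError(f"unsupported version {ocid.version!r}")
    for name, value in ocid._asdict().items():
        may_be_empty = name in ("region", "future_use") and value == ""
        if not (may_be_empty or FIELD.fullmatch(value)):
            raise ValueError(f"missing or invalid {name}")
    return ocid

def check_ocid(text, expected_type, expected_realm="oc1"):
    """Return a list of findings; an empty list means the OCID is acceptable."""
    try:
        ocid = parse_ocid(text)
    except ValueError as exc:
        return [f"malformed OCID: {exc}"]
    findings = []
    if ocid.realm not in KNOWN_REALMS:
        findings.append(f"unknown realm {ocid.realm!r}")
    elif ocid.realm != expected_realm:
        findings.append(f"realm {ocid.realm} is not the expected {expected_realm}")
    if ocid.resource_type != expected_type:
        findings.append(f"type {ocid.resource_type} is not the expected {expected_type}")
    return findings

# Constructed sample values, not real identifiers.
GROUP_OCID = "ocid1.group.oc1..aaaaexamplegroupid"
INSTANCE_OCID = "ocid1.instance.oc2.phx.aaaaexampleinstanceid"
```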
Resource limits
An IAM limit is the IAM resources quota that controls the maximum number of
Compute instances in the availability domain.
To view the tenancy's limits and usage by region, perform the following steps:
- Open the IAM console.
- Open the User menu and click Tenancy.
- Click Service Limits.
When an instance reaches the service limit for a specific resource, you can submit a request to increase the service limit and create new resources as needed.
1. Open the Help menu, go to Support, and click Request service limit increase.
2. Enter the following details:
   - Primary contact details
   - Service category
   - Resource
   - Reason for the request
3. Click Submit Request.
Federate with identity providers
OCI supports federation for the following components and identity providers:
- IDCS
- Microsoft® Active Directory®
- Microsoft Azure® Active Directory
- Okta®
- Identity providers that support Security Assertion Markup Language (SAML) 2.0 protocol
In the examples in this blog post, I use IDCS as the identity provider.
Steps to federate with IDCS
Perform the following steps to federate with IDCS:
Step 1: Get the required information from IDCS
- Log in to the OCI IDCS console with admin privileges.
- In the IDCS console, click Applications.
- Click COMPUTEBAREMETAL.
- Click Configuration.
- Expand General Information to display the Client ID.
- Click Show Secret to see the Client Secret.
- Save the Client ID and the Client Secret.
Step 2: Add the identity provider in OCI
1. Sign in to the console with your OCI login credentials.
2. Open the Governance and Administration navigation menu and click Identity -> Federation.
3. Click Add identity provider.
4. Enter the following details:
   a. Name: The name must be unique across all identity providers. Oracle adds the name to the tenancy, and you cannot modify it.
   b. Description: A clear description.
   c. IDCS Base URL: The resource URL.
   d. Client ID: The client identifier that you collected previously.
   e. Client secret: The client secret that you previously collected.
5. Click Show Advanced Options and enter the following details:
   a. Encrypt Assertion: Select the checkbox to enable encryption from the IDP. If you do not select this checkbox, you must set up encryption of the assertion in IDCS.
   b. Tags: You can also apply tags if you have permission to create a resource. To apply a defined tag, you must have permission to use the tag namespace.
6. Click Continue.
7. Define the mappings between IDCS groups and IAM groups in OCI. You can map IDCS groups to zero, one, or multiple IAM groups, and vice versa.
The Federation page now shows the identity provider in the tenancy list. Oracle assigns the OCID to each group mapping.
Step 3: Set up the IAM policies for the groups
Follow your standard procedure to set up the IAM policies for the groups.
Step 4: Give the federated users the tenant and URL
Provide the federated users with the name of the tenant and the sign-in URL. The URL should be similar to the following example:
https://console.us-ashburn-1.oraclecloud.com
Manage identity providers in the console
This section provides the steps to delete an identity provider and to add, update, or delete group mappings for IDCS.
Delete an identity provider
To delete an identity provider, perform the following steps:
1. Delete the Identity Provider from the tenancy.
   a. Open the Governance and Administration navigation menu and click Identity -> Federation to see the list of Identity Providers in the tenancy.
   b. Click on the Identity Provider that you want to delete to view its details.
   c. Click Delete and confirm.
2. Delete the tenancy from the IDCS account.
   a. Open the IDCS console and sign in to the federated account.
   b. Click Applications to display the list of applications.
   c. Find the tenancy and click on its name to view the details page.
   d. Click Deactivate and confirm.
   e. Click Remove and confirm.
Add group mappings for IDCS
To add group mappings for IDCS, perform the following steps:
1. Open the Governance and Administration navigation menu and click Identity to display a list of the identity providers in the tenancy.
2. Click Federation and click on the IDCS federation name to view its details.
3. Click Edit Provider Details.
4. Add at least one mapping.
   a. Click + Add Mapping.
   b. Select an IDCS group from the Identity Provider Group list.
   c. Select the IAM group to get the list of OCI Groups.
   d. Select New OCI Group to create a new OCI group in IAM, rather than a new IAM group, and map the new OCI group to the IDP group.
5. Repeat step 4 for each mapping and click Submit after you have added all the mappings.
Update or delete a group mapping
To update or delete a group mapping, perform the following steps:
1. Open the Governance and Administration navigation menu and click Identity -> Federation to display the list of Identity Providers in the tenancy.
2. Click on an Identity Provider to see the details.
3. Click Edit Mapping.
4. Update the mappings or click on X to delete the mapping.
5. Click Submit.
Conclusion
This blog post describes how different IAM components work together and how you can federate multiple IDCS accounts in OCI.