Oracle Cloud Infrastructure and Dynamic Groups – what are they?

You might have seen dynamic groups mentioned when browsing through OCI console or when you’ve read the documentation. One of the most important things when creating services is handling access to specific services so that your access keys are not compromised.

This is one neat way of managing that in the cloud. Instead of storing keys and passwords on the server where your service is running on you can create a dynamic group which is then linked to specific instances you choose in your compartment. If you’ve used AWS earlier then similar configurations there are called instance profiles.

In OCI the dynamic group is then assigned a policy which determines what the instances in the group can access through API’s. You have option to use variety of different methods such as the OCI SDK’s, oci-cli or even Terraform! Some of the authentication methods are described here.

Testing Dynamic Groups

To test functionality of dynamic groups I’ve created one public instance in OCI and created dynamic group “dynamic-group-test” with a rule that all instances in specific compartment belong to that group. You have possibility to use rule builder for simple rules or then create more complex rules with exclusions or rules based on tags by typing them yourself.

 ALL {instance.compartment.id = 'ocid1.compartment.oc1..xxxxx'} 

After that I’ve created following policy under Policies:

Allow dynamic-group dynamic-group-test to manage buckets in tenancy

That’s a huge privilege to assign for a group! If you are doing a real implementation always go with the least privilege so your systems don’t get wide privileges by default. Even though managing security in cloud is in some ways made lot easier compared to on-premise world it’s one area what is still neglected due to doing it properly will take time and effort. So don’t be that person who skips it!

After logging to my server I installed oci-cli on it to see how can I access object storage. You can install oci-cli using following command:

bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

Why it’s not pre-installed in OCI compute instances or via yum package is beyond my understanding. Would be great if it gets added! To use oci-cli without doing the setup with your keys you need to use the flag –auth instance_principal.

If I want to query my namespace:

[opc@mydemoserver ~]$ oci os ns get --auth instance_principal
{
  "data": "simodemo"
}

But I can do more as I gave full access to object storage for this instance. So I’ll create a bucket in my compartment:

[opc@myjumpserver ~]$ oci os bucket create --name simo1 --compartment-id ocid1.compartment.oc1..xxxxx --auth instance_principal
{
  "data": {
    "approximate-count": null,
    "approximate-size": null,
    "compartment-id": "ocid1.compartment.oc1..xxxxx",
    "created-by": "ocid1.instance.oc1.eu-frankfurt-1.xxxxx",
    "defined-tags": {},
    "etag": "c77f88e7-1859-422e-af1b-fa1afd8defff",
    "freeform-tags": {},
    "kms-key-id": null,
    "metadata": {},
    "name": "simo1",
    "namespace": "simodemo",
    "object-lifecycle-policy-etag": null,
    "public-access-type": "NoPublicAccess",
    "storage-tier": "Standard",
    "time-created": "2019-04-01T14:56:54.841000+00:00"
  },
  "etag": "c77f88e7-1859-422e-af1b-fa1afd8defff"
}

Works like a charm! But can I do more with oci-cli now such as list all instances running in specific compartment?

[opc@myjumpserver ~]$ oci compute instance list --compartment-id ocid1.compartment.oc1..xxxxx --auth instance_principal
ServiceError:
{
    "code": "NotAuthorizedOrNotFound",
    "message": "Authorization failed or requested resource not found.",
    "opc-request-id": "BE3413852ED54B95BF9D724C3AAF2B99/21A0503F15C35E278F221214B346C541/3E184B8AAE7889A047C2B32753DECE94",
    "status": 404
}

Access is strictly restricted within those policies I give to the dynamic group. If I add following policy:

Allow dynamic-group dynamic-group-test to read instances in tenancy

I can then instantly query my compute instances without issues.

Summary

Using dynamic groups in OCI is great way to enhance your solution security and stop managing keys on the server side. Just think the access from the least privilege perspective so instances don’t get too wide permissions.

I think Oracle is cycling the keys automatically and they are only temporary when the instance needs them but I couldn’t yet find deeper info on that. If I get that information in the future I will update this post accordingly.

Dynamic groups should definitely be part of your strategy if you need to access OCI services from your instances.

Simo

View Comments

  • Again a great article! I am using the Dynamics Group for my grafana instance in OCI and works like a charm. Just so you know I have also added you to my blog roll on http://www.oc-blog.com, hope that is ok with you.

  • Hi ,
    I want to list all the instances/services created, not only compute.

    Is there any CLI or API for Oracle Cloud Infrastructure, which can list everything created on tenancy, with details like instance name, which user created it, and when.. kind of...
    [Service Limits, can get all in one go, but it will only give number of instances]

    Currently I am getting details like separate for Autonomous Databases, another for DB Systems, another for compute, another ... another...

    Please let me know, if we can get ALL INSTANCES DETAILS in one shot.

Recent Posts

Autonomous Database Audit Logs to Logging Service Part 1

I recently came across requirement to get OCI Oracle Autonomous Database audit logs to OCI…

5 days ago

Connecting to Autonomous Database Running on Google Cloud

Last time I showed how to provision Autonomous Database Serverless (ADB-S) on Google Cloud. This…

2 months ago

Can you believe it? Provisioning Autonomous Database in GCP!

I bet few years back folks didn't expect that by 2024 we would be able…

2 months ago

IP Address Insights with CLI

My previous post on IP Address Insights I mentioned it wasn't yet available with CLI…

6 months ago

Thoughts on Oracle Database@Azure

This will NOT be a technical walkthrough on Oracle Database@Azure but rather my opinions and…

6 months ago

OCI Vulnerability Scanning Setup

Many times when you work for someone, they already have their own vulnerability scanning throughout…

6 months ago