Locking a Snapshot
Lock a File Storage snapshot to prevent updates, moves, and manual deletions. Locks help protect resources against tampering.
A lock on a snapshot doesn't prevent the system from automatically deleting a snapshot with an expiration date. Expiring snapshots are still deleted, even if they have a resource lock.
OCI resource locks include the following types:
- Delete lock: Prevents deletion of the locked resource.
- Full lock: Prevents update, move, and deletion of the locked resource.
You can only add or remove one lock type at a time, but both locks can be applied to a resource. For example, you might initially apply a delete lock, but choose to apply a full lock at a later time.
The user who places a lock is the lock owner. Any authorized user with lock privilege or users with global manage permission of the tenancy has the authorization to create and remove any lock in the tenancy. You can override or remove locks.
Required IAM Policy
To create locks, in addition to permissions to manage the snapshot, you need permissions to manage locks.
To lock a snapshot, you must have RESOURCE_LOCK_ADD permissions.
- On the File Systems list page, select the file system that contains the snapshot that you want to work with. If you need help finding the list page or the file system, see Listing File Systems.
- On the details page, select Snapshots.
- Select the snapshot that you want to lock.
- On the snapshot's details page, next to Resource Locking, select Add.
- In the Add Lock dialog box, select the lock type and select Save changes.
Use the
oci fs snapshot addcommand and required parameters to lock a snapshot:oci fs snapshot add --snapshot-id <snapshot_OCID> --type <lock_type>For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
Run the AddSnapshotLock operation to lock a snapshot.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.