Policies for Compute Service and Oracle Cloud Agent
To allow Disaster Recovery (DR) to manage compute instances during DR, you must set up policies for Compute Instances and for Oracle Cloud Agent.
Policies for Compute Instances
Shows how to allow Disaster Recovery (DR) to manage compute instances that are part of the application stack.
Allow group DrAdmins to manage instance-family in compartment compartment_nameTo know more about the Identity and Access Management (IAM) policies for compute instances, refer Details for the Core Services.
Policies for Oracle Cloud Agent
Shows how to allow Disaster Recovery (DR) to manage and use Oracle Cloud Agent on compute instances that are part of the application stack.
To correctly configure Oracle Cloud Agent for use by Disaster Recovery:
- Create a new dynamic group and add the compute instance to this new dynamic group or add the compute instance to an existing dynamic group. You can also add the compartment containing the instance to the dynamic group. A dynamic group allows you to group instances based on rules, which can then be assigned policies. See Creating Dynamic Groups and Managing Dynamic Groups.
Any {instance.compartment.id = 'ocid1.compartment.oc1..comp1', instance.compartment.id = 'ocid1.compartment.oc1..comp2'} - Create IAM policies associated with this dynamic group. This IAM policy defines what actions the dynamic group (and thus the instances) can perform. See Writing Policies for Dynamic Groups
Allow dynamic-group <identity_domain_name>/<Dynamic_group_Name> to use instance-agent-command-execution-family in compartment <compute_compartment> Allow dynamic-group <identity_domain_name>/<Dynamic_group_Name> to use instance-agent-command-family in compartment <compute_compartment> Allow dynamic-group <identity_domain_name>/<Dynamic_group_Name> to manage objects in compartment <compute_compartment> - Configure administrator privileges on the instance so that run command can execute commands as the
rootuser on Linux, oradministratoruser on Windows.