Continuing on the series Back To Cloud Basics, I will now create a compartment, user, group, and policy for this group using OCI CLI.
The first thing that we should do is set up OCI CLI. I won’t go into this blog post on how to set it up, but you can go to this blog post I wrote several years ago on how to do it and get started, don’t forget to install JQ as well.
The first thing to do is to get a list of the compartments you currently have with the following command
oci iam compartment list –query “data[*].{Name:name,OCID:id,\”Parent OCID\”:\”compartment-id\”}” –output table –include-root
Rene@eclipsyss-mbp ~ % oci iam compartment list --query "data[*].{Name:name,OCID:id,\"Parent OCID\":\"compartment-id\"}" --output table --include-root
+---------------------------+-------------------------------------------------------------------------------------+---------------------------------------------------------------------------------+
| Name | OCID | Parent OCID |
+---------------------------+-------------------------------------------------------------------------------------+---------------------------------------------------------------------------------+
| reneantunezace | ocid1.tenancy.oc1..aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb | None |
| ManagedCompartmentForPaaS | ocid1.compartment.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | ocid1.tenancy.oc1..aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb |
| reneacedev | ocid1.compartment.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | ocid1.tenancy.oc1..aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb |
| reneacetest | ocid1.compartment.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | ocid1.tenancy.oc1..aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb |
+---------------------------+-------------------------------------------------------------------------------------+---------------------------------------------------------------------------------+
You can choose the parent compartment where you will be creating it, if you choose the compartment where the Parent OCID is equal to none, it means that you will be creating the compartment in the root. The name must be unique across all compartments in the parent compartment. You can create it with the command below
oci iam compartment create –compartment-id [OCID] –name [Compartment Name] –description [Free Form Description]
Rene@eclipsyss-mbp ~ % export description="This is a test compartment for my blog post series on OCI Basics"
Rene@eclipsyss-mbp ~ % export parent_compartment="ocid1.tenancy.oc1..aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
Rene@eclipsyss-mbp ~ % export comp_name="reneaceiamblog"
Rene@eclipsyss-mbp ~ % oci iam compartment create --compartment-id $parent_compartment --name $comp_name --description $description
{
"data": {
"compartment-id": "ocid1.tenancy.oc1..aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
"defined-tags": {
"Oracle-Tags": {
"CreatedBy": "oracleidentitycloudservice/xxxxxxxxxx@gmail.com",
"CreatedOn": "2023-04-06T15:02:32.261Z"
}
},
"description": "This is a test compartment for my blog post series on OCI Basics",
"freeform-tags": {},
"id": "ocid1.compartment.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"inactive-status": null,
"is-accessible": true,
"lifecycle-state": "ACTIVE",
"name": "reneaceiamblog",
"time-created": "2023-04-06T15:02:32.359000+00:00"
},
"etag": "0d2b9cXXXXXXXe92f740c3XXXXXXXXXe017da411"
}
For the next part, we will be creating a user in our tenancy. The name for the user must be unique across all users in your tenancy and cannot be changed. As of this writing, I can’t create a federated user ( Users who log in to OCI via an identity provider) via OCI CLI.
Rene@eclipsyss-mbp ~ % export description="First user for my blog post series on OCI Basics"
Rene@eclipsyss-mbp ~ % export name="reneace@xxxxx.com"
Rene@eclipsyss-mbp ~ % export email="reneace@xxxxx.com"
Rene@eclipsyss-mbp ~ % oci iam user create --description $description --name $name --email $email
{
"data": {
...
"description": "First user for my blog post series on OCI Basics",
"email": "reneace@xxxxx.com",
"email-verified": false,
"external-identifier": null,
"freeform-tags": {},
"id": "ocid1.user.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"identity-provider-id": null,
"inactive-status": null,
"is-mfa-activated": false,
"last-successful-login-time": null,
"lifecycle-state": "ACTIVE",
"name": "reneace@xxxxx.com",
"previous-successful-login-time": null,
"time-created": "2023-04-06T15:26:50.283000+00:00"
},
"etag": "f1cb8fbf089a7b4bdb0f8887356c13fd74958c25"
}
We will now be creating a group in our tenancy. The group name must be unique across all groups in your tenancy and cannot be changed. We will be using this name or the OCID when writing policies that apply to the group. Once the group is created, we need to assign the user created above to the new group.
Rene@eclipsyss-mbp ~ % export description="This is a test group for my blog post series on OCI Basics"
Rene@eclipsyss-mbp ~ % export name="ocibasics"
Rene@eclipsyss-mbp ~ % oci iam group create --description $description --name $name
{
"data": {
"compartment-id": "ocid1.tenancy.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
...
"description": "This is a test group for my blog post series on OCI Basics",
"freeform-tags": {},
"id": "ocid1.group.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"inactive-status": null,
"lifecycle-state": "ACTIVE",
"name": "ocibasics",
"time-created": "2023-04-06T15:36:30.312000+00:00"
},
"etag": "8519ac6479b58e56fb3e69c9c490982a3ff0f550"
}
Now I will query the OCID for the newly created group and assign it to the user I initially created in this blog post. With this and with the user OCID, I will assign the user to the group. One of the things that you have to do for you to be able to add value is to remove quotation marks.
Rene@eclipsyss-mbp ~ % export group=`oci iam group list --query "data[?name == 'ocibasics'].{OCID:id}" | jq '.[].OCID' | tr -d '"' `
Rene@eclipsyss-mbp ~ % echo $group
ocid1.group.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Rene@eclipsyss-mbp ~ % export user=`oci iam user list --query "data[?name == 'reneace@xxxxx.com'].{OCID:id}" | jq '.[].OCID' | tr -d '"' `
Rene@eclipsyss-mbp ~ % echo $user
ocid1.user.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Rene@eclipsyss-mbp ~ % oci iam group add-user --group-id=$group --user-id=$user
{
"data": {
"compartment-id": "ocid1.tenancy.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"group-id": "ocid1.group.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"id": "ocid1.groupmembership.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"inactive-status": null,
"lifecycle-state": "ACTIVE",
"time-created": "2023-04-06T16:05:45.182000+00:00",
"user-id": "ocid1.user.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
},
"etag": "8ac9ed49bab45b7f1db11f7715973ac7db6e46c9"
}
As the last step, I will now create a policy for the group ocibasics to be able to manage all resources in the reneaceiamblog compartment. The name you assign to the policy during creation. The name must be unique across all policies in the tenancy and cannot be changed. It is highly recommended that you use the json file for the statements that you will be adding.
Rene@eclipsyss-mbp ~ % export compartment=`oci iam compartment list --query "data[?name == 'reneaceiamblog'].{OCID:id}" | jq '.[].OCID' | tr -d '"'`
Rene@eclipsyss-mbp ~ % echo $compartment
ocid1.compartment.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Rene@eclipsyss-mbp ~ % export description="Grants ocibasics group full permissions on the reneaceiamblog compartment."
Rene@eclipsyss-mbp ~ % export name="OCIBasicsFullPerms"
Rene@eclipsyss-mbp ~ % oci iam policy create --compartment-id $compartment_id --description $description --name $name --statements file:///tmp/statements.json
{
"data": {
"compartment-id": "ocid1.compartment.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
...
"description": "Grants ocibasics group full permissionson the reneaceiamblog Compartment.",
"freeform-tags": {},
"id": "ocid1.policy.oc1..aaaaaaaaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"inactive-status": null,
"lifecycle-state": "ACTIVE",
"name": "OCIBasicsFullPerms",
"statements": [
"Allow group ocibasics to manage all-resources in compartment reneaceiamblog"
],
"time-created": "2023-04-06T16:26:31.505000+00:00",
"version-date": null
},
"etag": "469379ed5d5eef02da76df6b7a8c39f09be2fcc1"
}
What we just went through is an example of how to create these resources, I hope that you follow the CIS OCI Foundations Benchmark, and create the compartments and groups below, you can have all these 4 compartments in an enclosing compartment, so this can be per application or line of business.
Hope this blog post helps you get started with IAM in OCI and as well with doing it with OCI CLI so that you can think about automation options with these commands.