The internet has plenty of articles, some right and some wrong, and when you try to run Hands-on Labs by yourself there is a chance you could drift off course or get severely confused. We strictly adhere to the official Oracle Cloud documentation, offering you reliable and precise information without personal interpretations. This means you can trust our content to be 100% genuine.
Prerequisites
Before you start the lab, kindly ensure that you have the following:
- An active OCI account.
- Cloud Administrator permissions to complete this task, so make sure to log in with your default tenancy account or with any Cloud Account Administrator account (if available).
Lab Task:
Set an IAM policy granting a user full permissions to use Cloud Shell (in Public Network).
Lab Task Flow
- A user with full administrator permissions (Previous Emergency User Lab)
- A user with permissions to use one compartment only (Previous day-to-day User Lab)
- Policy Scope
- Open the navigation menu and click Identity & Security. Under Identity, click Policies.
- Under List Scope, ensure that you are in your root compartment.
- Under the list of policies, choose the name of the policy that needs to be changed.
- In our case the policy name is Demo1policy.
- Inside the policy, under Statements, click the Edit Policy Statement button. This opens the Edit Policy Statements page.
- In the Policy Builder option, choose Basic.
- Click the Another Statement button.
- Copy and paste the policy below into the text box.
- Click the Save Changes button.
- OCI Service Network: this is the default mode, and provides access only to other OCI resources in your home region for your tenancy
- Cloud Shell Public Network: this networking mode allows access to the public internet, but must be enabled by your administrator
- Private Network Access: a configurable network that allows you to access resources in your private network without having the network traffic flow over public networks
Task 1: Understanding the Scenario
There are two basic types of users:
By default, every OCI tenancy has a tenancy administrator (the default root compartment administrator), which is any user who is a member of the default Administrators group. Once compartments are created, they are assigned their own administrators, who can then create sub-compartments and assign delegated administrators to each of them.
Now, as a Cloud Account Administrator, you have created a new user with permissions to use one compartment only, and the new user complains to you that he can't open Cloud Shell and says it shows the image below when he tries to do so.

Task 2: Understanding the Previously Assigned policy
In our previous lab we assigned only the policy statement below to the new user we created.
Allow group Demo1group to manage all-resources in compartment DemoComp1
Although this statement grants members of Demo1group full access to the DemoComp1 compartment, it does not grant the user permission to use Cloud Shell; you need to add another, specific policy statement for that.
Cloud Shell does not support policies at the compartment level, only at the tenancy level.
Task 3: Understanding Policy Scope
Cloud Shell policies can be scoped to the tenancy only, not to a compartment.

Task 4: Update a New Policy Statement
Log in with your default tenancy account or as a Cloud Account Administrator.
Allow group Demo1group to use cloud-shell in tenancy
Allow group Demo1group to use cloud-shell-public-network in tenancy
Public network IAM policies and Security Zone policies may take up to 24 hours to take effect for existing Cloud Shell Sessions. You can enact policy updates immediately by restarting your Cloud Shell from the Actions menu.
Required concept knowledge
Different types of CloudShell Connections
The networking mode for your Cloud Shell session depends on how your administrator has configured your Identity policy.
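To see how the policy statements determine the networking mode, the following Python example (added here, not Oracle's code and not part of the original lab) evaluates a list of statements for one group. It assumes the simple statement form used in this lab, treats `use` and `manage` as granting verbs, and does not model Private Network Access or tenancy-wide `all-resources` grants; the function name `cloud_shell_mode` and the sample lists are constructed for illustration.

```python
import re

# Matches the simple statement form used in this lab:
#   Allow group <name> to <verb> <resource-type> in tenancy
#   Allow group <name> to <verb> <resource-type> in compartment <name>
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)
GRANTING_VERBS = {"use", "manage"}  # OCI verbs are cumulative: manage includes use
SHELL_RESOURCES = ("cloud-shell", "cloud-shell-public-network")


def cloud_shell_mode(statements, group):
    """Return (mode, findings) for `group`; mode is None when Cloud Shell is denied."""
    tenancy_grants, findings = set(), []
    for text in statements:
        m = STATEMENT.match(text)
        if not m:
            findings.append(f"unparsed: {text!r}")
            continue
        if m["group"] != group:
            continue
        resource = m["resource"].lower()
        if resource not in SHELL_RESOURCES:
            continue  # e.g. all-resources in a compartment does not cover Cloud Shell
        if m["scope"].lower() != "tenancy":
            # Cloud Shell policies only work at the tenancy level
            findings.append(f"ignored, not tenancy-scoped: {text!r}")
        elif m["verb"].lower() in GRANTING_VERBS:
            tenancy_grants.add(resource)
    if "cloud-shell" not in tenancy_grants:
        return None, findings
    if "cloud-shell-public-network" in tenancy_grants:
        return "Cloud Shell Public Network", findings
    return "OCI Service Network", findings  # default mode


# Constructed sample: the lab's policy before and after Task 4.
BEFORE = ["Allow group Demo1group to manage all-resources in compartment DemoComp1"]
AFTER = BEFORE + [
    "Allow group Demo1group to use cloud-shell in tenancy",
    "Allow group Demo1group to use cloud-shell-public-network in tenancy",
]

if __name__ == "__main__":
    for label, stmts in (("before", BEFORE), ("after", AFTER)):
        print(label, cloud_shell_mode(stmts, "Demo1group"))
```

Running the same check over an exported policy is a quick way to list which groups have been given public-internet access from Cloud Shell.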
Conclusion
Setting up correct policies with proper syntax and scope will ensure safety.