When you configure backups for Oracle Cloud Infrastructure (OCI) instances, Oracle Resource Manager uses the Metallic-provided Resource Manager template to configure the IAM permissions for API key-based authentication, which enables users to perform operations for OCI.
The Oracle Resource Manager template creates an IAM user (MetallicServiceAccount) in the IAM group (MetallicGroup). Then, it creates and assigns an IAM policy (MetallicPolicy) to the group. MetallicPolicy has the minimum permissions that are required to perform backup and restore operations.
Required Permissions
At the tenant level:
Resource | Level | Backup | Recovery | VM Conversion |
---|---|---|---|---|
compartments | inspect | Yes | Yes | Yes |
subnets | use | -- | Yes | -- |
vcns | inspect | -- | Yes | -- |
vnics | use | -- | Yes | -- |
At the compartment level, for the compartment of each source instance and for each target compartment of future restored instances:
Resource | Level | Backup | Recovery | VM Conversion | BYOS Object Storage |
---|---|---|---|---|---|
boot-volume-backups | manage | Yes | Yes | -- | -- |
buckets | create | Yes | Yes | Yes | Yes |
buckets | PAR_MANAGE for Preauthenticated Requests | -- | -- | Yes | Yes |
buckets | inspect | Yes | Yes | -- | Yes |
instance-images | manage | Yes | Yes | Yes | -- |
instances | manage | Yes | Yes | Yes | -- |
objects | manage | Yes | Yes | Yes | Yes |
subnets | use | Yes | Yes | Yes | -- |
vcns | inspect | Yes | Yes | Yes | -- |
vnic-attachments | inspect | Yes | Yes | Yes | -- |
vnics | use | Yes | Yes | Yes | -- |
volume-attachments | manage | Yes | Yes | Yes | -- |
volume-backups | manage | Yes | Yes | -- | -- |
volumes | manage | Yes | Yes | Yes | -- |
At the backup gateway compartment level:
Resource | Level | Backup | Recovery | VM Conversion |
---|---|---|---|---|
instances | use | Yes | Yes | Yes |
volume-attachments | manage | Yes | Yes | Yes |
volumes | use | Yes | Yes | Yes |
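
One way to confirm that the policy attached to MetallicGroup stays at the minimum described here is to compare its statements with the tenant-level table. The following is an added example, not part of the Metallic template or of Oracle's tooling. It assumes statements of the plain form `Allow group <name> to <verb> <resource> in tenancy`, and the function name and sample statements are constructed for illustration.

```python
import re

# Verb hierarchy in OCI IAM policy statements, weakest to strongest.
VERBS = ["inspect", "read", "use", "manage"]

# Tenant-level rows from the table on this page: resource -> required level.
TENANT_REQUIRED = {"compartments": "inspect", "subnets": "use",
                   "vcns": "inspect", "vnics": "use"}

STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)",
    re.IGNORECASE)

def audit_tenancy(statements, group="MetallicGroup", required=TENANT_REQUIRED):
    """Return (excess, missing, unparsed) for the group's tenancy-scoped grants.

    excess: grants above the required level or on resources not in the table;
    missing: required resources lacking a direct grant; unparsed: skipped lines.
    """
    # Assumption: aggregate types and "where" conditions are not expanded.
    granted, excess, unparsed = {}, [], []
    for line in statements:
        m = STATEMENT.match(line)
        if not m or m["verb"].lower() not in VERBS:
            unparsed.append(line)  # e.g. permission-list syntax; review by hand
            continue
        if m["group"].lower() != group.lower() or m["scope"].lower() != "tenancy":
            continue  # other groups and compartment scopes are not checked here
        resource, level = m["resource"].lower(), VERBS.index(m["verb"].lower())
        granted[resource] = max(level, granted.get(resource, -1))
        need = required.get(resource)
        if need is None or level > VERBS.index(need):
            excess.append((resource, m["verb"].lower(), need))
    missing = [r for r, need in required.items()
               if granted.get(r, -1) < VERBS.index(need)]
    return excess, missing, unparsed

# Constructed sample statements (not the contents of the Metallic template).
SAMPLE = [
    "Allow group MetallicGroup to inspect compartments in tenancy",
    "Allow group MetallicGroup to manage subnets in tenancy",
    "Allow group MetallicGroup to inspect vcns in tenancy",
    "Allow group MetallicGroup to manage all-resources in tenancy",
    "Allow group Auditors to read all-resources in tenancy",
]

if __name__ == "__main__":
    print(audit_tenancy(SAMPLE))
```

Statements that land in `unparsed` need manual review, since the parser only understands the four standard verbs.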