When you configure backups for OCI instances, Oracle Resource Manager uses the Commvault Cloud-provided Resource Manager template to set up the IAM permissions required for API key-based authentication to Oracle Cloud Infrastructure (OCI).
The Oracle Resource Manager template creates an IAM user (MetallicServiceAccount) in the IAM group (MetallicGroup). It then creates an IAM policy (MetallicPolicy) and assigns it to the group. MetallicPolicy grants only the minimum permissions required to perform backup and restore operations.
Note
If you deploy OCI guest instances to compartments, you can back up and restore within the same compartment, provided that the guest instances and the backup gateway are located in the same compartment.
To back up and restore between different compartments (for example, from Compartment1 to Compartment2), you must add a policy that grants the permissions needed for backups and restores across the two compartments. For example, the following policy statement grants the user group of the VSA-Test compartment the required permission on the VSA-Dev compartment:

```text
Allow group Group_VSA-Test to manage boot-volume-backups in compartment VSA-Dev
```
Required Permissions
The following permissions are required.
At tenant level:
| Resource | Level | Backup | Recovery | VM Conversion |
|---|---|---|---|---|
| compartments | inspect | Yes | Yes | Yes |
| subnets | use | -- | Yes | -- |
| tag-namespaces | use | Yes | Yes | -- |
| vcns | inspect | -- | Yes | -- |
| vnics | use | -- | Yes | -- |
Note
If the source instance was created from a Marketplace image, also add the following policy statement (replace [group_name] with your group):

```text
Allow group [group_name] to read app-catalog-listing in tenancy
```
At compartment level, for the compartment of each source instance and for each target compartment into which instances may later be restored:
| Resource | Level | Backup | Recovery | VM Conversion | BYOS Object Storage |
|---|---|---|---|---|---|
| boot-volume-backups | manage | Yes | Yes | -- | -- |
| buckets | create | Yes | Yes | Yes | Yes |
| buckets | PAR_MANAGE (for Preauthenticated Requests) | -- | -- | Yes | Yes |
| buckets | inspect | Yes | Yes | -- | Yes |
| instance-images | manage | Yes | Yes | Yes | -- |
| instances | manage | Yes | Yes | Yes | -- |
| objects | manage | Yes | Yes | Yes | Yes |
| subnets | use | Yes | Yes | Yes | -- |
| vcns | inspect | Yes | Yes | Yes | -- |
| vnic-attachments | inspect | Yes | Yes | Yes | -- |
| vnics | use | Yes | Yes | Yes | -- |
| volume-attachments | manage | Yes | Yes | Yes | -- |
| volume-backups | manage | Yes | Yes | -- | -- |
| volumes | manage | Yes | Yes | Yes | -- |
At the access node compartment level:
| Resource | Level | Backup | Recovery | VM Conversion |
|---|---|---|---|---|
| instances | use | Yes | Yes | Yes |
| volume-attachments | manage | Yes | Yes | Yes |
| volumes | use | Yes | Yes | Yes |
Note
If the volume is encrypted with a customer-managed key, also add the following policy statement (replace [compartment_name] with the compartment that holds the key):

```text
Allow service blockstorage to use keys in compartment [compartment_name]
```
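The three tables above define the minimum grant set, but a tenant has to turn them into OCI policy statements and then keep the deployed policy from drifting above that floor. The following Python script is an added example, not Commvault's or Oracle's code: it transcribes the matrix, emits only the statements needed for the operations you actually run (backup, recovery, VM conversion, BYOS object storage) across the compartments you name, and audits a proposed policy for grants that exceed the floor (a higher verb on the same resource and scope, an unconditional grant where only a permission-scoped one is required, or a statement it cannot parse). The group and compartment names are constructed; rendering the non-verb levels `create` and `PAR_MANAGE` as `manage buckets ... where request.permission='BUCKET_CREATE'` / `'PAR_MANAGE'` is an assumption about how those rows map onto OCI policy syntax, so confirm it against Oracle's Object Storage policy reference before use.

```python
"""Build least-privilege OCI IAM policy statements from the permission
matrix above and audit a proposed policy against them.
Added example; not Commvault's or Oracle's code."""
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
ALL = {"backup", "recovery", "conversion"}

# Permission matrix transcribed from the three tables: (resource, level)
# mapped to the operations that need it. Levels that are not OCI verbs
# (create, PAR_MANAGE) are bucket permissions, handled in _render().
TENANT_LEVEL = {
    ("compartments", "inspect"): ALL,
    ("subnets", "use"): {"recovery"},
    ("tag-namespaces", "use"): {"backup", "recovery"},
    ("vcns", "inspect"): {"recovery"},
    ("vnics", "use"): {"recovery"},
}
COMPARTMENT_LEVEL = {
    ("boot-volume-backups", "manage"): {"backup", "recovery"},
    ("buckets", "create"): ALL | {"byos"},
    ("buckets", "PAR_MANAGE"): {"conversion", "byos"},
    ("buckets", "inspect"): {"backup", "recovery", "byos"},
    ("instance-images", "manage"): ALL,
    ("instances", "manage"): ALL,
    ("objects", "manage"): ALL | {"byos"},
    ("subnets", "use"): ALL,
    ("vcns", "inspect"): ALL,
    ("vnic-attachments", "inspect"): ALL,
    ("vnics", "use"): ALL,
    ("volume-attachments", "manage"): ALL,
    ("volume-backups", "manage"): {"backup", "recovery"},
    ("volumes", "manage"): ALL,
}
ACCESS_NODE_LEVEL = {
    ("instances", "use"): ALL,
    ("volume-attachments", "manage"): ALL,
    ("volumes", "use"): ALL,
}
# Assumed mapping of the non-verb levels onto OCI bucket permissions.
PERMISSION_LEVELS = {"create": "BUCKET_CREATE", "PAR_MANAGE": "PAR_MANAGE"}


def _render(group, resource, level, scope):
    """One OCI policy statement: Allow group <g> to <verb> <resource> in <scope>."""
    if level in PERMISSION_LEVELS:
        # Narrow 'manage' to a single permission with a where clause (assumed form).
        return (f"Allow group {group} to manage {resource} in {scope} "
                f"where request.permission='{PERMISSION_LEVELS[level]}'")
    return f"Allow group {group} to {level} {resource} in {scope}"


def policy_statements(group, operations, instance_compartments,
                      access_node_compartment, marketplace_images=False):
    """Statements needed for the given operations (subset of
    backup/recovery/conversion/byos) across the listed compartments."""
    ops = set(operations)
    out = []
    for (res, lvl), needs in TENANT_LEVEL.items():
        if needs & ops:
            out.append(_render(group, res, lvl, "tenancy"))
    if marketplace_images:  # extra grant from the Marketplace-image note
        out.append(f"Allow group {group} to read app-catalog-listing in tenancy")
    for comp in instance_compartments:
        for (res, lvl), needs in COMPARTMENT_LEVEL.items():
            if needs & ops:
                out.append(_render(group, res, lvl, f"compartment {comp}"))
    for (res, lvl), needs in ACCESS_NODE_LEVEL.items():
        if needs & ops:
            out.append(_render(group, res, lvl,
                               f"compartment {access_node_compartment}"))
    return out


STMT_RE = re.compile(r"^Allow group (\S+) to (inspect|read|use|manage) (\S+) "
                     r"in (tenancy|compartment \S+)(?: where (.+))?$")


def excess_grants(proposed, minimum):
    """Return statements in `proposed` that grant more than `minimum`."""
    floor = {}  # (group, resource, scope, condition) -> highest required verb
    for s in minimum:
        m = STMT_RE.match(s)
        if m:
            g, verb, res, scope, cond = m.groups()
            key = (g, res, scope, cond)
            floor[key] = max(floor.get(key, -1), VERB_RANK[verb])
    excess = []
    for s in proposed:
        m = STMT_RE.match(s)
        if not m:          # unparseable or non-group subject: needs manual review
            excess.append(s)
            continue
        g, verb, res, scope, cond = m.groups()
        if VERB_RANK[verb] > floor.get((g, res, scope, cond), -1):
            excess.append(s)
    return excess


if __name__ == "__main__":
    # Constructed names: group from the page, compartments are placeholders.
    minimum = policy_statements("MetallicGroup", {"backup", "recovery"},
                                ["Compartment1"], "AccessNodeComp")
    print("\n".join(minimum))
    proposed = minimum + ["Allow group MetallicGroup to manage all-resources in tenancy"]
    print("Excess grants:", excess_grants(proposed, minimum))
```

Running the script with backup and recovery selected for one instance compartment prints 21 statements (five at tenancy scope, thirteen for the instance compartment, three for the access node compartment) and flags the blanket `manage all-resources` grant as excess; selecting `conversion` or `byos` additionally emits the PAR_MANAGE-scoped bucket statement.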