
Identity and Access Management Service

Advanced Module, June 2018


v1

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.


Objectives

After completing this lesson, you should be able to:


• Create Instance Principals
• Write advanced Policies
• Federate OCI with Oracle Identity Cloud Service (IDCS)
• Design reference IAM Model for an Enterprise



Instance Principals



Instance Principals
Instance Principals let instances (and the applications running on them) make API calls against other OCI
services, removing the need to configure user credentials or a configuration file on the instance.

• Current problem
  • Storing API credentials on each instance
  • Credential rotation
  • Audits at instance level are impossible, since the credentials are the same across hosts
• How do Instance Principals solve the problem?
  • Instance Principals give instances their own identity; instances become a new type of Principal (in
    addition to OCI IAM users/groups)
  • Dynamic groups allow policy to be defined on instances
  • In the Audit log, you will see the instance ID making the API call



Instance Principals
• Authentication is at instance level
• Customers don't do any credential management
• Authorization is done via Dynamic Groups
  • Dynamic groups allow you to group OCI instances as principal actors, similar to user groups. Policy is set
    at the Dynamic Group level.
  • Membership in the group is determined by a set of criteria called matching rules. Resources that match
    the rule criteria are members of the dynamic group.
• Services that support Instance Principals: Compute, Block Volume, Networking, Load
  Balancing, Object Storage



Step 1: create a Dynamic Group that matches a set of instances

It is possible to exclude specific instances from a Dynamic Group:

All {instance.compartment.id = '<compartment_ocid>', instance.id != '<instance1_to_exclude_ocid>', instance.id != '<instance2_to_exclude_ocid>'}



Step 2: create a Policy dictating what permissions those instances should receive



Step 3: customer deploys code to an instance
The OCI SDK/CLI is able to make calls to OCI APIs without customer-configured credentials:

[opc@webserver1 .oci]$ cat config
[DEFAULT]
user=ocid1.user.oc1..aaaaaaaag3635pdkcopjvcvljf7kmo7besxqzeqiry2wzawa4zqk2xkx4z7q
fingerprint=93:4f:c0:c3:26:3b:06:9f:c8:17:60:78:23:e1:1c:90
# key_file=/home/opc/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.oc1..aaaaaaaaxy6bh46cdnlfpaibasc6dotowv32hc2sbj4ph3ocxtfxhhva2hna
region=us-ashburn-1

[opc@webserver1 .oci]$ oci os ns get
ERROR: The config file at ~/.oci/config is invalid:

+Config Errors-------+--------------------------------------------------------+
| Key | Error | Hint |
+----------+---------+--------------------------------------------------------+
| key_file | missing | the full path and filename of the private PEM key file |
+----------+---------+--------------------------------------------------------+
[opc@webserver1 .oci]$

[opc@webserver1 .oci]$ oci os ns get --auth instance_principal
{
  "data": "intoraclerohit"
}

The Java and Python SDKs and Terraform also support Instance Principal authorization
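The fallback the CLI performs above (use ~/.oci/config when it is complete, otherwise authenticate as the instance principal), as an added Python example that is not part of the original slides. The config text is a constructed copy of the slide's config; REQUIRED_KEYS, config_errors and choose_auth are this example's own names, and object_storage_client uses the real OCI Python SDK (oci.config.from_file, oci.auth.signers.InstancePrincipalsSecurityTokenSigner), imported lazily so the validation part runs without it.

```python
"""Validate an OCI CLI/SDK config profile and fall back to the instance principal."""
import configparser
import os
import re

# Keys a complete API-key profile needs; the slide's config lacks key_file.
REQUIRED_KEYS = ("user", "fingerprint", "key_file", "tenancy", "region")
# Fingerprint is 16 colon-separated hex byte pairs, as on the slide.
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")

# Constructed copy of the slide's ~/.oci/config (key_file commented out).
SAMPLE_CONFIG = """\
[DEFAULT]
user=ocid1.user.oc1..aaaaaaaag3635pdkcopjvcvljf7kmo7besxqzeqiry2wzawa4zqk2xkx4z7q
fingerprint=93:4f:c0:c3:26:3b:06:9f:c8:17:60:78:23:e1:1c:90
# key_file=/home/opc/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.oc1..aaaaaaaaxy6bh46cdnlfpaibasc6dotowv32hc2sbj4ph3ocxtfxhhva2hna
region=us-ashburn-1
"""


def config_errors(config_text, profile="DEFAULT"):
    """Return (key, error) pairs, like the CLI's Config Errors table; empty when usable."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    section = parser[profile] if profile in parser else {}
    errors = [(key, "missing") for key in REQUIRED_KEYS if not section.get(key)]
    fingerprint = section.get("fingerprint")
    if fingerprint and not FINGERPRINT_RE.match(fingerprint):
        errors.append(("fingerprint", "malformed"))
    return errors


def choose_auth(config_text):
    """'config_file' when the profile validates, otherwise 'instance_principal'."""
    return "config_file" if not config_errors(config_text) else "instance_principal"


def object_storage_client(config_path="~/.oci/config"):
    """Build an Object Storage client the way `oci os ns get` does with --auth instance_principal.
    The real SDK is imported lazily (assumption: `pip install oci` on the instance)."""
    import oci

    path = os.path.expanduser(config_path)
    text = open(path).read() if os.path.exists(path) else ""
    if choose_auth(text) == "config_file":
        return oci.object_storage.ObjectStorageClient(oci.config.from_file(path))
    # No usable credentials on disk: the signer fetches the instance's X.509 certificate
    # from the metadata service and exchanges it for a token, exactly as the CLI did above.
    signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
    return oci.object_storage.ObjectStorageClient(config={}, signer=signer)


if __name__ == "__main__":
    print(config_errors(SAMPLE_CONFIG), choose_auth(SAMPLE_CONFIG))
    print(object_storage_client().get_namespace().data)  # the tenancy's namespace, e.g. "intoraclerohit"
```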



How it works
• The internal PKI Service issues X.509 certificates for every compute instance
• These compute instance certificates are signed by our internal CA and contain information about the
  instance (instance ID, compartment ID, etc.)
• If the OCI SDK/CLI cannot find locally configured credentials, it calls the Instance Metadata service
  and uses the provided X.509 certificate to call the Identity Auth Service, getting back a token to use when
  calling OCI APIs
• The Auth Service verifies that the certificate was issued by us and issues a token with the key information
  from the certificate
• Calls made using that token are authorized against any matching policy (using the new "instances"
  subject)
• The PKI Agent, running on the SmartNIC, refreshes the certificate periodically and the SDK, running on
  the instance, gets a new token from the Auth Service as necessary



How it works
• The certificate is rotated multiple times a day and customers cannot change the frequency
• You can use this curl command to query the instance's X.509 certificate:
  curl http://169.254.169.254/opc/v1/identity/cert.pem

[opc@webserver1 .oci]$ curl http://169.254.169.254/opc/v1/identity/cert.pem
-----BEGIN CERTIFICATE----- (PEM body omitted)


Competitive analysis

| Provider | Feature             | Credential distribution | Auto rotation | Per instance creds | Default identity | Identity/instance | Instance groups |
| Oracle   | Instance Principals | Yes                     | Yes           | Yes                | Yes              | 1                 | Yes             |
| AWS      | IAM roles for EC2   | Yes                     | Yes           | Yes                | No               | 1                 | No              |
| Azure    | Service Principals  | No                      | No            | No                 | No               | n/a               | No              |

• Credential Distribution: are credentials distributed to customer instances automatically by the service provider?
• Auto Rotation: are credentials automatically rotated by the service provider?
• Per Instance Creds: are credentials scoped to a single instance?
• Default Identity: does every instance receive credentials by default?
• Identity/Instance: how many identities can be provisioned per instance?
• Instance Groups: can identities be provisioned to entire sets of instances, or must it be done instance-by-instance?



Advanced Policies



Policy Syntax
Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Subject syntax: group <group_name> | group id <group_ocid> | any-user

• Specify a single group by name
  • Allow group A-Admins to manage all-resources in compartment Project-A
• Specify multiple groups
  • Allow group A-Admins, B-Admins to manage all-resources in compartment Projects-A-and-B
• Specify a group id
  • Allow group id ocid1.group.oc1.. to manage all-resources in compartment Project-A
• Specify any user in the tenancy
  • Allow any-user to inspect users in tenancy



Policy Syntax
Allow <subject> to <verb> <resource-type> in <location> where <conditions>

| Verb    | Type of access                                                                               |
| inspect | Ability to list resources                                                                    |
| read    | Includes inspect + ability to get user-specified metadata/actual resource                    |
| use     | Includes read + ability to work with existing resources (the actions vary by resource type)* |
| manage  | Includes all permissions for the resource                                                    |

* In general, this verb does not include the ability to create or delete that type of resource

| Aggregate resource-type | Individual resource types                                                                 |
| all-resources           | every resource type                                                                       |
| database-family         | db-systems, db-nodes, db-homes, databases                                                 |
| instance-family         | instances, instance-images, volume-attachments, console-histories                         |
| object-family           | buckets, objects                                                                          |
| virtual-network-family  | vcn, subnet, route-tables, security-lists, dhcp-options, and many more resources (link)   |
| volume-family           | volumes, volume-attachments, volume-backups                                               |

The IAM Service has no family resource-type, only individual ones; Audit and Load Balancer have individual
resources (load-balancer, audit-events)



Policy Syntax
Allow <subject> to <verb> <resource-type> in <location> where <conditions>
Location syntax: [ tenancy | compartment <compartment_name> | compartment id <compartment_ocid> ]

Conditions:
Syntax for a single condition: variable =|!= value

• Two variable types: request (relevant to the request itself) and target (relevant to the resource(s) being acted upon in
  the request)
• E.g. the variable request.operation represents the API operation being requested (e.g. ListUsers); target.group.name
  represents the name of the group
• A variable name is prefixed accordingly with either request or target, followed by a period. Examples:

| Variable              | Meaning                                            |
| request.operation     | The API operation name being requested             |
| request.permission    | The underlying permission(s) requested             |
| request.region        | The key of the region the request is made in       |
| request.user.id       | OCID of the requesting user                        |
| request.groups.id     | The OCIDs of the groups the requesting user is in  |
| target.compartment.id | The OCID of the compartment                        |



Policy Syntax
Allow <subject> to <verb> <resource-type> in <location> where <conditions>
Conditions:
Syntax for a single condition: variable =|!= value

| Type    | Types of value                                          |
| String  | single quotation marks are required around the value    |
| Pattern | /HR*/ (matches strings that start with "HR")            |
|         | /*HR/ (matches strings that end with "HR")              |
|         | /*HR*/ (matches strings that contain "HR")              |

Syntax for multiple conditions: any|all {<condition>,<condition>,...}



Advanced Policy
• Policy for the GroupAdmins group to manage any groups with names that start with "A-Users-":
  • Allow group GroupAdmins to manage groups in tenancy where target.group.name = /A-Users-*/

• Policy for the GroupAdmins group to manage the membership of any group besides the Administrators
  group:
  • Allow group GroupAdmins to use users in tenancy where target.group.name != 'Administrators'

• Policy that lets A-Admins create, update, or delete any groups whose names start with "A-", except for the
  A-Admins group itself:
  • Allow group GroupAdmins to manage groups in tenancy where all {target.group.name=/A-*/,target.group.name!='A-Admins'}
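The condition syntax of these slides (variable =|!= value with quoted strings or /patterns/, combined with any|all {...}) evaluated in Python, as an added example that is not part of the original slides and is not Oracle's policy engine. It serves both the policy where-clauses above and the Step 1 dynamic-group matching rule, which uses the same any/all form; the OCIDs in DG_RULE are constructed placeholders, and treating an unset variable as the empty string is this example's own assumption.

```python
"""Evaluate OCI-style policy conditions and dynamic-group matching rules."""
import re

# One condition: variable, = or !=, then a 'quoted string' or a /pattern/.
COND_RE = re.compile(r"(?P<var>[\w.]+)\s*(?P<op>!=|=)\s*(?P<val>'[^']*'|/[^/]*/)")
# any|all { cond, cond, ... }; a bare condition (no braces) is treated as all {cond}.
GROUP_RE = re.compile(r"^\s*(?P<mode>any|all)\s*\{(?P<body>.*)\}\s*$", re.IGNORECASE | re.DOTALL)


def parse_conditions(text):
    """Return (mode, [(variable, operator, literal), ...])."""
    m = GROUP_RE.match(text)
    mode, body = (m["mode"].lower(), m["body"]) if m else ("all", text)
    conds = [(c["var"], c["op"], c["val"]) for c in COND_RE.finditer(body)]
    if not conds:
        raise ValueError("no condition found in: " + text)
    return mode, conds


def value_matches(actual, literal):
    """'HR' matches exactly; /HR*/, /*HR/ and /*HR*/ are prefix, suffix and substring patterns."""
    if literal.startswith("'"):
        return actual == literal[1:-1]
    # Pattern: every '*' becomes '.*', everything else is literal, anchored at both ends.
    regex = ".*".join(re.escape(part) for part in literal[1:-1].split("*"))
    return re.fullmatch(regex, actual) is not None


def evaluate(text, variables):
    """True when the conditions hold for the given request/target (or instance.*) variables.
    Assumption of this example: a variable absent from `variables` counts as ''."""
    mode, conds = parse_conditions(text)
    results = []
    for var, op, literal in conds:
        hit = value_matches(str(variables.get(var, "")), literal)
        results.append(hit if op == "=" else not hit)
    return all(results) if mode == "all" else any(results)


# The three where-clauses from the Advanced Policy slide.
POLICY_A_USERS = "target.group.name = /A-Users-*/"
POLICY_NOT_ADMINS = "target.group.name != 'Administrators'"
POLICY_A_PREFIX = "all {target.group.name=/A-*/,target.group.name!='A-Admins'}"
# The Step 1 dynamic-group rule with constructed placeholder OCIDs.
DG_RULE = ("All {instance.compartment.id = 'ocid1.compartment.oc1..placeholder', "
           "instance.id != 'ocid1.instance.oc1..excluded1', "
           "instance.id != 'ocid1.instance.oc1..excluded2'}")

if __name__ == "__main__":
    for name in ("A-Users-Finance", "A-Admins", "Administrators"):
        print(name, evaluate(POLICY_A_USERS, {"target.group.name": name}),
              evaluate(POLICY_NOT_ADMINS, {"target.group.name": name}),
              evaluate(POLICY_A_PREFIX, {"target.group.name": name}))
```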



Federation



Best Practices for securing IAM – IAM Federation
• Oracle recommends that you use federation to manage logins into the Console
• The enterprise administrator needs to set up a federation trust between the on-premises identity
  provider (IdP) and IAM, in addition to creating a mapping between on-premises groups and IAM
  groups
• Federation is especially important for enterprises using custom policies for user authentication
  (for example, multifactor authentication)
• When using federation, Oracle recommends that you create a federation administrators group
  that maps to the federated IdP administrator group
• The federation administrators group will have administrative privileges to manage the customer
  tenancy, while being governed by the same security policies as the federated IdP
  administrator group
• In this scenario, it is a good idea to keep access to the local tenancy administrator user (that
  is, a member of the default tenancy administrator IAM group) to handle any break-glass type
  scenarios (for example, inability to access resources through federation)



Best Practices for securing IAM – IAM Federation
• Oracle recommends the following approach to securely managing the tenancy administrator
  user:
  a. Create a local user belonging to the default tenancy administrator group
  b. Create a highly complex Console password or passphrase (18 characters or more, with at least one
     lowercase letter, one uppercase letter, one number, and one special character) for the local tenancy
     administrator user
  c. Securely escrow the local tenancy administrator user password in an on-premises location (for
     example, place the password in a sealed envelope in an on-premises physical safe)
  d. Create security policies for accessing the escrowed password only under specific "break-glass"
     scenarios
  e. Have an IAM security policy that prevents the federated administrators IAM group from adding or
     modifying membership of the default tenancy administrator group, to prevent security bypasses
  f. Monitor audit logs for accesses by the default tenancy administrator and changes to the administrator
     group, to alert on any unauthorized actions
  g. For additional security, the local tenancy administrator user password can be rotated after every
     login, or periodically, based on a password policy



Federation Demo



Reference IAM model for Enterprises



Reference IAM Model for an Enterprise

• Authentication and user management
• Authorization and resource management
  • Compartments
  • Federated Roles



Reference IAM Model: Authentication and user management
All access by humans goes through federation with the customer's corporate identity provider (IdP) to leverage
its proven authentication mechanisms (MFA) and management capabilities (password complexity/rotation)

| Use case                                        | Feature                                                                  |
| Human using the Console                         | Use SAML 2.0 federation between corporate IdP and OCI IAM                |
| Human using the CLI/SDK                         | Create an OCI IAM user with an API signing key                           |
| Human using a PaaS/SaaS app                     | Use SAML 2.0 federation between corporate IdP and OCI IAM                |
| Code running in OCI that calls OCI native APIs  | Use Instance Principals                                                  |
| Code running outside OCI that calls OCI APIs    | Create an OCI IAM "user" with an API signing key. The "user" in this case represents a software agent, not a human |

"Break-glass" access by a human when federation fails:
• Create an OCI IAM user in the default Admins group
• Set a random Console password of sufficient length/complexity
• Store this password in a software password manager or physical safe
• The password is for infrequent use and should not be human-memorizable
• Use once: rotate the password after every use
• Monitor via CASB or the Audit Service directly
• Alarm on any use or attempted use of the "break-glass" user
• Outside the "break-glass" scenario, there is no reason to have an OCI IAM user with a Console password
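The alarming the break-glass row and step f above call for (any use or attempted use of the break-glass user, and membership changes to the default administrator group), run over constructed Audit-style events in Python. Added example, not Oracle's or any CASB's code; the break-glass user name and the events are constructed, and the field names data.eventName, data.identity.principalName, data.resourceName and data.response.status are assumptions modelled on the OCI Audit event layout.

```python
"""Alert on break-glass user activity and Administrators-group membership changes."""
import json

BREAK_GLASS_USER = "breakglass.admin"       # constructed local IAM user name
ADMIN_GROUP = "Administrators"              # default tenancy administrator group
MEMBERSHIP_EVENTS = {"AddUserToGroup", "RemoveUserFromGroup", "UpdateGroup"}  # assumed event names

# Constructed sample events; field names are assumptions, not a captured Audit feed.
SAMPLE_EVENTS = [
    {"data": {"eventName": "ListUsers", "identity": {"principalName": "alice@corp.example"},
              "response": {"status": "200"}}},
    {"data": {"eventName": "ListCompartments", "identity": {"principalName": BREAK_GLASS_USER},
              "response": {"status": "200"}}},
    {"data": {"eventName": "AddUserToGroup", "identity": {"principalName": "fedadmin@corp.example"},
              "resourceName": ADMIN_GROUP, "response": {"status": "200"}}},
    {"data": {"eventName": "AddUserToGroup", "identity": {"principalName": "iamadmin@corp.example"},
              "resourceName": "ProjectXYZOperators", "response": {"status": "200"}}},
    {"data": {"eventName": "GetUser", "identity": {"principalName": BREAK_GLASS_USER},
              "response": {"status": "401"}}},
]
# Newline-delimited JSON, the shape a log pipeline would hand to the scanner.
SAMPLE_NDJSON = "\n".join(json.dumps(event) for event in SAMPLE_EVENTS)


def classify(event):
    """Return the alert reasons for one audit event (empty when there is nothing to report)."""
    data = event.get("data", {})
    who = data.get("identity", {}).get("principalName", "")
    status = str(data.get("response", {}).get("status", ""))
    reasons = []
    # Any use or attempted use of the break-glass user, successful or not (a failed
    # attempt is as interesting as a successful one, so the status is reported, not filtered).
    if who == BREAK_GLASS_USER:
        reasons.append("break-glass user activity (status %s)" % status)
    # Membership changes to the default tenancy administrator group (step e/f above).
    if data.get("eventName") in MEMBERSHIP_EVENTS and data.get("resourceName") == ADMIN_GROUP:
        reasons.append("membership change on %s by %s" % (ADMIN_GROUP, who or "<unknown>"))
    return reasons


def scan(ndjson_text):
    """Return [(principalName, reasons)] for every event in the feed that trips a rule."""
    alerts = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append((event.get("data", {}).get("identity", {}).get("principalName", ""), reasons))
    return alerts


if __name__ == "__main__":
    for who, reasons in scan(SAMPLE_NDJSON):
        print(who, "->", "; ".join(reasons))
```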



Reference IAM Model: Compartments

• Compartments are the most effective mechanism for grouping resources when different
permissions should be applied to them
• Keep the following in mind when you create a compartment and assign resources:
• Every resource should belong to a compartment but resources can be
connected/shared across compartments
• A resource can't be reassigned to a different compartment after creation
• A compartment can't be deleted after creation
• We recommend using a separate compartment for network resources of differing
security levels and for each team/project



Reference IAM Model: Compartments

• Compartment: NetworkInfra
• Critical network infrastructure that should be centrally
managed by network admins
• Resources: Security Lists, Internet Gateways, DRGs, the top-
level VCN(s), etc.
• Compartment: ProdNetwork
• Production environment that may or may not be centrally
managed but is typically under change management
• Modeled as a separate compartment to easily write policy
about who can use (i.e. attach resources to) the network
• Optionally Databases and Storage may be included here
depending on whether they are shared resources or not
• Resources: Subnets, (Databases), (File Storage)



Reference IAM Model: Compartments

• Compartment: TestNetwork
• Integration test environment that may or may not be centrally
managed and may or may not be under change management
• Modeled as a separate compartment to easily write policy
about who can use (i.e. attach resources to) the network
• Optionally Databases and Storage may be included here
depending on whether they are shared resources or not
• Resources: Subnets, (Databases), (File Storage)
• Compartment: DevNetwork
• Development environment that is typically managed in a
distributed fashion to allow for agile development &
deployment
• Modeled as a separate compartment to easily write policy
about who can use (i.e. attach resources to) the network
• Resources: Subnets



Reference IAM Model: Compartments

• Compartment: ProjectXYZ
  • The resources used by a particular team or project; separated
    for the purposes of distributed management
  • Resources: Compute Instances, Databases, Object Storage
    Buckets, Block Volumes, etc.
  • There will be multiple of these, one per team that needs its
    own DevOps environment



Reference IAM Model: Compartments
Tenancy
Groups: NetworkAdmins (John), A-Admins (Tom)

Compartment NetworkInfra
• Allow group NetworkAdmins to MANAGE virtual-network-family in compartment NetworkInfra
• Allow group NetworkAdmins to manage instance-family in compartment NetworkInfra
• John creates a Network in the NetworkInfra compartment
• John can't terminate, reboot or launch new instances into the ProjectA compartment

Compartment ProjectA
• Allow group A-Admins to USE virtual-network-family in compartment NetworkInfra
• Allow group A-Admins to manage all-resources in compartment ProjectA
• Tom launches instances in ProjectA using the VCN in the NetworkInfra compartment
• Tom cannot launch an instance inside the NetworkInfra compartment

The instances Tom launched reside in the VCN from a network topology standpoint, but from an access standpoint
they're in the ProjectA compartment, not the NetworkInfra compartment where the VCN is



Reference IAM Model: Federated Roles

• Federated Roles are a set of OCI IAM groups that reflect roles within the organization
• Federated Roles should be mapped to federated groups in the customer's corporate
  directory. Group names do not have to match between OCI IAM and the corporate directory,
  but it's easier if they do

• Group: GlobalAdmins
• Group: IAMAdmins
• Group: NetworkAdmins
• Group: StorageAdmins
• Group: DBAdmins
• Group: ComputeAdmins
• Group: ProjectXYZOperators



Reference IAM Model: Federated Roles
• Group: GlobalAdmins
  • Tenancy-level policy:
    allow group GlobalAdmins to manage all-resources in tenancy
  • Only for enterprises with a notion of root or global admins already; otherwise omit in favor of the more
    specialized admin groups below

• Group: IAMAdmins
  • Tenancy-level policy (note that there is no "family" resource type for IAM, hence the very explicit policy):
    allow group IdentityAdmins to manage compartments in tenancy
    allow group IdentityAdmins to manage users in tenancy
    allow group IdentityAdmins to manage groups in tenancy
    allow group IdentityAdmins to manage dynamic-groups in tenancy
    allow group IdentityAdmins to manage policies in tenancy
    allow group IdentityAdmins to manage identity-providers in tenancy
    allow group IdentityAdmins to manage tenancy in tenancy
    allow group IdentityAdmins to manage tag-namespaces in tenancy
    allow group IdentityAdmins to manage tag-definitions in tenancy



Reference IAM Model: Federated Roles
• Group: NetworkAdmins
• Tenancy-level policy:
allow group NetworkAdmins to manage virtual-network-family in tenancy
allow group NetworkAdmins to manage load-balancers in tenancy
allow group NetworkAdmins to manage dns in tenancy

• Group: StorageAdmins
• Tenancy-level policy:
allow group StorageAdmins to manage object-family in tenancy
allow group StorageAdmins to manage volume-family in tenancy
allow group StorageAdmins to manage file-systems in tenancy
allow group StorageAdmins to manage mount-targets in tenancy
allow group StorageAdmins to manage export-sets in tenancy

• Group: DBAdmins
• Tenancy-level policy:
allow group DBAdmins to manage database-family in tenancy



Reference IAM Model: Federated Roles
• Group: ComputeAdmins
• Tenancy-level policy:
allow group ComputeAdmins to manage instance-family in tenancy

• Group: ProjectXYZOperators
  • Project-level policy:
    allow group ProjectXYZOperators to manage instance-family in compartment ProjectXYZ
    allow group ProjectXYZOperators to manage volume-family in compartment ProjectXYZ
    allow group ProjectXYZOperators to manage database-family in compartment ProjectXYZ
  • Network-level policy:
    allow group ProjectXYZOperators to use virtual-network-family in compartment DevNetwork



Summary
You should now be familiar with the following:
• Using Instance Principals for your applications
• Advanced Policy Syntax
• Federating OCI with Oracle Identity Cloud Service (IDCS)
• Reference IAM model

