Task 1: Prerequisites for Oracle Database@AWS

This topic explains the prerequisites required to begin onboarding with Oracle Database@AWS.

Prerequisites List

1: Permissions for Onboarding and Provisioning

Many of the tasks you perform during Oracle Database@AWS onboarding require permissions in either AWS or the OCI cloud. See Permissions by User Persona for Oracle Database@AWS in this section for a table that details the permissions you need for each task of the onboarding process, and for provisioning operations after you onboard. Before you begin onboarding, identify the individuals in your organization who have the permissions described in the following section, and ensure they're available to complete the corresponding steps in the Permissions by User Persona for Oracle Database@AWS table in this topic.

Granting OCI IAM Permissions for Oracle Database@AWS

For the OCI tenancy, users who are tenancy administrators don't need extra permissions for the tasks listed in the table in this topic. Users who aren't tenancy administrators need to be part of a group that's assigned the policy statements in the table. To grant users the required permissions:

  1. Create a new group in the default domain, or use an existing group. See Creating a Group for more information.
  2. Create a policy in the root compartment with the required policy statements, specifying the group created in the previous step in the policy statements. See Creating a Policy for more information.
  3. Add users to the group. See Adding Users to a Group for more information.

AWS IAM Permissions

For AWS account permissions, if the user is an AWS account administrator, then no extra permissions are required for the steps outlined in the table in this topic. If the user isn't an AWS account administrator, then the user must have extra permissions. The policies described in the following table are examples that contain the AWS IAM actions required to perform the steps. See the following topics in the AWS documentation for instructions on creating policies using the JSON editor and assigning policies to a user:

Important

AWS service control policies (SCPs) and AWS permissions boundaries set at the organizational level can both override permissions granted to users as described in this topic. When this happens, onboarding and provisioning operations can fail for users, even though they otherwise have the required permissions for Oracle Database@AWS. To resolve such a provisioning failure, work with your organization-level AWS administrators to change the SCPs or permissions boundaries to allow the user to perform the required actions.

See the following topics in the AWS documentation for more information:

Creating a JSON Policy for Oracle Database@AWS Onboarding Permissions

For users who aren't administrators, create a policy to assign permissions required for onboarding with Oracle Database@AWS. A JSON policy for assigning permissions is structured as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<policy_name>",
            "Effect": "Allow",
            "Action": [
                "<action_1>",
                "<action_2>"
            ],
            "Resource": "*"
        }
    ]
}

Example permission for Task 3: Purchase Offer

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AcceptOffer",
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:ViewSubscriptions",
                "aws-marketplace:Subscribe",
                "aws-marketplace:ListPrivateListings",
                "aws-marketplace:ListAgreementCharges",
                "aws-marketplace:AcceptAgreementRequest",
                "odb:AcceptMarketplaceRegistration",
                "odb:GetOciOnboardingStatus"
            ],
            "Resource": "*"
        }
    ]
}
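
The interaction described in the Important note above, as an added example (not Oracle's or AWS's code): a simplified evaluator that checks each action in this page's Task 3 policy against a service control policy and a permissions boundary, and reports which layer blocks it. The SCP and boundary documents are constructed for illustration, and the model matches only Effect and Action, ignoring Resource, Condition and NotAction.

```python
import json
from fnmatch import fnmatchcase

# Identity policy: the "AcceptOffer" example from this page.
IDENTITY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "AcceptOffer",
  "Effect": "Allow", "Resource": "*", "Action": [
    "aws-marketplace:ViewSubscriptions", "aws-marketplace:Subscribe",
    "aws-marketplace:ListPrivateListings", "aws-marketplace:ListAgreementCharges",
    "aws-marketplace:AcceptAgreementRequest", "odb:AcceptMarketplaceRegistration",
    "odb:GetOciOnboardingStatus"]}]}""")
# Constructed SCP: allows everything, then explicitly denies Marketplace subscriptions.
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "aws-marketplace:Subscribe", "Resource": "*"}]}
# Constructed permissions boundary: it never mentions the odb service.
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["aws-marketplace:*", "iam:Get*"],
                           "Resource": "*"}]}

def _matches(stmt, action):
    """True if any Action pattern in the statement matches (case-insensitive, * and ?)."""
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return any(fnmatchcase(action.lower(), pat.lower()) for pat in actions)

def verdict(policy, action):
    """Return 'deny', 'allow' or 'implicit-deny' for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action)}
    return "deny" if "Deny" in effects else "allow" if "Allow" in effects else "implicit-deny"

def blocked_actions(identity, scp=None, boundary=None):
    """Map each action the identity policy allows to the layers that block it."""
    layers = {"scp": scp, "boundary": boundary}
    wanted = [a for s in identity["Statement"] if s["Effect"] == "Allow"
              for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])]
    report = {}
    for action in wanted:
        # An action succeeds only if every layer that is present allows it.
        hits = [f"{name}:{verdict(p, action)}" for name, p in layers.items()
                if p is not None and verdict(p, action) != "allow"]
        if verdict(identity, action) == "deny":
            hits.insert(0, "identity:deny")
        if hits:
            report[action] = hits
    return report

if __name__ == "__main__":
    for action, why in blocked_actions(IDENTITY, SCP, BOUNDARY).items():
        print(f"{action}: blocked by {', '.join(why)}")
```
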
Permissions by User Persona for Oracle Database@AWS

Task 2: Request Private Offer
Cloud: AWS
Personas: AWS administrator
Permissions: No permissions required for this task

Task 3: Purchase Offer - private offer
Cloud: AWS
Personas: AWS administrator

AWS IAM: If the user isn't an administrator, assign the permissions shown in Example permission for Task 3: Purchase Offer.

AWS Permissions:

  • aws-marketplace:ViewSubscriptions
  • aws-marketplace:Subscribe
  • aws-marketplace:ListPrivateMarketplaceRequests
  • aws-marketplace:DescribePrivateMarketplaceRequests
  • aws-marketplace:ListPrivateListings
  • odb:GetOciOnboardingStatus

Task 4: Link an OCI Account
Cloud: OCI
Personas: OCI Administrator

OCI IAM: If the user isn't an OCI tenancy administrator, the user needs to be in a group with the following policy statements:

Allow group <group_name> to manage all-resources in tenancy

If you create a new tenancy during onboarding, the user performing the onboarding will become the OCI tenancy administrator.

Task 5: Verify the Subscription, Limits, and Compartments in OCI
Cloud: OCI
Personas: OCI Administrator

OCI IAM: If the user isn't an OCI tenancy administrator, the user needs to be part of a group that has been granted the following policy statements:

  • Allow group <group_name> to read subscription in tenancy
  • Allow group <group_name> to read compartments in tenancy
  • Allow group <group_name> to read limits in tenancy
  • Allow group <group_name> to read quotas in tenancy

Task 6: Register with My Oracle Cloud Support
Cloud: OCI
Personas: OCI Administrator, OCI Support Owner

Tip

If you're provisioning Exadata Services, see Task 1: Prerequisites for AWS in the Exadata Services for AWS section of this documentation for information on permissions needed for Exadata provisioning.

2: AWS Account

When accepting a private offer, ensure that you choose the AWS account where you plan to provision database resources. The AWS account you select for onboarding with Oracle Database@AWS becomes the billing account for the Oracle Database@AWS subscription.

The AWS account must be subscribed to the AWS region where Oracle Database@AWS resources will be provisioned. See Regional Availability for Oracle Database@AWS for supported regions. Similarly, the OCI tenancy must be subscribed to the OCI region paired with the AWS region.

Note

To receive a private offer for Oracle Database@AWS, Oracle requires your AWS account ID. Provide the ID of the specific AWS account where you plan to provision database resources.

3: An Oracle Cloud Infrastructure (OCI) Account

For private offer purchases, if you have an existing Oracle Cloud Infrastructure (OCI) account, you can connect it to Oracle Database@AWS during the onboarding process. Otherwise, you can create a new OCI account to link later in the process. The OCI tenancy must be subscribed to the OCI region that is paired with the AWS region where resources will be provisioned.

For example, if you're provisioning Oracle Database@AWS resources in the AWS region US East (N. Virginia), your OCI tenancy must be subscribed to OCI's US East (Ashburn) region, which is paired with US East (N. Virginia).

See Regional Availability for Oracle Database@AWS for supported regions.