Permissions for Deploying Applications

This topic describes the IAM permissions required to deploy Generative AI applications in OCI. It outlines the access needed for users to create and manage applications and deployments, and the permissions required for applications to retrieve Docker images from OCIR.

About Deployments

Applications provide a managed runtime for Generative AI workloads, including scaling, storage, environment variables, networking (egress and endpoints), and authentication through an identity domain.
Deployments within an application specify an OCIR Docker image (called an artifact) for deploying the application.
Before deployment, OCI Vulnerability Scanning service scans the Docker image. Deployment fails if the scan finds any critical vulnerabilities.
Typical deployment workflow
1. Create an application.
2. Add a deployment.
3. Deploy the Docker image.

Required Permissions

Set up before creating applications.

For OCI Vulnerability Scanning service

Grant the service permission to read the repositories that store the Docker images so it can scan them before deployment.

For applications

Create a dynamic group for applications created in a specified compartment or the tenancy.
Grant the dynamic group permission to read OCIR repositories in the specified compartment.
Grant the dynamic group permission to read vulnerability scan results so the application can verify that the image passes scanning before deployment.

For users

Access to application resources.
Access to deployment resources.
Access to artifact resources (Docker images).

For OCI Vulnerability Scanning Service

Grant the service permission to read the repositories that store the Docker images so it can scan them before deployment.

allow service vulnerability-scanning-service 
to read compartments in compartment <compartement-with-repos>

allow service vulnerability-scanning-service 
to read repos in compartment <compartement-with-repos>

For OCI Generative AI Applications

Create a dynamic group for applications and their deployments that are created in the tenancy or a specified compartment.
Grant the dynamic group permission to read OCIR repositories in the specified compartment.
Grant the dynamic group permission to read vulnerability scan results so the application can verify that the image passes scanning before deployment.

Create a dynamic group for applications and deployments in the tenancy with the following matching rule:
```
all {resource.type='generativeaihostedapplication',
resource.type='generativeaihosteddeployment'}
```

To restrict the applications and their deployments to a specific compartment, update the previous condition to:

all {resource.type='generativeaihostedapplication',
resource.type='generativeaihosteddeployment',
resource.compartment.id='<your-compartment-OCID>'}

Create a policy to grant the dynamic group permission to read OCIR repositories in a specified compartment.
```
Allow dynamic-group <dynamic-group-name> 
to read repos in compartment <your-compartment-name>'}
```
Add another policy to grant the dynamic group permission to read vulnerability scan results so the application can verify that the image passes scanning before deployment.
```
 Allow dynamic-group <dynamic-group-name> 
to read vss-family in compartment <your-compartment-name>
```
If an agent needs to access other OCI resources, add a policy to read the resources of that service. For examples,

Example for agent access to Object Storage

Grant the hosted deployment permission to read from Object Storage in your compartment.
```
 Allow dynamic-group <dynamic-group-name> 
to read object-family in compartment <your-compartment-name>
```
For more examples, see Common Policies.

QuickStart Permissions for Users

To View the Resources

Add the minimal IAM policy to view applications, deployments, and artifacts.

allow group <your-group-name> 
to use generative-ai-hosted-application in compartment <your-compartment-name>

allow group <your-group-name> 
to use generativeaihosteddeployment in compartment <your-compartment-name>

To Manage Resources

If you create and delete applications, deployments and artifacts, add the manage permission:

allow group <your-group-name> 
to manage generative-ai-hosted-application in compartment <your-compartment>

allow group <your-group-name> 
to manage generativeaihosteddeployment in compartment <your-compartment>

Tip

The generative-ai-hosted-application and generativeaihosteddeployment resource types are included in the the generative-ai-family resource type.

If you have permission to the family, for example:

allow group <your-group-name> to manage generative-ai-family 
in compartment <your-compartment-name>

then, you don't need to add the permissions in this section.

API-Level Permissions

See User Access to Individual Resources for fine-grained, API-level permissions for each resource type.