Resource Principal Policies
If you use a resource principal, for example with Spark Streaming, Data Flow needs specific IAM policies.
You can add these policies for the resource principal in three ways:
Use Policy Builder Data Flow Resource Principal Templates
Use the Data Flow templates in the policy builder to set your policies for resource principals.
- Let Data Flow resource use Object Storage: allow a dynamic group to create and use objects in a specified Object Storage location. Create the policy in the tenancy.
- Let Data Flow resource consume from Oracle Streaming: allow a dynamic group to consume from Oracle Streaming. Create the policy in the tenancy.
- Let Data Flow resource write to Oracle Streaming: allow a dynamic group to produce to Oracle Streaming. Create the policy in the tenancy.
Use a Dynamic Group
Dynamic groups allow you to write more concise policies and reuse the same group. You can also refer to tags and limit a group to a particular Data Flow application.
- Specify the compartment to allow all Data Flow runs from:
ALL {resource.type='dataflowrun', resource.compartment.id='<compartment_id>'}
- (Optional) You can limit the group to a specific Data Flow application within the compartment:
ALL {resource.type='dataflowrun', resource.compartment.id='<compartment_id>', tag.oci-dataflow.application-id.value='<application_id>'}
- Allow the Data Flow resource principal to consume from a Streaming stream pool and an Object Storage bucket:
ALLOW DYNAMIC-GROUP DF-IN-ROOT TO {STREAM_INSPECT, STREAM_READ, STREAM_CONSUME} IN TENANCY WHERE ANY {target.streampool.id = '<streampool_id>'}
ALLOW DYNAMIC-GROUP DF-IN-ROOT TO MANAGE OBJECTS IN TENANCY WHERE ANY {target.bucket.name = '<bucket_name>'}
Use All-in-one Policy
This single policy lets all Data Flow runs from a specific compartment consume from a specific stream pool and manage objects in a specific Object Storage bucket, without a dynamic group; the WHERE ALL conditions pin the ANY-USER grant to Data Flow run principals in that compartment.
ALLOW ANY-USER TO {STREAM_INSPECT, STREAM_READ, STREAM_CONSUME} IN TENANCY WHERE ALL {request.principal.type='dataflowrun', request.resource.compartment.id = '<compartment_id>', target.streampool.id = '<streampool_id>'}
ALLOW ANY-USER TO MANAGE OBJECTS IN TENANCY WHERE ALL {request.principal.type='dataflowrun', request.resource.compartment.id = '<compartment_id>', target.bucket.name = '<bucket_name>'}
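The following Python is an added example, not Oracle's code or part of this documentation: it renders the dynamic-group matching rule, the dynamic-group policy statements and the all-in-one statements shown above from a few parameters, and then runs a small least-privilege check over each statement. The check flags a statement that has no WHERE clause (which would apply to the whole tenancy), a statement in which a <placeholder> was never replaced, and an ANY-USER statement that is not pinned to request.principal.type='dataflowrun' and a compartment with WHERE ALL. The OCIDs and bucket name in the sample scope are constructed values; the group name DF-IN-ROOT is taken from the page.

```python
"""Render and sanity-check OCI IAM policy statements for a Data Flow
resource principal. Added example; the checks are this example's own,
not an Oracle API, and the sample identifiers are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DataFlowScope:
    compartment_id: str
    streampool_id: str
    bucket_name: str
    application_id: Optional[str] = None  # optional: narrow to one application


STREAM_VERBS = "{STREAM_INSPECT, STREAM_READ, STREAM_CONSUME}"


def matching_rule(scope: DataFlowScope) -> str:
    """Dynamic-group matching rule: all Data Flow runs in the compartment,
    optionally only those tagged with one application id."""
    conds = [
        "resource.type='dataflowrun'",
        f"resource.compartment.id='{scope.compartment_id}'",
    ]
    if scope.application_id:
        conds.append(
            f"tag.oci-dataflow.application-id.value='{scope.application_id}'"
        )
    return "ALL {" + ", ".join(conds) + "}"


def dynamic_group_statements(group_name: str, scope: DataFlowScope) -> List[str]:
    """Statements for the dynamic-group approach, scoped to one stream pool
    and one bucket."""
    return [
        f"ALLOW DYNAMIC-GROUP {group_name} TO {STREAM_VERBS} IN TENANCY "
        f"WHERE ANY {{target.streampool.id = '{scope.streampool_id}'}}",
        f"ALLOW DYNAMIC-GROUP {group_name} TO MANAGE OBJECTS IN TENANCY "
        f"WHERE ANY {{target.bucket.name = '{scope.bucket_name}'}}",
    ]


def all_in_one_statements(scope: DataFlowScope) -> List[str]:
    """Statements for the all-in-one approach: ANY-USER, pinned with WHERE ALL
    to Data Flow run principals in one compartment."""
    common = (
        "request.principal.type='dataflowrun', "
        f"request.resource.compartment.id = '{scope.compartment_id}'"
    )
    return [
        f"ALLOW ANY-USER TO {STREAM_VERBS} IN TENANCY "
        f"WHERE ALL {{{common}, target.streampool.id = '{scope.streampool_id}'}}",
        f"ALLOW ANY-USER TO MANAGE OBJECTS IN TENANCY "
        f"WHERE ALL {{{common}, target.bucket.name = '{scope.bucket_name}'}}",
    ]


# Shape of the statements on this page: subject, verbs, tenancy, optional WHERE.
_STMT = re.compile(
    r"^ALLOW (ANY-USER|DYNAMIC-GROUP \S+) TO (.+?) IN TENANCY"
    r"(?: WHERE (ALL|ANY) \{(.+)\})?$"
)


def check_statement(stmt: str) -> List[str]:
    """Return a list of findings; an empty list means the statement passed."""
    m = _STMT.match(stmt)
    if not m:
        return ["unrecognised statement shape"]
    subject, _verbs, quant, conds = m.groups()
    findings = []
    if conds is None:
        # No condition at all: the grant applies across the entire tenancy.
        return ["no WHERE clause: grants to the whole tenancy"]
    if re.search(r"<[a-z_]+>", conds):
        findings.append("placeholder still present")
    if subject == "ANY-USER":
        if quant != "ALL" or "request.principal.type='dataflowrun'" not in conds:
            findings.append("ANY-USER must be pinned to dataflowrun with WHERE ALL")
        if "request.resource.compartment.id" not in conds:
            findings.append("ANY-USER not limited to a compartment")
    if "target.streampool.id" not in conds and "target.bucket.name" not in conds:
        findings.append("no target scoping (stream pool or bucket)")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real OCIDs.
    scope = DataFlowScope(
        compartment_id="ocid1.compartment.oc1..exampleaaaa",
        streampool_id="ocid1.streampool.oc1.phx.examplebbbb",
        bucket_name="spark-checkpoints",
    )
    print("matching rule:", matching_rule(scope))
    for s in dynamic_group_statements("DF-IN-ROOT", scope) + all_in_one_statements(scope):
        print(s, "->", check_statement(s) or "ok")
```

Before pasting generated statements into the policy builder, run them through check_statement; the all-in-one form is only as safe as its WHERE ALL conditions, so a statement that drops the request.principal.type or compartment condition is reported rather than silently widened.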