Resource Principals
DB systems can use resource principals to authenticate and access other Oracle Cloud Infrastructure resources. To use resource principals, you or your tenancy administrator must define the Oracle Cloud Infrastructure policies and dynamic groups that allow principals to access Oracle Cloud Infrastructure resources.
Resource principals are used in the following HeatWave Service features:
- Bring your own certificate: Allows DB systems to read the certificates defined in Oracle Cloud Infrastructure (OCI) Certificates Service.
- HeatWave Lakehouse: Allows DB systems to read data from Object Storage.
- Exporting query results to Object Storage: Allows the HeatWave Service to export query results to Object Storage.
- Accessing OCI Generative AI Service: Allows HeatWave GenAI to use any pretrained foundational models available in OCI Generative AI Service.
Resource principals have two components:
Dynamic Groups
Dynamic groups allow you to group HeatWave Service DB systems as principal actors, similar to user groups.
You can then create policies to permit DB systems in the dynamic groups to make API calls against Oracle Cloud Infrastructure services, such as Certificates or Object Storage. Membership in the group is determined by a set of criteria you define, called matching rules. For example, the following rule matches every DB system in the specified compartment:
"ALL{resource.type='mysqldbsystem', resource.compartment.id = 'ocid1.compartment.oc1..alphanumericString'}"
For more information, see Writing Matching Rules to Define Dynamic Groups.
Dynamic groups require a name, description, and matching rule. See Creating a Dynamic Group.
Policies
Policies define what your groups or dynamic groups can and cannot do.
Defining a Policy for Bring Your Own Certificate
For DB systems to access certificates from the Certificates Service, you must define a policy which allows the dynamic group to read the certificates.
Allow dynamic-group MYSQL_DG to read leaf-certificate-family in compartment C8
Defining a Policy for HeatWave Lakehouse
For HeatWave Lakehouse to access Object Storage, you must define a policy which allows the dynamic group to access buckets and their contents.
Allow dynamic-group MYSQL_DG to read buckets in compartment C8
Allow dynamic-group MYSQL_DG to read objects in compartment C8
Defining a Policy for Exporting Query Results to Object Storage
To allow HeatWave to export query results to Object Storage, the policy must grant the dynamic group permission to create and delete objects in the bucket.
Allow dynamic-group MYSQL_DG to read buckets in compartment C8
Allow dynamic-group MYSQL_DG to manage objects in compartment C8 where
any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT',
request.permission='OBJECT_DELETE'}
You can restrict the permissions to a specific bucket. The following policy grants the dynamic group MYSQL_DG permission to create, inspect, and delete objects in the BucketA bucket in compartment C8:
Allow dynamic-group MYSQL_DG to read buckets in compartment C8
Allow dynamic-group MYSQL_DG to manage objects in compartment C8 where
all {target.bucket.name='BucketA',
any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT',
request.permission='OBJECT_DELETE'} }
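As an added example (not Oracle's code and not part of this page), the following Python builds the export-results policy from the names used in this documentation (dynamic group MYSQL_DG, compartment C8, bucket BucketA) and lints a set of statements for the least-privilege points this section makes: a manage verb with no request.permission condition, an object grant that is not pinned to one bucket, and a tenancy-wide scope. The statement grammar it parses is a constructed subset that covers the forms shown on this page, not OCI's full policy language, and the matching-rule helper reproduces the dynamic-group rule from the Dynamic Groups section.

```python
import re

# Added example (not Oracle's code): build and lint the policy statements a
# HeatWave DB system's resource principal is granted. Group MYSQL_DG,
# compartment C8 and bucket BucketA are the names used in the documentation.

# OCI IAM verbs, weakest to strongest; each includes the ones before it.
VERB_ORDER = ("inspect", "read", "use", "manage")

# Grammar of the statement subset used on this page (constructed for the
# example, not an official OCI grammar):
#   Allow dynamic-group <group> to <verb> <resource-type>
#   in (tenancy | compartment <name>) [where <condition>]
STATEMENT_RE = re.compile(
    r"^Allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)
PERMISSION_RE = re.compile(r"request\.permission\s*=\s*'([A-Z_]+)'")
BUCKET_RE = re.compile(r"target\.bucket\.name\s*=\s*'([^']+)'")

# The three object permissions the export feature needs (from the page).
EXPORT_PERMISSIONS = ("OBJECT_CREATE", "OBJECT_INSPECT", "OBJECT_DELETE")


def matching_rule(compartment_ocid):
    """Dynamic-group rule selecting every DB system in one compartment."""
    return (f"ALL{{resource.type='mysqldbsystem', "
            f"resource.compartment.id = '{compartment_ocid}'}}")


def export_policy(group, compartment, bucket=None):
    """Statements for exporting query results: only the three object
    permissions the feature needs, optionally limited to a single bucket."""
    perms = ", ".join(f"request.permission='{p}'" for p in EXPORT_PERMISSIONS)
    condition = f"any {{{perms}}}"
    if bucket:
        condition = f"all {{target.bucket.name='{bucket}', {condition}}}"
    return [
        f"Allow dynamic-group {group} to read buckets in compartment {compartment}",
        f"Allow dynamic-group {group} to manage objects in compartment {compartment} "
        f"where {condition}",
    ]


def parse_statement(text):
    """Split one statement (it may be wrapped over several lines) into parts."""
    flat = " ".join(text.split())  # undo the line wrapping used in the docs
    m = STATEMENT_RE.match(flat)
    if not m:
        raise ValueError(f"not a dynamic-group Allow statement: {flat!r}")
    condition = m.group("condition") or ""
    bucket = BUCKET_RE.search(condition)
    return {
        "group": m.group("group"),
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "scope": " ".join(m.group("scope").split()),
        "permissions": sorted(PERMISSION_RE.findall(condition)),
        "bucket": bucket.group(1) if bucket else None,
    }


def lint(statements):
    """Least-privilege findings for a list of statements; [] means none."""
    findings = []
    for text in statements:
        s = parse_statement(text)
        label = f"{s['verb']} {s['resource']} in {s['scope']}"
        if s["scope"] == "tenancy":
            findings.append(f"{label}: tenancy-wide grant; scope it to a compartment")
        if s["verb"] == "manage" and not s["permissions"]:
            findings.append(f"{label}: 'manage' without a request.permission "
                            "condition grants every permission on the resource type")
        # use/manage on objects should name the bucket; read alone is left as the page has it.
        if (s["resource"] == "objects" and VERB_ORDER.index(s["verb"]) >= 2
                and s["bucket"] is None):
            findings.append(f"{label}: not limited to one bucket; add target.bucket.name")
    return findings


if __name__ == "__main__":
    print(matching_rule("ocid1.compartment.oc1..alphanumericString"))
    # The compartment-wide export policy from the documentation, then the bucket-scoped one.
    loose = [
        "Allow dynamic-group MYSQL_DG to read buckets in compartment C8",
        "Allow dynamic-group MYSQL_DG to manage objects in compartment C8 where\n"
        "any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT',\n"
        "request.permission='OBJECT_DELETE'}",
    ]
    for finding in lint(loose):
        print("finding:", finding)
    scoped = export_policy("MYSQL_DG", "C8", bucket="BucketA")
    for stmt in scoped:
        print(stmt)
    print("findings for bucket-scoped policy:", lint(scoped))
```

Run as a script it prints one finding for the compartment-wide export policy (the manage grant is not tied to a bucket) and none for the BucketA-scoped one; the same lint accepts the certificate, Lakehouse and Generative AI statements on this page unchanged.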
Defining a Policy for Accessing OCI Generative AI Service
For HeatWave GenAI to use any pretrained foundational models available in OCI Generative AI, you must define a policy which allows the dynamic group to access the OCI Generative AI service.
Allow dynamic-group MYSQL_DG to use generative-ai-chat in compartment C8
Allow dynamic-group MYSQL_DG to use generative-ai-text-embedding in compartment C8
Usage of OCI Generative AI is metered and billed to the selected compartment.