Oracle Cloud Infrastructure Documentation

Adding Security Attributes to a Mount Target

Use Zero Trust Packet Routing with a mount target.

You can use Zero Trust Packet Routing (ZPR) along with or in place of network security groups to manage network access to OCI resources . To do this, define ZPR policies that govern how resources communicate with each other, and then add security attributes to those resources. For more information, see Zero Trust Packet Routing.
Caution

If an endpoint has a Zero Trust Packet Routing (ZPR) security attribute, traffic to the endpoint must satisfy ZPR policies and also all NSG and security list rules. For example, if you're already using NSGs and you add a security attribute to an endpoint, all traffic to the endpoint is blocked. From then onward, a ZPR policy must explicitly allow traffic to the endpoint.

Required IAM Policy

To use ZPR with File Storage mount targets, create an IAM policy that grants the File Storage service permission to inspect and use the security attribute namespace required by ZPR.

For example, you can use the following policy:

Allow service <fssoc#prod> to {SECURITY_ATTRIBUTE_NAMESPACE_INSPECT, SECURITY_ATTRIBUTE_NAMESPACE_READ, SECURITY_ATTRIBUTE_NAMESPACE_USE,
 ZPR_CONFIGURATION_READ, ZPR_TAG_NAMESPACE_USE} where target.security-attribute-namespace.name = 'applications'

The name of the File Storage service user depends on your realm . For realms with realm key numbers of 10 or less, the pattern for the File Storage service user is FssOc<n>Prod, where n is the realm key number. Realms with a realm key number greater than 10 have a service user of fssocprod. For more information about realms, see About Regions and Availability Domains.

    1. On the File Storage mount targets list page, select the File Storage mount target that you want to work with. If you need help finding the list page or the File Storage mount target, see Listing Mount Targets.
    2. On the details page, select Security tab and then select Add security attribute.
    3. In the Add security attribute panel, enter the following information:
      • Security attribute namespace: A security attribute namespace is a container for a set of security attributes in Zero Trust Packet Routing (ZPR).
      • Security attribute key: The name for a specific security attribute.
      • Security attribute value: The value for a specific security attribute.

      These values must match an existing ZPR policy. For more information about security attributes and security attribute namespaces, see Zero Trust Packet Routing.

    4. When finished, select Add security attributes.

  • Use the fs mount-target update command and required parameters to add security associations to a mount target:

    oci fs mount-target update --mount-target-id <mount_target_OCID> --security-attributes securityattributes

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the UpdateMountTarget operation to add security associations to a mount target.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.