This blog post shares some quick tips, Q/A and useful links from Day 1 of our newly launched batch of the Oracle Cloud Infrastructure Architect Associate course. The course covers 15+ hands-on labs.
In the Day 1 live session we covered the basics of Identity and Access Management (IAM) in OCI.
Here are some of the questions asked during the live session on Module 2: Identity and Access Management (IAM), with their answers.
Oracle Cloud Infrastructure (OCI) Architect
An Oracle Cloud Infrastructure (OCI) Architect is responsible for implementing, monitoring and maintaining Oracle Cloud solutions, including the major services for Compute, Storage, Networking, Database and Security.
Cloud Services Model
Cloud computing offers services through three delivery models: SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).
These three types of service are sometimes called the cloud computing stack, because each builds on top of the one below it.
Also Read: Our blog post on Oracle Cloud Support.
Identity Access Management (IAM)
IAM handles authentication and authorization for the resources used in an OCI environment. It grants the appropriate users access to resources in OCI and restricts unauthorized access to them.
IAM lets you control who has access to which cloud resource in OCI. The IAM components are:
- Principals
- Users
- Groups & Dynamic Groups
- Policies
- Compartments
Principal, Users & Groups
Principals are of three types:
- Root User: The first user, created with the cloud account when you sign up for OCI, is the root user.
- IAM Users: Users created after the root user are called IAM users.
- Instance Principals: Instance principals let compute instances (and the applications running on them) make API calls against other OCI services.
Users & Groups: A user is an individual or an employee who needs to manage resources in OCI, and every user belongs to one or more groups.
Note: Policies are assigned to groups, not to users.
Also Read: Our blog post on OCI Shielded Instances.
Authentication
Authentication (ATN): The process of proving who you are is called authentication.
There are three ways in which the IAM service authenticates a principal:
- Username/password: Signing in to the web console
- API Signing Key: Public/Private key pair
- Auth Token: Oracle generated token strings
Authorization
Authorization (ATZ): The process of determining which actions an authenticated principal may perform is known as authorization.
Policies are defined with the required privileges, and these policies are then associated with a group.
The principle of least privilege is applied: by default a new user has no access at all unless they are added to a group that has a policy granting access to the resource.
Q1. What is Auth Token? Is it available permanently or for a period of time?
Ans. Auth tokens are Oracle-generated token strings that you can use to authenticate with third-party APIs that do not support Oracle Cloud Infrastructure’s signature-based authentication. Each user created in the IAM service automatically has the ability to create, update, and delete their own auth tokens in the Console or the API.
Auth tokens do not expire. Each user can have up to two auth tokens at a time.
Compartment
A compartment is a logical container in which OCI resources reside. Every OCI resource belongs to exactly one compartment. Compartments are used to grant appropriate access to the resources in OCI, and a compartment can contain sub-compartments.
When creating resources (compute, storage, etc.), you decide which compartment to place them in.
Compartments are global, meaning they span the whole tenancy across regions. Each resource belongs to a single compartment, but resources can be shared across compartments.
Q2. Can the resources of one Compartment be accessed by a resource/compute in another Compartment?
Ans. Yes, a resource in one compartment can be accessed by a resource in another compartment, provided the proper policies are applied to the compartment.
Policy
Policies are statements that specify which user group can access which resources in OCI, and at what level. They are also how one OCI service is granted access to use another service.
A policy comprises one or more statements, each specifying which group can access what resources and with what level of access. Policy statements are written in a human-readable format, for example:
- Allow group <group_name> to <verb> <resource-type> in tenancy
- Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> where <conditions>
A policy can be attached to a compartment or to the tenancy.
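As an added illustration (this is not OCI's policy evaluator and not code from the original post), the following Python script models the statement grammar above together with three rules stated in this post: access is granted only through group membership, a new user is denied by default, and a policy on a compartment also covers its sub-compartments. The group names, compartment names and statements are constructed sample data, and the `where` conditions are left out.

```python
"""Toy evaluator for OCI-style IAM policy statements.

Added example for illustration only; it is not OCI's implementation and not
code from the original post. It models the documented statement forms

    Allow group <group_name> to <verb> <resource-type> in tenancy
    Allow group <group_name> to <verb> <resource-type> in compartment <name>

and three behaviours described in the post: default deny (a user with no
group policy gets nothing), policies bound to groups rather than users,
and a policy on a parent compartment applying to its sub-compartments.
'where' conditions and dynamic groups are not modelled.
"""
import re
from dataclasses import dataclass

# Verb hierarchy: each level includes the permissions of the levels below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str  # e.g. 'instances', 'buckets', or 'all-resources'
    scope: str     # 'tenancy' or a compartment name


def parse_statement(text):
    """Parse one policy statement, raising ValueError on anything off-grammar."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a supported policy statement: {text!r}")
    scope = "tenancy" if m.group("tenancy") else m.group("compartment")
    return Statement(m.group("group"), m.group("verb").lower(),
                     m.group("resource").lower(), scope)


def compartment_chain(compartment, parents):
    """Yield a compartment and each of its ancestors (parents maps child -> parent)."""
    while compartment is not None:
        yield compartment
        compartment = parents.get(compartment)


def is_allowed(user_groups, statements, verb, resource, compartment, parents):
    """Default deny: True only if a statement for one of the user's groups grants
    at least `verb` on `resource` in `compartment`, an ancestor, or tenancy-wide."""
    wanted = VERB_RANK[verb]
    scopes = {"tenancy", *compartment_chain(compartment, parents)}
    for s in statements:
        if s.group not in user_groups:
            continue
        if s.resource not in (resource, "all-resources"):
            continue
        if s.scope not in scopes:
            continue
        if VERB_RANK[s.verb] >= wanted:
            return True
    return False


def too_broad(statement):
    """Flag the statement a reviewer would question first: manage all-resources tenancy-wide."""
    return (statement.verb == "manage" and statement.resource == "all-resources"
            and statement.scope == "tenancy")


# Constructed sample data (not real tenancy values): child -> parent compartment.
SAMPLE_PARENTS = {"Dev": None, "Dev-Team-A": "Dev", "Prod": None}
SAMPLE_POLICY = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group Developers to use instances in compartment Dev",
    "Allow group Developers to read buckets in compartment Prod",
]
SAMPLE_STATEMENTS = [parse_statement(s) for s in SAMPLE_POLICY]


def demo():
    """Run the access checks discussed in the post and return name -> allowed."""
    dev, admin, nobody = {"Developers"}, {"Administrators"}, set()
    return {
        # granted directly by the group's statement
        "dev_use_instance_dev": is_allowed(dev, SAMPLE_STATEMENTS, "use", "instances", "Dev", SAMPLE_PARENTS),
        # inherited by the sub-compartment Dev-Team-A
        "dev_read_instance_sub": is_allowed(dev, SAMPLE_STATEMENTS, "read", "instances", "Dev-Team-A", SAMPLE_PARENTS),
        # 'use' does not include 'manage'
        "dev_manage_instance": is_allowed(dev, SAMPLE_STATEMENTS, "manage", "instances", "Dev", SAMPLE_PARENTS),
        # cross-compartment read granted by an explicit statement (see Q2)
        "dev_read_bucket_prod": is_allowed(dev, SAMPLE_STATEMENTS, "read", "buckets", "Prod", SAMPLE_PARENTS),
        # a new user in no group gets nothing
        "nogroup_inspect": is_allowed(nobody, SAMPLE_STATEMENTS, "inspect", "instances", "Dev", SAMPLE_PARENTS),
        "admin_manage_prod": is_allowed(admin, SAMPLE_STATEMENTS, "manage", "buckets", "Prod", SAMPLE_PARENTS),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    print("broad statements:", [s for s in SAMPLE_POLICY if too_broad(parse_statement(s))])
```

The `too_broad` check is the kind of review a practitioner applies before attaching a policy: a `manage all-resources in tenancy` statement is appropriate for a small administrators group and for little else, and narrowing the verb, resource type or compartment is how the least-privilege default described above is preserved as policies grow.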
Q3. How do we create an IAM policy?
Ans. To create a policy:
- In the Oracle Cloud Console, open the navigation menu. Under Governance and Administration, point to Identity, and then click Policies.
- On the Identity > Policies in x Compartment page, under List Scope > Compartment, select the compartment where you want the policy to reside.
- Click the Create Policy button.
- In the Create Policy dialog box, enter the following information:
  - Name: Enter a name for the policy.
  - Description: Enter a description of the policy.
  - Compartment: Select a compartment from the list if you want to create the policy in a different compartment.
  - Policy Builder: Add the policy statements here.
  - Policy Versioning: Select the Keep Policy Current option.
- Click the Create button.
- To review any policy, click its name on the Policies in x Compartment page.
Q4. Define Tags. How many types of tags are there?
Ans. Tags in OCI attach metadata to resources so that they are easier to manage. They can also be used for billing purposes (cost-tracking tags). There are two types of tags: Free-form Tags and Defined Tags.
Federation & Dynamic Groups
Federation: This is the relationship an administrator builds between an identity provider and a service provider. With federation, authentication for the OCI Console is delegated to another identity provider, such as IDCS or Microsoft Active Directory, or to a third-party single sign-on service such as Okta.
Dynamic groups allow you to group Oracle Cloud Infrastructure compute instances as "principal" actors (similar to user groups), so that policies can be written for the instances themselves.
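Membership of a dynamic group is decided by a matching rule rather than by an administrator adding members. As an added example (not OCI's implementation and not code from the original post), the Python below evaluates the documented rule forms (`instance.id`, `instance.compartment.id`, `tag.<namespace>.<key>.value`, combined with `Any {...}` or `All {...}`) against constructed instance records with made-up OCIDs, to show which instances would become members and therefore be covered by a policy written for that dynamic group.

```python
"""Toy evaluator for OCI-style dynamic group matching rules.

Added example only; not OCI's implementation and not code from the post.
Supported rule forms (documented OCI syntax):

    instance.compartment.id = '<compartment_ocid>'
    instance.id = '<instance_ocid>'
    tag.<namespace>.<key>.value = '<value>'
    Any { <clause>, <clause>, ... }
    All { <clause>, <clause>, ... }

Values containing commas are not handled by this simple comma-split parser.
"""
import re

_CLAUSE_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.\-]+)\s*=\s*'(?P<value>[^']*)'\s*$")
_GROUP_RE = re.compile(r"^\s*(?P<op>Any|All)\s*\{(?P<body>.*)\}\s*$", re.IGNORECASE | re.DOTALL)


def parse_rule(text):
    """Return ('any' | 'all', [(key, value), ...]) for a matching rule string.

    A bare clause with no Any/All wrapper is treated as a single-clause 'all'."""
    m = _GROUP_RE.match(text)
    if m:
        op, body = m.group("op").lower(), m.group("body")
    else:
        op, body = "all", text
    clauses = []
    for part in body.split(","):
        if not part.strip():
            continue
        c = _CLAUSE_RE.match(part)
        if not c:
            raise ValueError(f"unsupported clause: {part.strip()!r}")
        clauses.append((c.group("key"), c.group("value")))
    if not clauses:
        raise ValueError("rule has no clauses")
    return op, clauses


def instance_attribute(instance, key):
    """Look a rule key up on a constructed instance record (tags live under 'tags')."""
    key_l = key.lower()
    if key_l == "instance.id":
        return instance.get("id")
    if key_l == "instance.compartment.id":
        return instance.get("compartment_id")
    if key_l.startswith("tag.") and key_l.endswith(".value"):
        namespace, tag_key = key[len("tag."):-len(".value")].split(".", 1)
        return instance.get("tags", {}).get(namespace, {}).get(tag_key)
    raise ValueError(f"unsupported attribute: {key}")


def is_member(instance, rule):
    """True if the instance satisfies the rule (Any = at least one clause, All = every clause)."""
    op, clauses = parse_rule(rule)
    results = [instance_attribute(instance, k) == v for k, v in clauses]
    return any(results) if op == "any" else all(results)


# Constructed sample instances; the OCIDs are placeholders, not real identifiers.
PROD = "ocid1.compartment.oc1..EXAMPLE-prod"
DEV = "ocid1.compartment.oc1..EXAMPLE-dev"
SAMPLE_INSTANCES = [
    {"id": "ocid1.instance.oc1..EXAMPLE-web1", "compartment_id": PROD, "tags": {"Ops": {"Role": "web"}}},
    {"id": "ocid1.instance.oc1..EXAMPLE-db1", "compartment_id": PROD, "tags": {"Ops": {"Role": "db"}}},
    {"id": "ocid1.instance.oc1..EXAMPLE-dev1", "compartment_id": DEV, "tags": {"Ops": {"Role": "web"}}},
]


def members(rule, instances=SAMPLE_INSTANCES):
    """Return the ids of the instances that the rule would place in the dynamic group."""
    return [i["id"] for i in instances if is_member(i, rule)]


if __name__ == "__main__":
    rule = f"All {{instance.compartment.id = '{PROD}', tag.Ops.Role.value = 'web'}}"
    print(rule)
    print("members:", members(rule))
```

Reviewing a matching rule with a tool like this is worthwhile because a rule that is wider than intended (for example matching on a compartment alone when only one role of instance should call the API) silently extends every policy written for the dynamic group to all of those instances.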
Quiz Time (Sample Exam Questions)!
Our [1Z0-1072] Oracle Cloud Infrastructure Architect Associate training program covers 150+ sample exam questions to help you prepare for the certification [1Z0-1072].
Ques: You are responsible for setting up access for all the cloud users of a large enterprise. You log in to the Phoenix region and start creating users and policies. You then realize that some users might be creating resources in the Ashburn region.
A) You can assign a region to each of the users at the time of creation.
B) IAM users are global, and non-admin users can add resources to any region by default.
C) You need to log in to each region separately to create users for that particular region.
D) IAM users are global. As an administrator, make sure that you subscribe to the Ashburn region.
The right answer will be revealed in the Day 2 recap blog.
Feedback
We always work on improving on the previous session and being the best version of ourselves, so we constantly ask our attendees for feedback.
Here is the feedback that we received from the trainees who attended the session (in the screenshots below, 2108 stands for August 2021).
Begin Your Cloud Journey
Begin your journey towards becoming a Certified Oracle Cloud Infrastructure Architect, and earning a lot more in 2022, by joining our FREE class. By registering for our FREE Masterclass you will also learn about the roles and responsibilities of OCI Architects, the job opportunities in the market, what to study, and the hands-on labs you must perform to clear the Oracle Cloud Architect Associate (OCI) certification exam.