Required IAM Policy To View Listings

To view listings, launch images, stacks, containers or helm charts using Marketplace, you must have the necessary IAM policies.

To use Oracle Cloud Infrastructure, an administrator must be a member of a group granted security access in a policy by a tenancy administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with the tenancy administrator what type of access you have and which compartment your access works in.

If you're new to policies, see Getting Started with Policies and Common Policies.

For administrators, the policies you need to create to provide users with access to Marketplace depend on whether the tenancy is in a commercial region, the United Kingdom Government Cloud region, or the United States Government Cloud realm.

Note

In commercial regions and the United Kingdom Government Cloud region, administrators do not need to write policies to grant users the ability to list or read listings. In these regions, you can see individual listings and lists of listings by default. Furthermore, to reduce the scope of access to a particular compartment, specify that compartment instead of the tenancy in the policy statement.

For a Tenancy in a Commercial Region or the United Kingdom Government Cloud

  • The following policy gives the specified example group, MarketplaceUsers, the ability to list accepted terms of use agreements. However, it does not include the ability to accept a terms of use agreement. The terms of use agreement for a given listing must be viewed and accepted prior to launch. For a policy that includes the ability to use listings, see the policy statements later in this section that grant access to the type of listing you want to launch, whether an image, stack, container image, or a helm chart.

    Allow group MarketplaceUsers to inspect compartments in tenancy
    Allow group MarketplaceUsers to read app-catalog-listing in tenancy
  • The following policy gives the specified example group, MarketplaceUsers, the ability to not only list and read, but also use Marketplace listings. It does not include the ability to create instances using images from listings. (For that, see the next set of policy statements.)

    Allow group MarketplaceUsers to inspect compartments in tenancy
    Allow group MarketplaceUsers to manage app-catalog-listing in tenancy
    
  • The following policy gives the specified example group, MarketplaceUsers, general access to managing instances and images, along with the required level of access to attach existing block volumes to the instances. Use this policy in conjunction with the preceding policy for users who need to launch instances from image listings. For users who need to launch stacks, container images, and helm charts, use this policy in conjunction with the next set of policy statements.

    Allow group MarketplaceUsers to manage instance-family in compartment ABC
    Allow group MarketplaceUsers to read app-catalog-listing in tenancy
    Allow group MarketplaceUsers to use volume-family in compartment ABC
    Allow group MarketplaceUsers to use virtual-network-family in compartment XYZ
  • The policies described in IAM Policies grant access to stacks and jobs in the tenancy. Use the appropriate policy statements to give a group the ability to list, read, and use Marketplace stack listings. (Users do not need permission to run destroy jobs to launch a stack from a Marketplace listing, but they do need permissions to run plan jobs and apply jobs.)
  • The following policy gives the specified example group, MarketplaceUsers, the ability to manage container images or repositories in the specified example compartment in any possible way.
    Allow group MarketplaceUsers to manage repos in compartment ABC

If you need to write more restrictive policies, see the policy references on which these policies were based, Details for the Core Services and Details for the Resource Manager, as needed.

For a Tenancy in the US Government Cloud Realm

Note

The following policies assume that the specified groups already have policies that let them inspect anything in the tenancy, including all compartments.

  • The following policy gives the specified example group, MarketplaceUsers, the ability to view all listings in the specified example compartment:

    Allow group MarketplaceUsers to read marketplace-listings in compartment ABC
  • The following policy gives the specified example group, MarketplaceUsers, the ability to work with all listings in the specified example compartment in any way possible. The statements include the ability to accept terms of use agreements, view listings, and create images, stacks, containers, and helm charts:

    Allow group MarketplaceUsers to manage app-catalog-listings in compartment ABC
    Allow group MarketplaceUsers to use marketplace-listings in compartment ABC
    Allow group MarketplaceUsers to manage instance-family in compartment ABC
    Allow group MarketplaceUsers to use volume-family in compartment ABC
    Allow group MarketplaceUsers to manage virtual-network-family in compartment ABC
    Allow group MarketplaceUsers to manage orm-stack in compartment ABC
    Allow group MarketplaceUsers to manage orm-job in compartment ABC
  • The following policy gives the specified example group, MarketplaceUsers, the ability to work with specific listings in the specified example compartment in any way possible. The statements include the ability to list and subscribe to images and the ability to create images, stacks, containers, and helm charts:

    Allow group MarketplaceUsers to manage app-catalog-listings in compartment ABC
    Allow group MarketplaceUsers to use marketplace-listings in compartment ABC where any {listing.id='123456', listing.id='987654'}
    Allow group MarketplaceUsers to manage instance-family in compartment ABC
    Allow group MarketplaceUsers to use volume-family in compartment ABC
    Allow group MarketplaceUsers to manage virtual-network-family in compartment ABC
    Allow group MarketplaceUsers to manage orm-stack in compartment ABC
    Allow group MarketplaceUsers to manage orm-job in compartment ABC
  • The following policy gives the specified example group, AgreementAcceptors, the ability to accept the terms of use agreement for any listing in the specified example compartment. The statements make it possible for anyone with the appropriate permissions to launch images, listings, stacks, containers, and helm charts without having the permission to accept the terms of use agreement themselves:

    Allow group AgreementAcceptors to read marketplace-listings in compartment ABC
    Allow group AgreementAcceptors to manage app-catalog-listings in compartment ABC

If you need to write more restrictive policies, see the policy reference on which policies for tenancies in the US Government Cloud realm were based, Details for the Marketplace Service.
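
As an added example (not part of the Oracle documentation), the following Python sketch parses statements of the form shown on this page and flags the ones a reviewer would check first when narrowing access: grants above a chosen verb at tenancy scope, and statements that do not parse, such as one cut off after "in". The grammar covers only the "Allow group ... to <verb> <resource-type> in tenancy | compartment <name> [where ...]" form used here; the function names, the SAMPLE list, and the default threshold of read are assumptions.

```python
import re

# Covers only the statement form used on this page:
#   Allow group <name> to <verb> <resource-type> in tenancy | compartment <name> [where <cond>]
STATEMENT = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+))?$",
    re.IGNORECASE,
)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # least to most access

# Statements copied from this page; the last one is deliberately cut off (constructed).
SAMPLE = [
    "Allow group MarketplaceUsers to inspect compartments in tenancy",
    "Allow group MarketplaceUsers to manage app-catalog-listing in tenancy",
    "Allow group MarketplaceUsers to manage instance-family in compartment ABC",
    "Allow group MarketplaceUsers to use marketplace-listings in compartment ABC "
    "where any {listing.id='123456', listing.id='987654'}",
    "Allow group MarketplaceUsers to manage repos in",
]

def parse(statement):
    """Split one statement into group, verb, resource, scope and where-clause."""
    match = STATEMENT.match(" ".join(statement.split()))  # rejoin wrapped lines
    if not match:
        raise ValueError(f"not a recognised policy statement: {statement!r}")
    parts = match.groupdict()
    parts["verb"] = parts["verb"].lower()
    return parts

def audit(statements, max_tenancy_verb="read"):
    """Return (statement, finding) pairs for a reviewer to look at."""
    findings = []
    for statement in statements:
        try:
            parts = parse(statement)
        except ValueError:
            findings.append((statement, "malformed"))
            continue
        if (parts["scope"].lower() == "tenancy"
                and VERB_RANK[parts["verb"]] > VERB_RANK[max_tenancy_verb]):
            findings.append((statement, "tenancy-wide " + parts["verb"]))
    return findings

if __name__ == "__main__":
    for statement, finding in audit(SAMPLE):
        print(f"{finding}: {statement}")
```

A flagged tenancy-wide statement is not necessarily wrong; it marks where the scope could be reduced to a compartment if the group does not need access across the tenancy.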