Oracle Cloud Infrastructure Documentation

Access Control Using IP Address

OCI provides an option to add an additional layer of security to your cloud resources by limiting access using network based access controls. You can specify a limited set of IP addresses or Classless Inter-Domain Routing (CIDR) blocks that have permission to interact with your resources.

A network source is a set of defined IP addresses. They can be public IP address of Virtual Cloud Networks (VCNs) within your tenancy. When a network source is provided in an IAM policy, the IAM validates the requests to access a resource originating from an allowed IP address. Follow the given steps to create IAM policies that limit access to Devops code repositories based on specified IP addresses:

  1. In the Oracle Cloud Console, open the navigation menu and click Identity & Security. Under Network Sources, click Create Network Source.
  2. Enter a name and description.
  3. In the Networks section, select the type of network you're using and the respective IP addresses.
    • To provide access to public IP addresses or CIDR block ranges, select Public Network and provide the respective details.
    • To provide access to private IP addresses in your VCN, select Virtual Cloud Network, and select the VCN you want to allow. Enter the private IP address from the VCN or a subnet CIDR block. To allow all subnets from the specified VCN, enter 0.0.0.0/0.
  4. To add more IP ranges to this network source, click Add Network.
  5. Click Create.

After creating the network with the required IP addresses, you can create IAM policies to allow only the listed IP addresses to access DevOps code repositories. To scope your policy using a condition, you can use an IAM service variable. For example, request.networkSource.name.

Following is a sample policy to allow only specified IP addresses to access the DevOps code repositories using devops-repository as the resource type. Use the network source name that was created in the preceding steps: 
Allow group <group-name> to manage devops-repository in compartment <compartment_name> where request.networkSource.name='<network-source-name>'

You can modify the verbs used in the policy. For example, changing "manage" to "inspect" allows only listing of resources. For more information see, DevOps IAM policies.

When accessing repositories, or performing Git operations on a repository from an IP address that isn't allowed, you might encounter an error.