iam-identity-management_skill

This skill helps you design OCI IAM policies, troubleshoot access issues, and configure dynamic groups with landing zone guidance for secure, scalable access.
Language: Shell
GitHub stars: 4
Bundled files: 2
Catalog refreshed: 3 weeks ago
First indexed: 2 months ago
Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

The preview and the copy-to-clipboard command use the veilstart CLI, whereas the catalogue listing itself uses aiagentskills.

npx veilstart add skill acedergren/oci-agent-skills --skill iam-identity-management

  • metadata.json (570 B)
  • SKILL.md (10.7 KB)

Overview

This skill helps you write and troubleshoot Oracle Cloud Infrastructure (OCI) IAM policies, configure dynamic groups, and integrate with IDCS. It focuses on OCI-specific policy syntax, compartment placement, principal types, and common authorization failures. Use it to apply least-privilege patterns and avoid common IAM anti-patterns.

How this skill works

It inspects policy verb/resource combinations, compartment hierarchy, and dynamic group matching rules to identify likely causes of permission errors. It walks through common OCI errors (404 NotAuthorizedOrNotFound, 403 NotAuthorized), explains verb hierarchies, and provides concrete condition and resource-family gotchas. It also provides practical steps to test instance principals and dynamic groups using OCI CLI calls.

When to use it

  • Writing new IAM policies or converting policies to least privilege
  • Troubleshooting 403/404 permission errors and evaluating policy placement
  • Designing dynamic groups and testing instance principal access
  • Setting up or debugging IDCS federation and group mappings
  • Reviewing compartment structure and moving from flat to hierarchical layout

Best practices

  • Always attach the policy at or above the target compartment; a policy attached to a child compartment cannot grant access to resources in a parent compartment
  • Use least privilege: prefer a specific resource family and the narrowest verb that works (inspect/read/use/manage, in increasing order of privilege) over all-resources or any-user
  • Use dynamic-group rules based on compartment or tags, never hardcode instance OCIDs
  • Test dynamic group membership from the instance using OCI CLI before relying on policies in production
  • Avoid circular policy dependencies by defining clear administrative groups and creation order
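The checks in the list above can be automated. The following is an added example, not code from the skill or from the oci-agent-skills repository: a small linter over OCI policy statements that flags any-user, all-resources and manage grants, plus a helper encoding the inspect < read < use < manage verb hierarchy so you can tell whether a granted verb covers the verb an operation needs. The statement grammar it parses (Allow <subject> to <verb> <resource-type> in <scope> [where ...]) is the documented OCI shape; the sample policy, group names and compartment name are constructed for the example.

```python
import re

# OCI verb hierarchy, least to most privilege: inspect < read < use < manage.
# Each verb includes everything granted by the verbs before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Shape of an OCI policy statement:
#   Allow <subject> to <verb> <resource-type> in <scope> [where <conditions>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|(?:group|dynamic-group|service)\s+\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)


def verb_covers(granted, needed):
    """True if a statement granting `granted` also satisfies an operation that needs `needed`.

    Useful when reading a 403: the principal may hold `inspect` on a resource
    family while the failing call needs `read`.
    """
    return VERB_RANK[granted.lower()] >= VERB_RANK[needed.lower()]


def lint_policy(statements):
    """Return (statement_number, code, message) findings for the anti-patterns above."""
    findings = []
    for n, stmt in enumerate(statements, 1):
        m = STATEMENT_RE.match(stmt)
        if not m:
            findings.append((n, "unparseable",
                             "does not match Allow <subject> to <verb> <resource> in <scope>"))
            continue
        subject, verb, resource = (m.group(g).lower() for g in ("subject", "verb", "resource"))
        if subject == "any-user":
            detail = ("no where clause narrows it" if not m.group("cond")
                      else "check that the where clause is restrictive")
            findings.append((n, "any-user", f"grants to every principal; {detail}"))
        if resource == "all-resources":
            findings.append((n, "all-resources", "prefer a specific resource family"))
        if verb == "manage":
            findings.append((n, "manage", "widest verb; confirm create/update/delete is needed"))
    return findings


# Constructed sample policy (group names and compartment are placeholders).
SAMPLE_POLICY = [
    "Allow group AppAdmins to manage all-resources in compartment prod",
    "Allow any-user to read objects in compartment prod",
    "Allow dynamic-group app-instances to read objects in compartment prod "
    "where target.bucket.name = 'app-config'",
    "Allow group Auditors to inspect instances in compartment prod",
]

if __name__ == "__main__":
    for n, code, msg in lint_policy(SAMPLE_POLICY):
        print(f"statement {n}: [{code}] {msg}")
    print("read covers inspect:", verb_covers("read", "inspect"))
```

Statements 3 and 4 produce no findings: they name a resource family, use the narrowest verb, and the dynamic-group grant is further limited by a where clause on the bucket name.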

Example use cases

  • Create a policy that allows app instances in a compartment to read specific buckets using a dynamic group with tag matching
  • Resolve a 404 NotAuthorizedOrNotFound by checking resource existence, policy location, and inspect/read permissions
  • Migrate a flat compartment layout to an environment-based landing zone and update policies to match the new hierarchy
  • Debug IDCS federation when a federated user can log in but cannot see resources due to missing OCI group policy

FAQ

What is the difference between a 404 and a 403 error?

404 NotAuthorizedOrNotFound can mean either that the resource doesn't exist or that the requester lacks permission to see it. 403 NotAuthorized means the principal is identified but lacks the required verb/resource permission.

How do I test if an instance is in a dynamic group?

Get the instance details (compartment, tags) with oci compute instance get, compare to the dynamic group matching rule, and run a sample API call from the instance (for example oci os ns get) to confirm access.
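The "compare to the dynamic group matching rule" step above is easy to get wrong by eye when the rule combines Any/All blocks and tag conditions. The following is an added example, not code from the skill or from the oci-agent-skills repository: it parses an OCI dynamic group matching rule (single condition, or Any {...} / All {...} blocks, with = and != on instance.id, instance.compartment.id and tag.<namespace>.<key>.value), evaluates it against the JSON shape returned by oci compute instance get, lists the conditions that are not met, and reports any hardcoded instance OCIDs (the anti-pattern named under Best practices). The instance JSON and the OCIDs are constructed placeholders; treating a missing tag as "not equal" and matching tag namespace/key names case-insensitively are assumptions of this example.

```python
import json
import re

_BLOCK_RE = re.compile(r"^(any|all)\s*\{(.*)\}$", re.IGNORECASE | re.DOTALL)
_COND_RE = re.compile(r"^([\w.\-]+)\s*(=|!=)\s*'([^']*)'$")


def _split_top_level(text):
    """Split on commas that are not inside nested { } blocks."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur))
    return [p.strip() for p in parts]


def parse_rule(rule):
    """Parse a matching rule into ('any'|'all', [children]) or ('cond', key, op, value)."""
    rule = rule.strip()
    m = _BLOCK_RE.match(rule)
    if m:
        return (m.group(1).lower(), [parse_rule(p) for p in _split_top_level(m.group(2))])
    m = _COND_RE.match(rule)
    if not m:
        raise ValueError(f"cannot parse condition: {rule!r}")
    return ("cond", m.group(1), m.group(2), m.group(3))


def instance_attributes(cli_json):
    """Flatten `oci compute instance get` output into the attribute paths rules refer to."""
    data = cli_json["data"]
    attrs = {"instance.id": data["id"], "instance.compartment.id": data["compartment-id"]}
    # Only defined tags are usable in matching rules; keys lower-cased (assumption: case-insensitive).
    for ns, keys in data.get("defined-tags", {}).items():
        for key, value in keys.items():
            attrs[f"tag.{ns}.{key}.value".lower()] = value
    return attrs


def _leaves(tree):
    return [tree] if tree[0] == "cond" else [l for c in tree[1] for l in _leaves(c)]


def _eval(tree, attrs):
    if tree[0] == "any":
        return any(_eval(c, attrs) for c in tree[1])
    if tree[0] == "all":
        return all(_eval(c, attrs) for c in tree[1])
    _, key, op, value = tree
    equal = attrs.get(key.lower()) == value  # missing attribute compares as not equal
    return equal if op == "=" else not equal


def is_member(rule, cli_json):
    return _eval(parse_rule(rule), instance_attributes(cli_json))


def unmet_conditions(rule, cli_json):
    """Leaf conditions that evaluate false for this instance, for troubleshooting."""
    attrs = instance_attributes(cli_json)
    return [f"{k} {op} '{v}'" for _, k, op, v in _leaves(parse_rule(rule)) if not _eval(("cond", k, op, v), attrs)]


def hardcoded_instance_ids(rule):
    """Instance OCIDs pinned in the rule; prefer compartment or tag conditions instead."""
    return [v for _, k, op, v in _leaves(parse_rule(rule)) if k.lower() == "instance.id" and op == "="]


# Constructed sample in the shape of `oci compute instance get` (placeholder OCIDs).
SAMPLE_INSTANCE_GET = json.loads("""{
  "data": {
    "id": "ocid1.instance.oc1.phx.EXAMPLE-INSTANCE",
    "compartment-id": "ocid1.compartment.oc1..EXAMPLE-PROD",
    "display-name": "app-web-1",
    "freeform-tags": {"owner": "app-team"},
    "defined-tags": {"Operations": {"Role": "app-server"}}
  }
}""")

RULE_TAG = "Any {instance.compartment.id = 'ocid1.compartment.oc1..EXAMPLE-PROD', tag.Operations.Role.value = 'app-server'}"
RULE_MISS = "All {instance.compartment.id = 'ocid1.compartment.oc1..EXAMPLE-PROD', tag.Operations.Role.value = 'database'}"
RULE_HARDCODED = "instance.id = 'ocid1.instance.oc1.phx.EXAMPLE-INSTANCE'"

if __name__ == "__main__":
    for rule in (RULE_TAG, RULE_MISS, RULE_HARDCODED):
        print(rule)
        print("  member:", is_member(rule, SAMPLE_INSTANCE_GET),
              "unmet:", unmet_conditions(rule, SAMPLE_INSTANCE_GET),
              "hardcoded ids:", hardcoded_instance_ids(rule))
```

To use it against a real instance, pipe the output of oci compute instance get into json.loads and paste the rule from the dynamic group's details; a True result here still only predicts membership, so finish with a real call from the instance (the oci os ns get check above) before depending on the policy.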

Built by VeilStrat (AI signals for GTM teams)
© 2026 VeilStrat. All rights reserved.