Automated AI Resource Provisioning with OCI Identity Policies

Question

Pulumi · Accepted Answer

To provision AI resources within Oracle Cloud Infrastructure (OCI) and manage access using Identity Policies, you would typically need to define a policy that grants necessary permissions to the AI resources such as OCI Data Science and AI services. In this context, an OCI Identity Policy is a document that specifies who can access which resources in OCI and what actions they can perform on those resources.

In the following Pulumi program, we will create an Identity Policy in OCI that could be used to grant access to AI services. This Identity Policy could, for example, grant users of an OCI Group the ability to manage AI models, data science projects, and related resources.

This program will include these main steps:

Define the necessary permissions in a policy statement.
Create an Identity Policy with the policy statement.
Attach the policy to a compartment and a group of users.

Before running the program, make sure that you have the appropriate permissions and that you have set up the OCI provider with Pulumi, by configuring your OCI credentials.

Here is the Pulumi program written in Python:

import pulumi
import pulumi_oci as oci

# Replace the following variables with appropriate values for your environment
compartment_id = 'ocid1.compartment.oc1..exampleuniqueID'
group_id = 'ocid1.group.oc1..exampleuniqueID'  # Group to which this policy will apply

# Define the policy statements
# These are examples and should be changed to match your AI services and access requirements
# Refer to the OCI documentation for specific service action keywords
policy_statements = [
    "Allow group {group_name} to manage ai-family in compartment {compartment_name}",
    "Allow group {group_name} to inspect data-science-family in compartment {compartment_name}"
]

# Substitute your compartment and group names in the policy
formatted_statements = [s.format(group_name=group_id, compartment_name=compartment_id) for s in policy_statements]

# Create the Identity Policy
identity_policy = oci.IdentityPolicy("ai-resource-policy",
    compartment_id=compartment_id,
    name="AIPolicy",  # The name of the policy
    description="Policy that grants access to AI services",
    statements=formatted_statements
)

# Output the policy's OCID for reference
pulumi.export('policy_ocid', identity_policy.id)

In this program, replace the compartment_id and group_id with the OCID (Oracle Cloud Identifier) of your own OCI compartment and user group. These values can be found in the OCI console or obtained via the OCI CLI or APIs.

The policy_statements list is where you define the access rules. These rules use the form Allow group <group-name> to <verb> <resource-type> in compartment <compartment-name>. Replace the verbs and resource types with those relevant to your AI services in OCI, based on the specific operations you want to allow your group to perform.

After running this Pulumi program, a new Identity Policy will be created that attaches the specific permissions to your resources for AI within the OCI compartment. You can then use these permissions to manage and interact with AI services securely in Oracle Cloud Infrastructure.

in compartment `. Replace the verbs and resource types with those relevant to your AI services in OCI, based on the specific operations you want to allow your group to perform. After running this Pulumi program, a new Identity Policy will be created that attaches the specific permissions to your resources for AI within the OCI compartment. You can then use these permissions to manage and interact with AI services securely in Oracle Cloud Infrastructure.