Oracle Functions and Oracle Cloud Infrastructure Object Storage | Exam 1Z0-1043-20

How to Implement Resource Principals for Oracle Functions and Object Storage

Question

You are developing a serverless application with Oracle Functions and Oracle Cloud Infrastructure Object Storage.

Your function needs to read a JSON file object from an Object Storage bucket named "input-bucket" in compartment "qa-compartment".

Your corporate security standards mandate the use of Resource Principals for this use case.

Which two statements are needed to implement this use case? (Choose two.)

Answers

AC.

Explanations

To implement this use case, two statements are needed:

A. Set up a policy with the following statement to grant read access to the bucket: allow dynamic-group read-file-dg to read objects in compartment qa-compartment where target.bucket.name= "input-bucket"

This statement allows the dynamic group named "read-file-dg" to read objects in the "input-bucket" bucket located in the "qa-compartment" compartment. A dynamic group is a set of policies that are evaluated based on the defined rules. In this case, the rule is not explicitly defined, but it is assumed that the dynamic group includes the function's Resource Principal.

B. Set up the following dynamic group for your function's OCID: Name: read-file-dg Rule: resource.id = "ocid1.fnfunc.oc1.phx.aaaaaaaakeaobctakezjz5i4ujj7g25q7sx5mvr55pms6f4da"

This statement sets up a dynamic group named "read-file-dg" for the function's OCID. The dynamic group's rule specifies that the resource ID must match the OCID of the function. By setting up this dynamic group, the function's Resource Principal is granted access to the "input-bucket" bucket.

Therefore, options A and B are the correct answers.

Option C is incorrect because it grants read access to all functions in the compartment, which is not necessary and violates the principle of least privilege.

Option D is incorrect because it grants read access to a specific user account, which is also not necessary and violates the principle of least privilege.

Option E is incorrect because it is not true that every function has read access to Object Storage buckets by default. Access to resources is granted through policies and authorization mechanisms.
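The following is an added example, not part of the original question or explanation. It puts the two pieces the question asks for into code: the dynamic group rule for the function OCID quoted in option B, the bucket-scoped policy statement from option A, and a small reviewer that flags statements which are broader than this use case needs (a compartment-wide grant, a user or group principal instead of the function's Resource Principal, or a verb stronger than read), which is the least-privilege reasoning used to reject options C and D. It closes with the function code that actually reads the JSON object through the Resource Principal. Assumptions: the `oci` SDK and `fdk` are available in the Fn Python runtime image, the object name arrives in the request body, and every OCID, bucket and compartment value is taken from the question text.

```python
"""
Added example (not from the original page): Resource Principal wiring for an
Oracle Function that reads one JSON object from Object Storage.
Assumptions: `oci` and `fdk` exist in the function runtime; the object name
is passed in the request body; all names/OCIDs are those in the question.
"""
import io
import json
import re
from typing import Optional

# Values taken from the question text and option B.
FUNCTION_OCID = "ocid1.fnfunc.oc1.phx.aaaaaaaakeaobctakezjz5i4ujj7g25q7sx5mvr55pms6f4da"
DYNAMIC_GROUP = "read-file-dg"
COMPARTMENT = "qa-compartment"
BUCKET = "input-bucket"


def dynamic_group_rule(function_ocid: str) -> str:
    """Matching rule for a dynamic group that contains exactly one function."""
    return f"resource.id = '{function_ocid}'"


def bucket_read_policy(dynamic_group: str, compartment: str, bucket: str) -> str:
    """Least-privilege policy: read objects in one named bucket only.
    OCI policy conditions quote string values with single quotes."""
    return (
        f"allow dynamic-group {dynamic_group} to read objects "
        f"in compartment {compartment} where target.bucket.name = '{bucket}'"
    )


# Loose grammar for the policy statements on this page; enough to classify them.
_POLICY_RE = re.compile(
    r"^allow\s+(?P<subject_type>dynamic-group|group|any-user)"
    r"(?:\s+(?P<subject>[\w.\-/]+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)"
    r"\s+in\s+(?P<scope_type>compartment|tenancy)(?:\s+(?P<scope>[\w.\-/:]+))?"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


def review_policy(statement: str) -> str:
    """Classify a statement against the use case: the function's Resource
    Principal (a dynamic group) may read one bucket and nothing more."""
    m = _POLICY_RE.match(statement.strip())
    if not m:
        return "unparsed"
    if m["subject_type"].lower() != "dynamic-group":
        return "user-principal"          # a user/group, not the function itself
    condition = (m["condition"] or "").replace(" ", "").lower()
    if "target.bucket.name=" not in condition:
        return "compartment-wide"        # every bucket in the compartment
    if m["verb"].lower() != "read":
        return "over-privileged-verb"    # use/manage where read suffices
    return "ok"


def read_json_object(object_name: str, namespace: Optional[str] = None) -> dict:
    """Runs inside the function: authenticate as the function's Resource
    Principal (no stored credentials) and fetch and decode one JSON object."""
    import oci  # assumption: OCI Python SDK is present in the function image

    signer = oci.auth.signers.get_resource_principals_signer()
    client = oci.object_storage.ObjectStorageClient(config={}, signer=signer)
    ns = namespace or client.get_namespace().data
    resp = client.get_object(ns, BUCKET, object_name)
    return json.loads(resp.data.content)


def handler(ctx, data: Optional[io.BytesIO] = None):
    """Fn entry point (assumed fdk runtime); request body: {"object": "x.json"}."""
    from fdk import response  # assumption: fdk ships with the Fn Python runtime

    body = json.loads(data.getvalue() or b"{}") if data else {}
    payload = read_json_object(body.get("object", "input.json"))
    return response.Response(
        ctx,
        response_data=json.dumps(payload),
        headers={"Content-Type": "application/json"},
    )
```

`review_policy` is deliberately strict about the subject type: only a dynamic group can carry the function's Resource Principal, so a statement naming a group or user is flagged even when it is correctly scoped to the bucket. The SDK calls in `read_json_object` only succeed when the function runs inside OCI with the dynamic group and policy in place; outside that environment `get_resource_principals_signer()` has no token to read and raises.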