This section walks through creating a dedicated IAM user in your OCI tenancy that you will later use to configure cluster details in your installed SWIFT. The same credentials can also be used later to discover an Oracle Cloud Infrastructure Container Registry (OCIR) instance or to add OCI Object Storage to your SWIFT. The user is placed in its own group, and a policy attached to that group grants only the permissions SWIFT needs. 


1. Log in to the OCI console. Open the ‘Identity & Security’ menu from the top-left navigation menu and select the ‘Groups’ option. We will create a Group, then a Policy, and finally a User.   

2. Press the ‘Create Group’ option.  

3. In the new ‘Create Group’ wizard, set an appropriate name and description. In this example we name the group ‘RackWare-SWIFT’.

4. Once the group is created, we are ready for the next step of creating a Policy.  

5. From the Identity menu, select the ‘Policies’ submenu. Select the compartment where your OKE clusters or OCIR registries are located, then press the ‘Create Policy’ button.  

6. In the ‘Create Policy’ wizard, give the policy a name and description, then enable the ‘Show manual editor’ slider. A textbox appears in which you can enter the policy rules listed below.  

7. Enter the rules below in the policy editor textbox. The first three groups of rules are mandatory; the remaining groups are optional and depend on the SWIFT use-cases you need, so add only the optional groups you will actually use. Replace ‘{group name}’ with the group created earlier (‘RackWare-SWIFT’ in this example) and ‘{compartment name}’ with the name of the compartment where your OKE clusters are located. A statement that appears in more than one group only needs to be entered once. Note that two of the dynamic provisioning rules (‘manage compartments in tenancy’ and ‘inspect instance-family in tenancy’) are tenancy-wide rather than scoped to the compartment.



Instance access control rules - Mandatory  


Allow group {group name} to manage instance-family in compartment {compartment name}  

Allow group {group name} to read app-catalog-listing in compartment {compartment name}

Allow group {group name} to use volume-family in compartment {compartment name} 

Allow group {group name} to use virtual-network-family in compartment {compartment name}  


Storage access control for snapshots rules - Mandatory  


Allow group {group name} to manage volume-family in compartment {compartment name}  

Allow group {group name} to use instance-family in compartment {compartment name}  



Sync to/from OKE cluster rules – Mandatory  


Allow group {group name} to read all-artifacts in compartment {compartment name} 

Allow group {group name} to manage cluster in compartment {compartment name} 

Allow group {group name} to manage instance-family in compartment {compartment name} 

Allow group {group name} to manage volume-family in compartment {compartment name} 

Allow group {group name} to use virtual-network-family in compartment {compartment name}      

Allow group {group name} to manage objects in compartment {compartment name} 

Allow group {group name} to inspect instance-family in compartment {compartment name}  



Backup to Object storage control rules – Only needed if you are planning to backup to OCI Object Storage with SWIFT  


Allow group {group name} to manage volume-family in compartment {compartment name} 

Allow group {group name} to manage buckets in compartment {compartment name}  

Allow group {group name} to manage objects in compartment {compartment name}      

Allow group {group name} to manage virtual-network-family in compartment {compartment name}  



OKE Dynamic cluster provisioning support rules – Only needed if you are planning to dynamically provision DR OKE clusters with SWIFT  


Allow group {group name} to manage compartments in tenancy  

Allow group {group name} to manage vcns in compartment {compartment name}      

Allow group {group name} to manage subnets in compartment {compartment name} 

Allow group {group name} to use vnics in compartment {compartment name} 

Allow group {group name} to use private-ips in compartment {compartment name} 

Allow group {group name} to manage public-ips in compartment {compartment name} 

Allow group {group name} to use cluster-node-pools in compartment {compartment name} 

Allow group {group name} to inspect instance-family in tenancy  

Allow group {group name} to manage cluster-family in compartment {compartment name} 



Oracle Cloud Infrastructure Container Registry (OCIR) sync rules – Only needed if you are planning to sync to/from OCIR with SWIFT. These are the same four statements as the Object Storage backup group above; if you already entered that group, nothing further is needed here.  


Allow group {group name} to manage volume-family in compartment {compartment name} 

Allow group {group name} to manage buckets in compartment {compartment name}  

Allow group {group name} to manage objects in compartment {compartment name} 

Allow group {group name} to manage virtual-network-family in compartment {compartment name}  



8. Once you have entered the required rules, create the policy. 
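The rule groups above are easy to mis-copy by hand, and the same statement appears in several groups. The script below is an added example (not RackWare's or Oracle's own tooling) that renders the statements from step 7 with the placeholders filled in, drops the duplicates, and prints them as the JSON array that `oci iam policy create --statements` accepts, so the policy can be created from the CLI instead of the manual editor. The feature names `objectstorage`, `ocir` and `dynamic-oke` are this script's own, and `GROUP`/`COMPARTMENT` stand in for the placeholders used in the text.

```shell
#!/bin/sh
# Added example, not RackWare's or Oracle's own tooling: render the policy
# statements from step 7 with the placeholders filled in, drop statements that
# repeat across rule groups, and emit them in the JSON-array form that
# `oci iam policy create --statements` takes. GROUP / COMPARTMENT are the
# placeholders; the feature names are this script's own.
set -eu

# Mandatory groups (instance access, snapshot storage, OKE sync), as listed.
mandatory_rules() {
    cat <<'EOF'
Allow group GROUP to manage instance-family in compartment COMPARTMENT
Allow group GROUP to read app-catalog-listing in compartment COMPARTMENT
Allow group GROUP to use volume-family in compartment COMPARTMENT
Allow group GROUP to use virtual-network-family in compartment COMPARTMENT
Allow group GROUP to manage volume-family in compartment COMPARTMENT
Allow group GROUP to use instance-family in compartment COMPARTMENT
Allow group GROUP to read all-artifacts in compartment COMPARTMENT
Allow group GROUP to manage cluster in compartment COMPARTMENT
Allow group GROUP to manage objects in compartment COMPARTMENT
Allow group GROUP to inspect instance-family in compartment COMPARTMENT
EOF
}

# Optional: backup to OCI Object Storage. The OCIR sync group in step 7 lists
# exactly the same four statements, so it is served by this function too.
object_storage_rules() {
    cat <<'EOF'
Allow group GROUP to manage volume-family in compartment COMPARTMENT
Allow group GROUP to manage buckets in compartment COMPARTMENT
Allow group GROUP to manage objects in compartment COMPARTMENT
Allow group GROUP to manage virtual-network-family in compartment COMPARTMENT
EOF
}

# Optional: dynamic DR OKE cluster provisioning. Two statements here are
# tenancy-wide and are not limited to COMPARTMENT.
dynamic_oke_rules() {
    cat <<'EOF'
Allow group GROUP to manage compartments in tenancy
Allow group GROUP to manage vcns in compartment COMPARTMENT
Allow group GROUP to manage subnets in compartment COMPARTMENT
Allow group GROUP to use vnics in compartment COMPARTMENT
Allow group GROUP to use private-ips in compartment COMPARTMENT
Allow group GROUP to manage public-ips in compartment COMPARTMENT
Allow group GROUP to use cluster-node-pools in compartment COMPARTMENT
Allow group GROUP to inspect instance-family in tenancy
Allow group GROUP to manage cluster-family in compartment COMPARTMENT
EOF
}

# render_policy GROUP COMPARTMENT [objectstorage] [ocir] [dynamic-oke]
# Prints one statement per line with placeholders substituted and duplicates
# removed (first occurrence kept). Unknown feature names are rejected.
render_policy() {
    group="$1"; compartment="$2"; shift 2
    for f in "$@"; do
        case "$f" in
            objectstorage|ocir|dynamic-oke) ;;
            *) echo "unknown feature: $f" >&2; return 1 ;;
        esac
    done
    {
        mandatory_rules
        for f in "$@"; do
            case "$f" in
                objectstorage|ocir) object_storage_rules ;;
                dynamic-oke)        dynamic_oke_rules ;;
            esac
        done
    } | sed -e "s|GROUP|$group|g" -e "s|COMPARTMENT|$compartment|g" \
      | awk '!seen[$0]++'
}

# Convert the statement lines on stdin to the JSON array the CLI expects.
to_statements_json() {
    awk 'BEGIN { printf "[" }
         { printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }
         END { printf "]\n" }'
}

# Stand-alone use: sh policy.sh RackWare-SWIFT my-compartment objectstorage
if [ $# -ge 2 ]; then
    render_policy "$@" | to_statements_json
fi
```

Feed the printed array to `oci iam policy create --compartment-id <compartment OCID> --name RackWare-SWIFT --description '...' --statements '<array>'`. Keeping the weaker verbs the text lists next to their stronger counterparts (for example `use volume-family` beside `manage volume-family`) is harmless in OCI, since `manage` already includes `use`, but dropping the duplicates keeps the policy readable at review time.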

9. Let’s now create a User and add it to the Group created earlier, to which the new policy now applies.   


From the Identity menu, select the Users submenu.  


10. Select the ‘Create User’ option. In the user creation wizard, set a name and description for the user. We use ‘RackWare-SWIFT’ as the name in this example.  


11. Once the user is created, select the ‘Add User to Group’ option from the Groups tab.  

12. Add it to the ‘RackWare-SWIFT’ group created earlier in the flow, to which the new policy is applied. A user with no group membership has no permissions in OCI, so this group membership is what gives the user access, and that access is limited to exactly what the policy grants.  

13. Once the user is added to the group, you will see the new group listed in the Groups tab.  


14. Now, let’s generate an API key for the user. You will use it later with SWIFT for OKE cluster discovery, OCIR syncs, adding OCI Object Storage to SWIFT, or configuring OKE dynamic provisioning in SWIFT.   


Click on the ‘API Keys’ tab under user configuration page.  

15. Select the ‘Add API Key’ button. In the new key wizard, you can either upload your own public key or let OCI generate a key pair for you. If you let OCI generate the pair, make sure to download both the private and the public key now: the private key cannot be downloaded again later. Store the private key securely, since anyone holding it can act as this user with every permission the policy grants.  


16. Note the generated key's fingerprint too, as you will later need it for various OKE/OCIR specific configurations in SWIFT, including OKE/OCIR cluster discovery.  



17. That’s it! You can now use the generated API key and fingerprint, along with other details such as the compartment OCID and user OCID, with SWIFT to discover an OKE cluster or sync OCIR registries under the OCI account. The API key is a credential for this user, so it carries exactly the access that the policy created above grants to the group, and nothing more.
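Steps 15 to 17 can also be done without letting the console generate the key, which keeps the private key on the host that will use it. The script below is an added example (not RackWare's or Oracle's own tooling) that creates the RSA key pair locally with `openssl`, computes the fingerprint OCI displays after you upload the public key (MD5 of the DER-encoded public key, colon separated), and writes a profile in the format the OCI CLI and SDKs read. The profile name `swift`, the output paths and the OCID/region values you pass in are placeholders.

```shell
#!/bin/sh
# Added example, not RackWare's or Oracle's own tooling: create the API
# signing key pair locally instead of letting the console generate it, compute
# the fingerprint the console will display after upload, and write a profile
# in the format the OCI CLI and SDKs read. The profile name "swift" and the
# OCID/region values passed in are placeholders.
set -eu

# Create a 2048-bit RSA pair in $1. OCI API keys must be RSA in PEM format.
# Only oci_api_key_public.pem is uploaded in step 15; the private key stays here.
gen_oci_api_key() {
    dir="$1"
    mkdir -p "$dir"
    ( umask 077 && openssl genrsa -out "$dir/oci_api_key.pem" 2048 2>/dev/null )
    openssl rsa -in "$dir/oci_api_key.pem" -pubout \
        -out "$dir/oci_api_key_public.pem" 2>/dev/null
    chmod 600 "$dir/oci_api_key.pem"          # private key: owner read/write only
}

# Fingerprint of a public key PEM: MD5 over the DER-encoded public key,
# printed as 16 colon-separated hex bytes (the form shown in step 16).
oci_key_fingerprint() {
    openssl rsa -pubin -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl md5 -c | awk '{ print $NF }'
}

# Same value derived from the private key; use it to confirm that the key you
# uploaded and the one SWIFT will sign with really are the same pair.
oci_key_fingerprint_from_private() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl md5 -c | awk '{ print $NF }'
}

# write_oci_profile FILE USER_OCID TENANCY_OCID REGION KEY_FILE FINGERPRINT
write_oci_profile() {
    cat > "$1" <<EOF
[swift]
user=$2
fingerprint=$6
tenancy=$3
region=$4
key_file=$5
EOF
    chmod 600 "$1"                             # names the private key path
}

# Stand-alone use: sh apikey.sh ./keys <user OCID> <tenancy OCID> <region>
if [ $# -eq 4 ]; then
    gen_oci_api_key "$1"
    fp=$(oci_key_fingerprint "$1/oci_api_key_public.pem")
    write_oci_profile "$1/config" "$2" "$3" "$4" "$1/oci_api_key.pem" "$fp"
    echo "fingerprint: $fp"
fi
```

Upload `oci_api_key_public.pem` in step 15 and compare the fingerprint the console shows with the one the script printed; a mismatch means the wrong key was uploaded. The user OCID comes from the user page created in step 10 and the tenancy OCID from the tenancy details page.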