Oracle Cloud Infrastructure 2022 Architect Professional — Question 28
You are developing a Serverless function for your company's IoT project. This function should access Oracle Cloud Infrastructure (OCI) Object Storage to store some files. You choose Oracle Functions to deploy this function on OCI. However, your security team doesn't allow you to carry any API Token or RSA Key to authenticate the function against the OCI API to access the Object Storage.
What should you do to get this function to access OCI Object Storage without carrying any static authentication files?
Answer options
- A. There is no way that you can access the OCI resources from a running function.
- B. Set up a Dynamic Group using the format below:
    All {resource.type = 'fnfunc', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa23________smwa'}
  Create a policy using the format below to give access to OCI Object Storage:
    allow dynamic-group acme-func-dyn-grp to manage objects in compartment acme-storage-compartment where all {target.bucket.name = 'acme-functions-bucket'}
  Include a call to a 'resource principal provider' in your function code as below:
    signer = oci.auth.signers.get_resource_principals_signer()
- C. Add these two policy statements for your compartment to give your function automatic access to all other OCI resources:
    Allow group to manage fn-app in compartment
    Allow group to manage fn-function in compartment
- D. Add these two policy statements for your compartment and then include a call to a 'resource principal provider' in your function code:
    Allow group acme-functions-developers to inspect repos in tenancy
    Allow group acme-functions-developers to manage repos in tenancy where all {target.repo.name = /acme-web-app*/}
Correct answer: B
Explanation
Option B is correct because it describes the complete mechanism for credential-free access: a Dynamic Group whose matching rule selects function resources (resource.type = 'fnfunc') in the given compartment, a policy that grants that dynamic group access to objects in the target bucket, and a resource principal signer in the function code, so the function authenticates with a short-lived identity that OCI issues to it at runtime rather than with an API key or token packaged in the deployment. Option A is incorrect because resource principals exist precisely so that running functions can call OCI APIs. Options C and D grant permissions to a user group on function and repository resources; they do not give the running function itself any access to Object Storage, and so do not meet the requirement of dynamic access without static authentication files.