steampipe plugin install oci

Table: oci_identity_policy - Query OCI Identity Policies using SQL

An OCI Identity Policy is a document of one or more statements that specify which principals (groups, dynamic groups, services) can access which Oracle Cloud Infrastructure resources in your tenancy, and what kind of access they get. Policies are the authorization mechanism of Oracle Cloud Infrastructure's Identity and Access Management (IAM) service: access is denied unless a policy statement allows it, so the set of statements across your policies is the effective permission model of the tenancy.

Table Usage Guide

The oci_identity_policy table lists the IAM policies in your Oracle Cloud Infrastructure tenancy, one row per policy, with the policy statements in the statements column and the lifecycle state, compartment, tags and version date alongside. As a security analyst you can use it to inventory policies across compartments, unnest and review the statements they contain, and find grants that are broader than intended.

Examples

Basic info

List every policy with its OCID, lifecycle state and description to get an overview of which policies exist in the tenancy and what each one is for.

select
name,
id,
lifecycle_state,
description
from
oci_identity_policy;

Get a specific policy

Look up a single policy by its OCID when you need to review its configuration or lifecycle state without listing every policy in the tenancy. The id column supports the = operator, so this filter is pushed down to the OCI API rather than applied client-side.

select
name,
id,
lifecycle_state,
description
from
oci_identity_policy
where
id = 'ocid1.policy.oc1..aaaaaaaa6nsa2ia2bkr7bx7olpkjuj42yk3rpalwuwvm7fjc7kz7o5wz5pmq';

List inactive policies

List policies whose lifecycle state is anything other than ACTIVE (the OCI API also reports CREATING, INACTIVE, DELETING and DELETED). Only ACTIVE policies are in force, so the remainder are candidates for cleanup; for a policy in the INACTIVE state, the inactive_status column gives the detailed reason.

select
name,
lifecycle_state
from
oci_identity_policy
where
lifecycle_state <> 'ACTIVE';

List of policy statements

Unnest the statements array so that each policy statement becomes its own row. Reviewing individual statements rather than policy names is how you find grants that are broader than they need to be, for example tenancy-wide manage permissions or statements that apply to any user, and statements that could be narrowed with a where condition.

PostgreSQL:

select
name,
jsonb_array_elements_text(statements) as statement
from
oci_identity_policy;

SQLite:

select
name,
json_each.value as statement
from
oci_identity_policy,
json_each(statements);
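Building on the unnested statements above, the following query (an added example, not one from the Steampipe hub page or the plugin's own documentation) flags the statement patterns a reviewer usually looks at first. It assumes the PostgreSQL-backed Steampipe database and the columns documented in the schema below; the patterns it matches are standard OCI policy language (the manage verb with the all-resources resource type, the any-user and any-group subjects, and the where keyword that introduces a condition). A match is a review item, not proof of a misconfiguration, since a broad subject scoped by a strict where condition can be perfectly legitimate.

```sql
-- Added example: find active policy statements that grant broadly.
-- Assumes the PostgreSQL dialect of Steampipe (jsonb functions, ~* regex,
-- \m and \M word-boundary markers). The patterns are OCI policy language;
-- treat each row as a review finding, not as a confirmed misconfiguration.
select
  p.name as policy_name,
  p.compartment_id,
  p.version_date,
  s.statement,
  case
    when s.statement ~* '\many-(user|group)\M'
      then 'grants to any principal'
    when s.statement ~* '\mmanage\s+all-resources\s+in\s+tenancy\M'
      then 'tenancy-wide manage'
    when s.statement ~* '\mmanage\s+all-resources\M'
      then 'compartment-wide manage'
  end as finding,
  -- A where clause narrows the grant; rows with false here deserve a closer look.
  (s.statement ~* '\mwhere\M') as has_condition
from
  oci_identity_policy as p,
  -- Unnest the statements array; each element becomes one row aliased s.statement.
  jsonb_array_elements_text(p.statements) as s(statement)
where
  -- Only ACTIVE policies are in force, so skip the rest.
  p.lifecycle_state = 'ACTIVE'
  and (
    s.statement ~* '\many-(user|group)\M'
    or s.statement ~* '\mmanage\s+all-resources\M'
  )
order by
  finding,
  policy_name;
```

The version_date column is included because a policy pinned to a past date is evaluated according to service behaviour on that date rather than current behaviour, which is worth knowing when you reason about what a broad statement actually permits today.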

Schema for oci_identity_policy

Name | Type | Operators | Description
---- | ---- | --------- | -----------
_ctx | jsonb |  | Steampipe context in JSON form.
compartment_id | text | = | The OCID of the compartment in the tenant in which the resource is located.
defined_tags | jsonb |  | Defined tags for the resource. Defined tags are set up in your tenancy by an administrator. Only users granted permission to work with the defined tags can apply them to resources.
description | text |  | The description you assign to the policy. Does not have to be unique, and it's changeable.
freeform_tags | jsonb |  | Free-form tags for the resource. These tags can be applied by any user with permissions on the resource.
id | text | = | The OCID of the policy.
inactive_status | bigint |  | The detailed status of an INACTIVE lifecycle_state.
lifecycle_state | text | = | The policy's current state.
name | text | = | The name you assign to the policy during creation. The name must be unique across all policies in the tenancy and cannot be changed.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb |  | Steampipe context in JSON form.
statements | jsonb |  | An array of one or more policy statements written in the policy language.
tags | jsonb |  | A map of tags for the resource.
tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The OCID of the tenant in which the resource is located.
tenant_name | text |  | The name of the tenant in which the resource is located.
time_created | timestamp with time zone |  | Date and time the policy was created.
title | text |  | Title of the resource.
version_date | timestamp with time zone |  | The version of the policy. If null or set to an empty string, when a request comes in for authorization, the policy is evaluated according to the current behavior of the services at that moment. If set to a particular date (YYYY-MM-DD), the policy is evaluated according to the behavior of the services on that date.

Export

This table is also available through a standalone exporter CLI. Steampipe exporters are stand-alone binaries that extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- oci

You can pass the configuration to the command with the --config argument:

steampipe_export_oci --config '<your_config>' oci_identity_policy