
Using OSB Cloud Module with EC2 IAM

Dave Liddell | November 25, 2011

Oracle’s OSB Cloud Module allows you to back up to S3. By default OSB Cloud Module will create buckets using names generated from your EC2 login. For example if your login is, your default buckets would be: oracle-data-myaccount-1 and oracle-log-myaccount-1. If you already have buckets set up that you want to use and need to lock down permissions using EC2’s IAM feature, then you’ll need to do some extra work to change the bucket OSB uses and allow access.

It’s clear that OSB Cloud Module wasn’t created with IAM in mind, possibly due to release dates, but there are several security and administrative reasons you may want to use it in conjunction with IAM. Much of this configuration is undocumented but can be tracked down with a little work.

This article assumes that you already have OSB Cloud Module and RMAN set up and that you are using credentials you created using IAM. If you need to set up OSB Cloud Module some documentation on doing so is available here: If you need to set up OSB Cloud Module on 10g, some information on doing so is available here.

In order to change the bucket and lock down permissions you’ll need to use some undocumented settings. You can find these settings by running strings on the OSB shared object:


We’ll specify our custom bucket name by setting OSB_WS_BUCKET in your osbws*.ora:

    OSB_WS_BUCKET=mybucket

When naming your bucket, you must adhere to the S3 bucket naming policies as the OSB Cloud Module will fail on upper case letters, etc. The S3 bucket naming policies are:

Naming Buckets and Keys

Though buckets can be named with any alpha-numeric character, following some simple naming rules will ensure that you can reference your bucket using the convention

  1. Use 3 to 63 characters.
  2. Use only lower case letters (at least one), numbers, ‘.’ and ‘-’.
  3. Don’t start or end the bucket name with ‘.’ and don’t follow or precede a ‘.’ with a ‘-’.

Keys can be named with any properly encoded UTF-8 character. Literal ‘+’ characters should always be URL encoded.

You can determine what permissions are needed by watching tcpdump and filtering requests to S3 while running the installation and backup commands. Luckily we’ve done that work for you so here’s what you need to get things set up:

Initially, you’ll need some extra permissions to run the installer. After osbws_install.jar is run, you can then remove the permissions for CreateBucket (the first statement) and the statement to access the default buckets (oracle-[data|log]–1). Change “mybucket” and “myaccount” to appropriate identifiers for your setup:

    {
      "Statement": [
        {
          "Sid": "Stmt1319046639298",
          "Action": [ "s3:CreateBucket" ],
          "Effect": "Allow",
          "Resource": [ "*" ]
        }
      ]
    }

    {
      "Statement": [
        {
          "Sid": "Stmt1319047275324",
          "Action": [ "s3:GetObject", "s3:GetObjectVersion" ],
          "Effect": "Allow",
          "Resource": [ "*" ]
        }
      ]
    }

    {
      "Statement": [
        {
          "Action": [ "s3:ListAllMyBuckets" ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::mybucket",
            "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::oracle-log-myaccount-1",
            "arn:aws:s3:::oracle-log-myaccount-1/*",
            "arn:aws:s3:::oracle-data-myaccount-1",
            "arn:aws:s3:::oracle-data-myaccount-1/*",
            "arn:aws:s3:::oracle-sbt-license/*",
            "arn:aws:s3:::oracle-sbt-license"
          ]
        }
      ]
    }

One unexpected permission is the “oracle-sbt-license” bucket. This is not a bucket created by OSB under your account, but instead, a public bucket belonging to Oracle. Curiously, even though it’s a public bucket, the IAM user needs explicit permissions specified for it or access will fail.
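The clean-up step described above (dropping CreateBucket and the default-bucket access once osbws_install.jar has run), as an added example that is not part of the original article: it takes the article's three install-time policies, returns the reduced set, and includes an audit helper to confirm nothing install-only is left. The function names and the regular expression for default bucket names are assumptions made for this example.

```python
import json
import re

# Install-time policies from the article; "mybucket"/"myaccount" are its placeholders.
INSTALL_POLICIES = [
    {"Statement": [{"Sid": "Stmt1319046639298", "Action": ["s3:CreateBucket"],
                    "Effect": "Allow", "Resource": ["*"]}]},
    {"Statement": [{"Sid": "Stmt1319047275324", "Effect": "Allow", "Resource": ["*"],
                    "Action": ["s3:GetObject", "s3:GetObjectVersion"]}]},
    {"Statement": [
        {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow", "Resource": "arn:aws:s3:::*"},
        {"Action": "s3:*", "Effect": "Allow", "Resource": [
            "arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::oracle-log-myaccount-1", "arn:aws:s3:::oracle-log-myaccount-1/*",
            "arn:aws:s3:::oracle-data-myaccount-1", "arn:aws:s3:::oracle-data-myaccount-1/*",
            "arn:aws:s3:::oracle-sbt-license/*", "arn:aws:s3:::oracle-sbt-license"]},
    ]},
]

# Assumption: default buckets always look like oracle-data-<name>-<n> / oracle-log-<name>-<n>.
DEFAULT_BUCKET = re.compile(r"^arn:aws:s3:::oracle-(data|log)-.+-\d+(/\*)?$")

def as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def post_install(policies):
    """Return the policies with the install-only grants removed."""
    kept = []
    for policy in policies:
        statements = []
        for stmt in policy["Statement"]:
            if "s3:CreateBucket" in as_list(stmt["Action"]):
                continue  # only needed while osbws_install.jar runs
            keep = [r for r in as_list(stmt["Resource"]) if not DEFAULT_BUCKET.match(r)]
            if keep:  # drop a statement that only covered default buckets
                statements.append({**stmt, "Resource": keep})
        if statements:
            kept.append({"Statement": statements})
    return kept

def install_only_grants(policies):
    """Audit helper: grants that should be gone once installation is done."""
    stmts = [s for p in policies for s in p["Statement"]]
    return ([a for s in stmts for a in as_list(s["Action"]) if a == "s3:CreateBucket"]
            + [r for s in stmts for r in as_list(s["Resource"]) if DEFAULT_BUCKET.match(r)])

if __name__ == "__main__":
    print(json.dumps(post_install(INSTALL_POLICIES), indent=2))
```

Run against the policy JSON actually attached to the IAM user, `install_only_grants` should return an empty list once the clean-up is done.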
