Select Page

Using OSB Cloud Module with EC2 IAM

Author: Dave Liddell | | November 25, 2011

Oracle’s OSB Cloud Module allows you to backup to S3.  By default OSB Cloud Module will create buckets using generated names from your EC2 login. For example if your login is [email protected], your default buckets would be: oracle-data-myaccount-1 and oracle-log-myaccount-1.  If you already have buckets setup that you want to use and need to lock down permissions using EC2’s IAM feature, then you’ll need to do some extra work to change the bucket OSB uses and allow access. It’s clear that OSB Cloud Module wasn’t created with IAM in mind, possibly due to release dates, but there are several security and administrative reasons you may want to use it in conjunction with IAM.  Much of this configuration is undocumented but can be tracked down with a little work. This article assumes that you already have OSB Cloud Module and RMAN setup and that you are using credentials you created using IAM.  If you need to setup OSB Cloud Module some documentation on doing so is available here: If you need to setup OSB Cloud Module on 10g, some information on doing so is available here. In order to change the bucket and lock down permissions you’ll need to use some undocumented settings.  You can find these settings by running strings on the OSB shared object:


We’ll specify our custom bucket name by setting OSB_WS_BUCKET in your osbws*.ora: OSB_WS_BUCKET=mybucket When naming your bucket, you must adhere to the S3 bucket naming policies as the OSB Cloud Module will fail on upper case letters, etc.  The S3 bucket naming polices are:

Naming Buckets and Keys

Though buckets can be named with any alpha-numeric character, following some simple naming rules will ensure that you can reference your bucket using the convention

  1. Use 3 to 63 characters.
  2. Use only lower case letters (at least one), numbers, ‘.’ and ‘-‘.
  3. Don’t start or end the bucket name with ‘.’ and don’t follow or precede a ‘.’ with a ‘-‘.

Keys can be named with any properly encoded UTF-8 character. Literal ‘+’ characters should always be URL encoded. ( You can determine what permissions are needed by watching tcpdump and filtering requests to S3 while running the installation and backup commands.  Luckily we’ve done that work for you so here’s what you need to get things setup: Initially, you’ll need some extra permissions to run the installer. After osbws_install.jar is run, you can then remove the permissions for CreateBucket (the first statement) and the statement to access the default buckets (oracle-[data|log]–1). Change “mybucket” and “myaccount” to appropriate identifiers for your setup:

{ “Statement”: [ { “Sid”: “Stmt1319046639298”, “Action”: [ “s3:CreateBucket” ], “Effect”: “Allow”, “Resource”: [ “*” ] } ] } { “Statement”: [ { “Sid”: “Stmt1319047275324”, “Action”: [ “s3:GetObject”, “s3:GetObjectVersion” ], “Effect”: “Allow”, “Resource”: [ “*” ] } ] } { “Statement”: [ { “Action”: [ “s3:ListAllMyBuckets” ], “Effect”: “Allow”, “Resource”: “arn:aws:s3:::*” }, { “Action”: “s3:*”, “Effect”: “Allow”, “Resource”: [“arn:aws:s3:::mybucket”, “arn:aws:s3:::mybucket/*”, “arn:aws:s3:::oracle-log-myaccount-1”, “arn:aws:s3:::oracle-log-myaccount-1/*”, “arn:aws:s3:::oracle-data-myaccount-1”, “arn:aws:s3:::oracle-data-myaccount-1/*”, “arn:aws:s3:::oracle-sbt-license/*”, “arn:aws:s3:::oracle-sbt-license”] } ] }

One unexpected permission is the “oracle-sbt-license” bucket. This is not a bucket created by OSB under your account, but instead, a public bucket belonging to Oracle. Curiously, even though it’s a public bucket, the IAM user needs explicit permissions specified for it or access will fail.

How to Solve the Oracle Error ORA-12154: TNS:could not resolve the connect identifier specified

The “ORA-12154: TNS Oracle error message is very common for database administrators. Learn how to diagnose & resolve this common issue here today.

Vijay Muthu | February 4, 2021

Data Types: The Importance of Choosing the Correct Data Type

Most DBAs have struggled with the pros and cons of choosing one data type over another. This blog post discusses different situations.

Craig Mullins | October 11, 2017

How to Recover a Table from an Oracle 12c RMAN Backup

Our database experts explain how to recover and restore a table from an Oracle 12c RMAN Backup with this step-by-step blog. Read more.

Megan Elphingstone | February 2, 2017

Subscribe to Our Blog

Never miss a post! Stay up to date with the latest database, application and analytics tips and news. Delivered in a handy bi-weekly update straight to your inbox. You can unsubscribe at any time.

Work with Us

Let’s have a conversation about what you need to succeed and how we can help get you there.


Work for Us

Where do you want to take your career? Explore exciting opportunities to join our team.