
Using OSB Cloud Module with EC2 IAM

Author: Dave Liddell | November 25, 2011

Oracle’s OSB Cloud Module allows you to back up to S3. By default, OSB Cloud Module will create buckets using names generated from your EC2 login. For example if your login is, your default buckets would be: oracle-data-myaccount-1 and oracle-log-myaccount-1. If you already have buckets set up that you want to use and need to lock down permissions using EC2’s IAM feature, then you’ll need to do some extra work to change the bucket OSB uses and allow access.

It’s clear that OSB Cloud Module wasn’t created with IAM in mind, possibly due to release dates, but there are several security and administrative reasons you may want to use it in conjunction with IAM. Much of this configuration is undocumented but can be tracked down with a little work.

This article assumes that you already have OSB Cloud Module and RMAN set up and that you are using credentials you created using IAM. If you need to set up OSB Cloud Module, some documentation on doing so is available here: If you need to set up OSB Cloud Module on 10g, some information on doing so is available here.

In order to change the bucket and lock down permissions you’ll need to use some undocumented settings. You can find these settings by running strings on the OSB shared object:


We’ll specify our custom bucket name by setting OSB_WS_BUCKET in your osbws*.ora:

    OSB_WS_BUCKET=mybucket

When naming your bucket, you must adhere to the S3 bucket naming policies, as the OSB Cloud Module will fail on upper case letters, etc. The S3 bucket naming policies are:

Naming Buckets and Keys

Though buckets can be named with any alpha-numeric character, following some simple naming rules will ensure that you can reference your bucket using the convention

  1. Use 3 to 63 characters.
  2. Use only lower case letters (at least one), numbers, ‘.’ and ‘-’.
  3. Don’t start or end the bucket name with ‘.’ and don’t follow or precede a ‘.’ with a ‘-’.

Keys can be named with any properly encoded UTF-8 character. Literal ‘+’ characters should always be URL encoded.

You can determine what permissions are needed by watching tcpdump and filtering requests to S3 while running the installation and backup commands. Luckily we’ve done that work for you, so here’s what you need to get things set up:

Initially, you’ll need some extra permissions to run the installer. After osbws_install.jar is run, you can then remove the permissions for CreateBucket (the first statement) and the statement to access the default buckets (oracle-[data|log]–1). Change “mybucket” and “myaccount” to appropriate identifiers for your setup:

    {
      "Statement": [
        {
          "Sid": "Stmt1319046639298",
          "Action": [ "s3:CreateBucket" ],
          "Effect": "Allow",
          "Resource": [ "*" ]
        }
      ]
    }

    {
      "Statement": [
        {
          "Sid": "Stmt1319047275324",
          "Action": [ "s3:GetObject", "s3:GetObjectVersion" ],
          "Effect": "Allow",
          "Resource": [ "*" ]
        }
      ]
    }

    {
      "Statement": [
        {
          "Action": [ "s3:ListAllMyBuckets" ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::mybucket",
            "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::oracle-log-myaccount-1",
            "arn:aws:s3:::oracle-log-myaccount-1/*",
            "arn:aws:s3:::oracle-data-myaccount-1",
            "arn:aws:s3:::oracle-data-myaccount-1/*",
            "arn:aws:s3:::oracle-sbt-license/*",
            "arn:aws:s3:::oracle-sbt-license"
          ]
        }
      ]
    }

One unexpected permission is the “oracle-sbt-license” bucket. This is not a bucket created by OSB under your account, but instead, a public bucket belonging to Oracle. Curiously, even though it’s a public bucket, the IAM user needs explicit permissions specified for it or access will fail.
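The post-install clean-up described above, as an added example that is not part of the original article or of Oracle’s tooling: this Python code takes a constructed copy of the three install-time policies, drops s3:CreateBucket and the default oracle-data/oracle-log bucket ARNs, and lists the actions that still apply to every bucket so they can be reviewed. The function names post_install and wildcard_grants are hypothetical; “mybucket” and “myaccount” are the article’s placeholders.

```python
import json
import re

# Constructed copy of the article's install-time policies
# ("mybucket" and "myaccount" are the article's placeholders).
INSTALL_POLICIES = [
    {"Statement": [{"Sid": "Stmt1319046639298", "Action": ["s3:CreateBucket"],
                    "Effect": "Allow", "Resource": ["*"]}]},
    {"Statement": [{"Sid": "Stmt1319047275324", "Effect": "Allow",
                    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                    "Resource": ["*"]}]},
    {"Statement": [
        {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow",
         "Resource": "arn:aws:s3:::*"},
        {"Action": "s3:*", "Effect": "Allow", "Resource": [
            "arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::oracle-log-myaccount-1", "arn:aws:s3:::oracle-log-myaccount-1/*",
            "arn:aws:s3:::oracle-data-myaccount-1", "arn:aws:s3:::oracle-data-myaccount-1/*",
            "arn:aws:s3:::oracle-sbt-license/*", "arn:aws:s3:::oracle-sbt-license"]},
    ]},
]

def as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def post_install(policies, account):
    """Drop s3:CreateBucket and the default oracle-data/log bucket ARNs."""
    default = re.compile(rf"arn:aws:s3:::oracle-(data|log)-{re.escape(account)}-1(/\*)?")
    tightened = []
    for policy in policies:
        statements = []
        for stmt in policy["Statement"]:
            actions = [a for a in as_list(stmt["Action"]) if a != "s3:CreateBucket"]
            resources = [r for r in as_list(stmt["Resource"]) if not default.fullmatch(r)]
            if actions and resources:  # a statement left with nothing is dropped
                statements.append({**stmt, "Action": actions, "Resource": resources})
        if statements:
            tightened.append({"Statement": statements})
    return tightened

def wildcard_grants(policies):
    """Actions still allowed on every bucket, listed for review."""
    return sorted({a for p in policies for s in p["Statement"]
                   if set(as_list(s["Resource"])) & {"*", "arn:aws:s3:::*"}
                   for a in as_list(s["Action"])})

if __name__ == "__main__":
    print(json.dumps(post_install(INSTALL_POLICIES, "myaccount"), indent=2))
```

The oracle-sbt-license resources are left in place, since the article notes that access fails without them.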
