From eff9d2e444746f2d9f8626f151f4101076c68ea2 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 16:12:27 +0530 Subject: [PATCH 01/23] PBM-1728-OCI-with-WIA --- mkdocs-base.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mkdocs-base.yml b/mkdocs-base.yml index 0774a511..249947ab 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -237,6 +237,7 @@ nav: - Storage: - Remote backup storage overview: details/storage-configuration.md - AWS S3 storage: details/s3-storage.md + - details/oci-workload-identity-auth.md - details/minio.md - details/gcs.md - Workload Identity authentication: details/workload-identity-auth.md From 9e9ab9c77aee3c42510c3994c967a658035fbc5e Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 16:40:40 +0530 Subject: [PATCH 02/23] Create oci-workload-identity-auth.md --- docs/details/oci-workload-identity-auth.md | 98 ++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 docs/details/oci-workload-identity-auth.md diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md new file mode 100644 index 00000000..b84eb3fc --- /dev/null +++ b/docs/details/oci-workload-identity-auth.md 
@@ -0,0 +1,98 @@ +# Oracle Cloud Storage using Workload Identity authentication + +Workload Identity Federation (WIF) lets workloads authenticate to OCI resources using federated identities rather than static credentials. This eliminates the need to create, rotate, and distribute API keys or service account key files. + +Percona Backup for MongoDB (PBM) supports two WIF authentication types for OCI Object Storage, in addition to the default `userPrincipal`: + +| Auth type | When to use| +|---|---| +| `instancePrincipal` | PBM is running on a virtual machine inside OCI | +| `okeWorkloadIdentity` | PBM is running inside an OKE enhanced cluster | + +## instancePrincipal + +Use this auth type when PBM is running directly on an OCI Compute instance. The instance itself acts as the principal — no credentials file is required. + +### Before you begin + +You need: + +- The [Oracle Cloud Identifier (OCID):octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/identifiers.htm#Oracle){:target="_blank"} of the OCI Compute instance running PBM +- The name of the OCI bucket PBM will use for backups +- A home region, tenancy OCID, and compartment name with sufficient IAM privileges to create dynamic groups and policies + +### Prococedure + +Follow these steps to set up OCI using **instancePrincipal:** + +1. **Create a dynamic group for the instance** + + OCI IAM policies cannot target individual instances directly. You must first add the instance to a dynamic group, then write a policy against that group. + + ```sh + oci iam dynamic-group create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name "$INSTANCE_DYNAMIC_GROUP_NAME" \ + --description "PBM VM instance principal" \ + --matching-rule "ANY {instance.id = '$INSTANCE_OCID'}" + ``` + + Replace the following: + + | Variable | Description | + |---|---| + | `HOME_REGION` | Your tenancy's home region (e.g. 
`us-ashburn-1`) | + | `TENANCY_OCID` | OCID of your OCI tenancy | + | `INSTANCE_DYNAMIC_GROUP_NAME` | A name for the dynamic group (e.g. `pbm-vm-group`) | + | `INSTANCE_OCID` | OCID of the Compute instance running PBM | + +2. **Create an IAM policy for the dynamic group** + + Grant the dynamic group permission to manage objects in the target bucket: + + ```sh + export INSTANCE_POLICY_STATEMENT="Allow dynamic-group $INSTANCE_DYNAMIC_GROUP_NAME \ + to manage objects in compartment $COMPARTMENT_NAME \ + where target.bucket.name = '$BUCKET_NAME'" + + oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name "$INSTANCE_POLICY_NAME" \ + --description "Allow PBM VM instance principal to access $BUCKET_NAME" \ + --statements "[\"$INSTANCE_POLICY_STATEMENT\"]" + ``` + + Replace the following additional variables: + + | Variable | Description | + |---|---| + | `COMPARTMENT_NAME` | Name of the compartment containing the bucket | + | `BUCKET_NAME` | Name of the OCI Object Storage bucket | + | `INSTANCE_POLICY_NAME` | A name for the policy (e.g. `pbm-vm-policy`) | + +3. **Configure PBM to use instancePrincipal** + + In your PBM configuration, set the storage type to `oci` and the credentials type to `instancePrincipal`. No key file or passphrase is needed. + + ```yaml + storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: instancePrincipal + ``` + +## okeWorkloadIdentity + +Use this auth type when PBM is running as a workload inside an OKE enhanced cluster. The Kubernetes service account token is exchanged for OCI credentials automatically by the OKE Workload Identity service. + +!!! note + Your OKE cluster must be an **enhanced cluster** with Workload Identity enabled. Basic clusters do not support this feature. + +For setup instructions, see [Configure PBM on OKE with Workload Identity](oci-oke-workload-identity.md). \ No newline at end of file 
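Review bot: In step 2 of the new page, the policy statement grants `manage objects` on the bucket, which covers overwriting and deleting existing backups as well as writing new ones, and the page does not say so. Because the page states that the instance itself acts as the principal, that permission is held by the whole Compute instance rather than by PBM alone. Suggest adding a sentence after the `oci iam policy create` command that explains why `manage` is required and recommends a bucket dedicated to PBM, so that the `where target.bucket.name = '$BUCKET_NAME'` condition really bounds what the instance can touch. A smaller point in step 3: the YAML leaves `region:`, `namespace:`, `bucket:` and `prefix:` empty, with no placeholder values or variable table like the ones steps 1 and 2 provide.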
From 4e4abdd02394f6496ebcdfadf7a75c3800ef4e1d Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 16:44:48 +0530 Subject: [PATCH 03/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index b84eb3fc..1034254a 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -21,7 +21,7 @@ You need: - The name of the OCI bucket PBM will use for backups - A home region, tenancy OCID, and compartment name with sufficient IAM privileges to create dynamic groups and policies -### Prococedure +### Procedure Follow these steps to set up OCI using **instancePrincipal:** From 4a70cc7ff153c091cadc0eb28a56f6bb64b9809b Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 16:45:03 +0530 Subject: [PATCH 04/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 1034254a..6d2d3114 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -78,14 +78,14 @@ Follow these steps to set up OCI using **instancePrincipal:** ```yaml storage: - type: oci - oci: + type: oci + oci: region: namespace: bucket: prefix: credentials: - type: instancePrincipal + type: instancePrincipal ``` ## okeWorkloadIdentity From 2bf90e49778464a7aaece4fb1a3964ecb9e4ba13 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 11:18:39 +0000 Subject: [PATCH 05/23] Fix broken OKE workload identity docs link --- .cache/plugin/git-committers/page-authors.json | 1 + docs/details/oci-workload-identity-auth.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 .cache/plugin/git-committers/page-authors.json diff --git a/.cache/plugin/git-committers/page-authors.json b/.cache/plugin/git-committers/page-authors.json new file mode 100644 index 00000000..881780d0 --- /dev/null +++ b/.cache/plugin/git-committers/page-authors.json 
@@ -0,0 +1 @@ +{"cache_date": "2026-06-10", "page_authors": {"docs/index.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/404.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/CODE_OF_CONDUCT.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/about-docs.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/copyright.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/get-help.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/installation.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/intro.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/pmm.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/system-requirements.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/trademark-policy.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/architecture.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/authentication.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/azure.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/cli.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/control-collections.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/deployments.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/endpoint-map.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/filesystem-storage.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/gcs.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/minio.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/oci-workload-identity-auth.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/oss.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/pbm-agent.md": {"last_commit_date": "2026-06-10", "authors": []}, 
"docs/details/s3-storage.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/storage-configuration.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/versions.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/workload-identity-auth.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/backup-sharding.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/backup-types.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/comparison.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/incremental-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/known-limitations.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/logical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/multi-storage.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/physical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/point-in-time-recovery.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/restore-new-env.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/restore-remapping.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/selective-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/snapshots.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/split-merge-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/backup-storage.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/configure-authentication.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/docker.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/initial-setup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/repos.md": {"last_commit_date": "2026-06-10", "authors": []}, 
"docs/install/secure-credentials-systemd.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/source.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/start-pbm-agent.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/tarball.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/automate-s3-access.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/change-nodes.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/configure-remotely.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/logpath.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/overview.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/start-agent-with-config.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/uninstalling.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/upgrading.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/backup-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/config.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/configuration-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/glossary.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/logging-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/pbm-agent-config-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/pbm-commands.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/pitr-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/restore-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/0.5.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.0.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.1.0.md": 
{"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.1.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.1.3.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.2.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.2.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.2.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.3.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.4.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.4.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.4.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.5.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.6.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.6.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.7.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.8.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.8.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.2.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.3.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.4.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.5.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.1.0.md": {"last_commit_date": 
"2026-06-10", "authors": []}, "docs/release-notes/2.10.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.11.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.12.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.13.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.14.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.2.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.2.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.3.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.3.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.4.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.4.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.5.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.6.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.7.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.8.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.9.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.9.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/index.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/faq.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/pbm-pmm.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/pbm-report.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/restore-partial.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/status.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/troubleshooting.md": {"last_commit_date": 
"2026-06-10", "authors": []}, "docs/usage/backup-external.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/backup-incremental.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/backup-physical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/backup-priority.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/backup-selective.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/cancel-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/compression.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/delete-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/describe-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/list-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/logs.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/oplog-replay.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/pitr-physical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/pitr-selective.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/pitr-tutorial.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-external-agent-restart.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-external.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-incremental.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-physical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-progress.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-selective.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/schedule-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/start-backup.md": 
{"last_commit_date": "2026-06-10", "authors": []}}} \ No newline at end of file diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 6d2d3114..151969ff 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -95,4 +95,4 @@ Use this auth type when PBM is running as a workload inside an OKE enhanced clus !!! note Your OKE cluster must be an **enhanced cluster** with Workload Identity enabled. Basic clusters do not support this feature. -For setup instructions, see [Configure PBM on OKE with Workload Identity](oci-oke-workload-identity.md). \ No newline at end of file +For setup instructions, see [Configure OKE Workload Identity for workloads:octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm){:target="_blank"}. \ No newline at end of file From 79774713bf02ffa7163965022f3dedc6b37c6d44 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 16:48:43 +0530 Subject: [PATCH 06/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 151969ff..a58ba2f9 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md 
@@ -17,7 +17,7 @@ Use this auth type when PBM is running directly on an OCI Compute instance. The You need: -- The [Oracle Cloud Identifier (OCID):octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/identifiers.htm#Oracle){:target="_blank"} of the OCI Compute instance running PBM +- The [Oracle Cloud Identifier (OCID) :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/identifiers.htm#Oracle){:target="_blank"} of the OCI Compute instance running PBM - The name of the OCI bucket PBM will use for backups - A home region, tenancy OCID, and compartment name with sufficient IAM privileges to create dynamic groups and policies From 5ee6f0832acb9d01a02db066bdb69fad7a2ea1f1 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 16:52:27 +0530 Subject: [PATCH 07/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- mkdocs-base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs-base.yml b/mkdocs-base.yml index 249947ab..c8dad618 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -237,7 +237,7 @@ nav: - Storage: - Remote backup storage overview: details/storage-configuration.md - AWS S3 storage: details/s3-storage.md - - details/oci-workload-identity-auth.md + - OCI Object Storage (Workload Identity): details/oci-workload-identity-auth.md - details/minio.md - details/gcs.md - Workload Identity authentication: details/workload-identity-auth.md From ec4b29e3d6f81758eb461bb8d8d76a58d9b15ef3 Mon Sep 17 00:00:00 2001 
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 16:52:40 +0530 Subject: [PATCH 08/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index a58ba2f9..ff14f2e3 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -4,7 +4,7 @@ Workload Identity Federation (WIF) lets workloads authenticate to OCI resources Percona Backup for MongoDB (PBM) supports two WIF authentication types for OCI Object Storage, in addition to the default `userPrincipal`: -| Auth type | When to use| +| Auth type | When to use | |---|---| | `instancePrincipal` | PBM is running on a virtual machine inside OCI | | `okeWorkloadIdentity` | PBM is running inside an OKE enhanced cluster | From ab65a50e4e56c58f548a874692eff2b9084682d7 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 16:52:50 +0530 Subject: [PATCH 09/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index ff14f2e3..23affa8e 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md 
@@ -95,4 +95,4 @@ Use this auth type when PBM is running as a workload inside an OKE enhanced clus !!! note Your OKE cluster must be an **enhanced cluster** with Workload Identity enabled. Basic clusters do not support this feature. -For setup instructions, see [Configure OKE Workload Identity for workloads:octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm){:target="_blank"}. \ No newline at end of file +For setup instructions, see [Configure OKE Workload Identity for workloads :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm){:target="_blank"}. \ No newline at end of file From 024fb3421106ad6e17de38ba2be1c47e24ffe599 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 11:25:31 +0000 Subject: [PATCH 10/23] Remove generated git-committers cache file and ignore .cache --- .cache/plugin/git-committers/page-authors.json | 1 - .gitignore | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 .cache/plugin/git-committers/page-authors.json diff --git a/.cache/plugin/git-committers/page-authors.json b/.cache/plugin/git-committers/page-authors.json deleted file mode 100644 index 881780d0..00000000 --- a/.cache/plugin/git-committers/page-authors.json +++ /dev/null 
@@ -1 +0,0 @@ -{"cache_date": "2026-06-10", "page_authors": {"docs/index.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/404.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/CODE_OF_CONDUCT.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/about-docs.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/copyright.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/get-help.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/installation.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/intro.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/pmm.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/system-requirements.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/trademark-policy.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/architecture.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/authentication.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/azure.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/cli.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/control-collections.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/deployments.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/endpoint-map.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/filesystem-storage.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/gcs.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/minio.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/oci-workload-identity-auth.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/oss.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/pbm-agent.md": {"last_commit_date": "2026-06-10", "authors": []}, 
"docs/details/s3-storage.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/storage-configuration.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/versions.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/details/workload-identity-auth.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/backup-sharding.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/backup-types.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/comparison.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/incremental-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/known-limitations.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/logical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/multi-storage.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/physical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/point-in-time-recovery.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/restore-new-env.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/restore-remapping.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/selective-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/snapshots.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/features/split-merge-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/backup-storage.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/configure-authentication.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/docker.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/initial-setup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/repos.md": {"last_commit_date": "2026-06-10", "authors": []}, 
"docs/install/secure-credentials-systemd.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/source.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/start-pbm-agent.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/install/tarball.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/automate-s3-access.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/change-nodes.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/configure-remotely.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/logpath.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/overview.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/start-agent-with-config.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/uninstalling.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/manage/upgrading.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/backup-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/config.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/configuration-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/glossary.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/logging-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/pbm-agent-config-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/pbm-commands.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/pitr-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/reference/restore-options.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/0.5.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.0.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.1.0.md": 
{"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.1.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.1.3.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.2.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.2.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.2.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.3.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.3.4.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.4.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.4.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.5.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.6.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.6.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.7.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.8.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/1.8.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.2.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.3.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.4.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.0.5.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.1.0.md": {"last_commit_date": 
"2026-06-10", "authors": []}, "docs/release-notes/2.10.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.11.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.12.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.13.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.14.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.2.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.2.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.3.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.3.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.4.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.4.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.5.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.6.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.7.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.8.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.9.0.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/release-notes/2.9.1.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/index.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/faq.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/pbm-pmm.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/pbm-report.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/restore-partial.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/status.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/troubleshoot/troubleshooting.md": {"last_commit_date": 
"2026-06-10", "authors": []}, "docs/usage/backup-external.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/backup-incremental.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/backup-physical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/backup-priority.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/backup-selective.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/cancel-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/compression.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/delete-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/describe-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/list-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/logs.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/oplog-replay.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/pitr-physical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/pitr-selective.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/pitr-tutorial.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-external-agent-restart.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-external.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-incremental.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-physical.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-progress.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore-selective.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/restore.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/schedule-backup.md": {"last_commit_date": "2026-06-10", "authors": []}, "docs/usage/start-backup.md": 
{"last_commit_date": "2026-06-10", "authors": []}}} \ No newline at end of file diff --git a/.gitignore b/.gitignore index 4da6fc20..a0962e49 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,7 @@ venv/ # Local Netlify folder .netlify site +.cache/ styles/ From 67da25ac4fbcb3e6209c2c3372fc772dbb4310cc Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 17:47:56 +0530 Subject: [PATCH 11/23] Update oci-workload-identity-auth.md --- docs/details/oci-workload-identity-auth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 23affa8e..0ab027e4 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -1,6 +1,6 @@ -# Oracle Cloud Storage using Workload Identity authentication +# Oracle Cloud Storage with Workload Identity Authentication -Workload Identity Federation (WIF) lets workloads authenticate to OCI resources using federated identities rather than static credentials. This eliminates the need to create, rotate, and distribute API keys or service account key files. +Percona Backup for MongoDB (PBM) supports Workload Identity Federation (WIF) for authentication to Oracle Cloud Infrastructure (OCI) Object Storage. With WIF, PBM can access OCI resources without storing or managing API keys, reducing operational overhead and improving security. Percona Backup for MongoDB (PBM) supports two WIF authentication types for OCI Object Storage, in addition to the default `userPrincipal`: From e4e85486ae326a080d2cb83845c4779b1571de7e Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 18:02:59 +0530 Subject: [PATCH 12/23] Update oci-workload-identity-auth.md --- docs/details/oci-workload-identity-auth.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 0ab027e4..7a9d3d95 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -11,7 +11,7 @@ Percona Backup for MongoDB (PBM) supports two WIF authentication types for OCI O ## instancePrincipal -Use this auth type when PBM is running directly on an OCI Compute instance. The instance itself acts as the principal — no credentials file is required. +Choose instancePrincipal when PBM runs directly on an OCI Compute instance. PBM automatically obtains OCI credentials from the instance, eliminating the need for credential files or API keys. ### Before you begin @@ -38,7 +38,7 @@ Follow these steps to set up OCI using **instancePrincipal:** --matching-rule "ANY {instance.id = '$INSTANCE_OCID'}" ``` - Replace the following: + Replace the following variables: | Variable | Description | |---|---| @@ -47,7 +47,7 @@ Follow these steps to set up OCI using **instancePrincipal:** | `INSTANCE_DYNAMIC_GROUP_NAME` | A name for the dynamic group (e.g. `pbm-vm-group`) | | `INSTANCE_OCID` | OCID of the Compute instance running PBM | -2. **Create an IAM policy for the dynamic group** +2. **Create an IAM policy** Grant the dynamic group permission to manage objects in the target bucket: @@ -72,7 +72,7 @@ Follow these steps to set up OCI using **instancePrincipal:** | `BUCKET_NAME` | Name of the OCI Object Storage bucket | | `INSTANCE_POLICY_NAME` | A name for the policy (e.g. `pbm-vm-policy`) | -3. **Configure PBM to use instancePrincipal** +3. **Configure PBM to authentication** In your PBM configuration, set the storage type to `oci` and the credentials type to `instancePrincipal`. No key file or passphrase is needed. 
@@ -90,7 +90,7 @@ Follow these steps to set up OCI using **instancePrincipal:** ## okeWorkloadIdentity -Use this auth type when PBM is running as a workload inside an OKE enhanced cluster. The Kubernetes service account token is exchanged for OCI credentials automatically by the OKE Workload Identity service. +Choose `okeWorkloadIdentity` when PBM runs as a workload in an Oracle Kubernetes Engine (OKE) enhanced cluster. The Kubernetes service account token is exchanged for OCI credentials automatically by the OKE Workload Identity service. !!! note Your OKE cluster must be an **enhanced cluster** with Workload Identity enabled. Basic clusters do not support this feature. From ec0514b49afedc56cdc5e168cc453fee8a452163 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 20:14:10 +0530 Subject: [PATCH 13/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 7a9d3d95..70db0c09 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md 
@@ -95,4 +95,16 @@ Choose `okeWorkloadIdentity` when PBM runs as a workload in an Oracle Kubernetes !!! note Your OKE cluster must be an **enhanced cluster** with Workload Identity enabled. Basic clusters do not support this feature. +In your PBM configuration, set the storage type to `oci` and the credentials type to `okeWorkloadIdentity`: + + storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: okeWorkloadIdentity + For setup instructions, see [Configure OKE Workload Identity for workloads :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm){:target="_blank"}. \ No newline at end of file From 19ca476798f31675f57aa337eb4728d862ed9952 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 20:14:39 +0530 Subject: [PATCH 14/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 70db0c09..b904321a 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -11,7 +11,7 @@ Percona Backup for MongoDB (PBM) supports two WIF authentication types for OCI O ## instancePrincipal -Choose instancePrincipal when PBM runs directly on an OCI Compute instance. PBM automatically obtains OCI credentials from the instance, eliminating the need for credential files or API keys. +Choose `instancePrincipal` when PBM runs directly on an OCI Compute instance. PBM automatically obtains OCI credentials from the instance, eliminating the need for credential files or API keys. ### Before you begin From 2a3bc65666f1ba0c231714f6a121b782e53cf240 Mon Sep 17 00:00:00 2001 
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 20:14:57 +0530 Subject: [PATCH 15/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index b904321a..f7d2b47d 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -23,7 +23,7 @@ You need: ### Procedure -Follow these steps to set up OCI using **instancePrincipal:** +Follow these steps to set up OCI using **`instancePrincipal`:** 1. **Create a dynamic group for the instance** From 98918bd35afb76297e1e8c8fea58eb2b165ed175 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 20:15:16 +0530 Subject: [PATCH 16/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index f7d2b47d..385f1bf8 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -72,7 +72,7 @@ Follow these steps to set up OCI using **`instancePrincipal`:** | `BUCKET_NAME` | Name of the OCI Object Storage bucket | | `INSTANCE_POLICY_NAME` | A name for the policy (e.g. `pbm-vm-policy`) | -3. **Configure PBM to authentication** +3. **Configure PBM authentication** In your PBM configuration, set the storage type to `oci` and the credentials type to `instancePrincipal`. No key file or passphrase is needed. From fc1439f1c08d80d492f19ecc6e0815c7a1aef1a3 Mon Sep 17 00:00:00 2001 
From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 20:18:10 +0530 Subject: [PATCH 17/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 385f1bf8..5fb83bcc 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -1,4 +1,4 @@ -# Oracle Cloud Storage with Workload Identity Authentication +# Oracle Cloud Infrastructure (OCI) Object Storage with Workload Identity Authentication Percona Backup for MongoDB (PBM) supports Workload Identity Federation (WIF) for authentication to Oracle Cloud Infrastructure (OCI) Object Storage. With WIF, PBM can access OCI resources without storing or managing API keys, reducing operational overhead and improving security. From fc035aa4f89db4ffab8205741ca8cea72d403067 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 20:18:39 +0530 Subject: [PATCH 18/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 5fb83bcc..4e5a153f 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md 
@@ -97,14 +97,15 @@ Choose `okeWorkloadIdentity` when PBM runs as a workload in an Oracle Kubernetes In your PBM configuration, set the storage type to `oci` and the credentials type to `okeWorkloadIdentity`: - storage: - type: oci - oci: - region: - namespace: - bucket: - prefix: - credentials: - type: okeWorkloadIdentity - +~~~yaml +storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: okeWorkloadIdentity +~~~ For setup instructions, see [Configure OKE Workload Identity for workloads :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm){:target="_blank"}. \ No newline at end of file From c2132a2d400befd6e35d8255c82549cd7871cb81 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 14:53:30 +0000 Subject: [PATCH 19/23] Add OCI storage docs to configuration reference and setup matrix --- docs/install/backup-storage.md | 14 +++++++ docs/reference/configuration-options.md | 51 ++++++++++++++++++++++++- 2 files changed, 64 insertions(+), 1 deletion(-) diff --git a/docs/install/backup-storage.md b/docs/install/backup-storage.md index 56b10c0f..e6702c61 100644 --- a/docs/install/backup-storage.md +++ b/docs/install/backup-storage.md @@ -81,6 +81,20 @@ Percona Backup for MongoDB needs its own dedicated S3 bucket exclusively for bac key: ``` + === ":material-database: OCI Object Storage" + + ```yaml + storage: + type: oci + oci: + region: us-ashburn-1 + namespace: your-namespace + bucket: your-bucket-name + prefix: data/pbm/backup + credentials: + type: instancePrincipal + ``` + === "Alibaba Cloud Storage" ```yaml diff --git a/docs/reference/configuration-options.md b/docs/reference/configuration-options.md index 7a18330c..375ea3e3 100644 --- a/docs/reference/configuration-options.md +++ b/docs/reference/configuration-options.md @@ -7,7 +7,7 @@ *Type*: string
*Required*: YES -Remote backup storage type. Supported values: `s3`, `minio`, `gcs`, `filesystem`, `azure`. +Remote backup storage type. Supported values: `s3`, `minio`, `gcs`, `filesystem`, `azure`, `oci`. ## AWS S3 storage options @@ -679,6 +679,55 @@ The minimum time to wait before the next retry, specified as a `time.Duration`. The maximum time to wait before the next retry, specified as a `time.Duration`. Units like ms, s, etc., are supported. Defaults to nanoseconds if no unit is provided. +## OCI Object Storage options + +```yaml +storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: userPrincipal +``` + +### storage.oci.region + +*Type*: string
+*Required*: YES + +The region where your OCI Object Storage bucket is located. + +### storage.oci.namespace + +*Type*: string
+*Required*: YES + +The Object Storage namespace for your tenancy. + +### storage.oci.bucket + +*Type*: string
+*Required*: YES + +The name of the OCI Object Storage bucket. + +### storage.oci.prefix + +*Type*: string
+*Required*: NO + +The path prefix inside the bucket where PBM stores backup data. + +### storage.oci.credentials.type + +*Type*: string
+*Required*: YES + +The OCI authentication type. Supported values: `userPrincipal`, `instancePrincipal`, `okeWorkloadIdentity`. + ## Alibaba Cloud OSS storage options ```yaml From 703e0f6b9d86e1742d502091500ae08189a995c3 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Wed, 10 Jun 2026 20:29:48 +0530 Subject: [PATCH 20/23] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/details/oci-workload-identity-auth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 4e5a153f..9b9aa2a8 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -1,8 +1,8 @@ # Oracle Cloud Infrastructure (OCI) Object Storage with Workload Identity Authentication -Percona Backup for MongoDB (PBM) supports Workload Identity Federation (WIF) for authentication to Oracle Cloud Infrastructure (OCI) Object Storage. With WIF, PBM can access OCI resources without storing or managing API keys, reducing operational overhead and improving security. +Percona Backup for MongoDB (PBM) supports Workload Identity authentication for Oracle Cloud Infrastructure (OCI) Object Storage. With Workload Identity, PBM can access OCI resources without storing or managing API keys, reducing operational overhead and improving security. -Percona Backup for MongoDB (PBM) supports two WIF authentication types for OCI Object Storage, in addition to the default `userPrincipal`: +Percona Backup for MongoDB (PBM) supports two Workload Identity authentication types for OCI Object Storage, in addition to the default `userPrincipal`: | Auth type | When to use | |---|---| From e602e38f0e6b19b9ebdd480b9a288a59a2aa752b Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 10 Jun 2026 15:04:06 +0000 Subject: [PATCH 21/23] Use backtick YAML fence in OCI workload identity doc --- docs/details/oci-workload-identity-auth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 9b9aa2a8..d9e207ca 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -97,7 +97,7 @@ Choose `okeWorkloadIdentity` when PBM runs as a workload in an Oracle Kubernetes In your PBM configuration, set the storage type to `oci` and the credentials type to `okeWorkloadIdentity`: -~~~yaml +```yaml storage: type: oci oci: @@ -107,5 +107,5 @@ storage: prefix: credentials: type: okeWorkloadIdentity -~~~ +``` For setup instructions, see [Configure OKE Workload Identity for workloads :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm){:target="_blank"}. \ No newline at end of file From e1409ab5efe729d227bbfdd08cbeef97fdf88c2a Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:32:11 +0530 Subject: [PATCH 22/23] Update oci-workload-identity-auth.md --- docs/details/oci-workload-identity-auth.md | 64 +++++++++++++++++++++- 1 file changed, 62 insertions(+), 2 deletions(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index d9e207ca..15be0467 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md 
@@ -6,8 +6,68 @@ Percona Backup for MongoDB (PBM) supports two Workload Identity authentication t | Auth type | When to use | |---|---| -| `instancePrincipal` | PBM is running on a virtual machine inside OCI | -| `okeWorkloadIdentity` | PBM is running inside an OKE enhanced cluster | +|`userPrincipal`|PBM is running anywhere — on-premises, on other clouds, or on OCI| +| `instancePrincipal`| PBM is running on a virtual machine inside OCI | +| `okeWorkloadIdentity`| PBM is running inside an OKE enhanced cluster| + +## userPrincipal + +Choose `userPrincipal` when PBM runs outside OCI, or when you want a single authentication approach that works in any environment. PBM authenticates using an OCI user account and an API signing key. + +### Before you begin + +You need: + +- An OCI user account with access to the target bucket +- An [API signing key pair :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm){:target="_blank"} (private key file and its fingerprint) +- The [Oracle Cloud Identifier (OCID) :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/identifiers.htm#Oracle){:target="_blank"} of the user and tenancy +- The name of the OCI bucket PBM will use for backups + +### Procedure + +1. Create an IAM policy + Grant the user permission to manage objects in the target bucket: + ```sh + oci iam policy create \ + --region "$HOME_REGION" \ + --compartment-id "$TENANCY_OCID" \ + --name "$USER_POLICY_NAME" \ + --description "Allow PBM user to access $BUCKET_NAME" \ + --statements "[\"Allow group $USER_GROUP_NAME to manage objects in compartment $COMPARTMENT_NAME where target.bucket.name = '$BUCKET_NAME'\"]" + ``` + +Replace the following variables: + +| Variable | Description | +|---|---| +| `HOME_REGION` | Your tenancy's home region (e.g. `us-ashburn-1`) | +| `TENANCY_OCID` | OCID of your OCI tenancy | +| `USER_POLICY_NAME` | A name for the policy (e.g. 
`pbm-user-policy`) | +| `USER_GROUP_NAME` | The IAM group the PBM user belongs to | +| `COMPARTMENT_NAME` | Name of the compartment containing the bucket | +| `BUCKET_NAME` | Name of the OCI Object Storage bucket | + +2. Configure PBM authentication + + In your PBM configuration, set the storage type to `oci` and the credentials type to `userPrincipal`. Provide the path to the private key file and its passphrase if one was set during key generation. + + ```yaml + storage: + type: oci + oci: + region: + namespace: + bucket: + prefix: + credentials: + type: userPrincipal + userPrincipal: + tenancy: + user: + fingerprint: + key: + passphrase: + ``` ## instancePrincipal From 694d98e50360959984e6cec336de2ea8770d549d Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Fri, 12 Jun 2026 14:51:52 +0530 Subject: [PATCH 23/23] Update oci-workload-identity-auth.md --- docs/details/oci-workload-identity-auth.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/details/oci-workload-identity-auth.md b/docs/details/oci-workload-identity-auth.md index 15be0467..7bd6b835 100644 --- a/docs/details/oci-workload-identity-auth.md +++ b/docs/details/oci-workload-identity-auth.md @@ -78,8 +78,7 @@ Choose `instancePrincipal` when PBM runs directly on an OCI Compute instance. PB You need: - The [Oracle Cloud Identifier (OCID) :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/identifiers.htm#Oracle){:target="_blank"} of the OCI Compute instance running PBM -- The name of the OCI bucket PBM will use for backups -- A home region, tenancy OCID, and compartment name with sufficient IAM privileges to create dynamic groups and policies +- The name of the OCI bucket PBM will use for backups. ### Procedure
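Review bot: In the `.gitignore` hunk just before PATCH 11/23, adding `.cache/` only keeps new files from being tracked; the JSON blob of per-page `last_commit_date` entries that appears in the diff immediately before it looks like generated cache output. If that file is being added anywhere in this series, drop it from the commit (for example with `git rm --cached`) instead of shipping it next to the ignore rule.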
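Review bot: In the `okeWorkloadIdentity` hunk of `docs/details/oci-workload-identity-auth.md` (PATCH 18/23, carried unchanged into PATCH 21/23), the empty line that separated the YAML sample from "For setup instructions, see ..." was deleted, so the closing fence is now followed directly by the paragraph. Restore a blank line after the closing fence, and end the file with a newline, since the hunk still reports `\ No newline at end of file`.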
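Review bot: The new `## OCI Object Storage options` section in `docs/reference/configuration-options.md` (PATCH 19/23) has no entries for the `storage.oci.credentials.userPrincipal` keys, even though its own sample sets `type: userPrincipal` and PATCH 22/23 shows that type taking `tenancy`, `user`, `fingerprint`, `key` and `passphrase`. Add a reference entry for each of those keys. `storage.oci.credentials.type` is also marked `*Required*: YES` here while `oci-workload-identity-auth.md` calls `userPrincipal` the default; one of the two should change so readers know whether the key can be omitted.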
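Review bot: In PATCH 22/23 the context line above the table still reads "supports two Workload Identity authentication types ... in addition to the default `userPrincipal`", but the table now lists three rows including `userPrincipal`, and the new `## userPrincipal` section authenticates with a static API signing key on a page whose intro promises access "without storing or managing API keys". Reword the lead-in and intro so they separate the key-based type from the two keyless ones. In the new Procedure, "Replace the following variables:" and its table start at column 0, which ends the ordered list before "2. Configure PBM authentication"; indent them under step 1 and bold the step titles, as the `instancePrincipal` steps do. Because `passphrase:` sits in the same config block as the `key:` path, the step should also say how that configuration file is expected to be protected.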
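Review bot: PATCH 23/23 removes the prerequisite "A home region, tenancy OCID, and compartment name with sufficient IAM privileges to create dynamic groups and policies" from the `instancePrincipal` "Before you begin" list, yet the steps that follow still create a dynamic group and a policy and pass `$HOME_REGION` and `$TENANCY_OCID`. Keep the bullet, or state those requirements where the commands are introduced. The period added to "The name of the OCI bucket PBM will use for backups." is also inconsistent with the other bullets in the list, which have no trailing punctuation.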