Object Storage backup fails for Autonomous Database with 'AccessDenied' error

We’re experiencing backup failures for our Autonomous Database when trying to write to Object Storage. The error message shows ‘AccessDenied’ and backups have been failing for the past 48 hours, which is creating compliance issues.

Our setup uses a dedicated object storage bucket with a dynamic group for the ADB instance. The bucket policy was recently updated to restrict public access, and that’s when the backups started failing. We’ve verified the bucket exists and the ADB service can reach it, but the permission issue persists.

Has anyone encountered this specific issue with OCI bucket policies and Autonomous Database backup integration? I’m particularly concerned about the dynamic group permissions and whether the policy syntax needs special consideration for automated backups.

The ‘use object-family’ permission is too broad and might not work correctly with bucket-level policies. For ADB backups specifically, you need to grant ‘manage objects’ permission to the dynamic group at the bucket level. Also, make sure your policy is in the correct compartment - it should be where either the bucket or the dynamic group resides.

Thanks for the quick response. I checked the dynamic group and it does include our ADB instance with the correct matching rule. However, I’m not entirely sure about the bucket policy syntax. We have a policy that allows the dynamic group to use object-family, but maybe that’s not specific enough for backup operations?

I’ve seen this before. The issue is usually that the bucket policy doesn’t explicitly allow the dynamic group to perform object writes. When you restricted public access, did you add a statement that allows your ADB’s dynamic group?

Check if your dynamic group includes the ADB instance using a matching rule like: `ALL {resource.type='autonomousdatabase', resource.compartment.id='your-compartment-ocid'}`. Then verify the bucket policy has a statement allowing that dynamic group to manage objects. The AccessDenied error specifically points to missing permissions at the bucket level.
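The check suggested in the replies above can be run over a policy's statements before it is applied. This is an added example, not code from any poster in the thread or from Oracle: it uses a simplified parse of OCI policy statements, follows the thread's advice that `manage` on objects is the required level, and the group, compartment and bucket names are constructed placeholders.

```python
import re

# OCI policy verbs are cumulative, from least to most privileged.
VERBS = ["inspect", "read", "use", "manage"]
# Resource types that cover objects stored in a bucket.
OBJECT_TYPES = {"objects", "object-family", "all-resources"}

# Simplified grammar (assumption): one dynamic group, one verb, one resource
# type, an optional "where" clause. Scope (compartment) is not evaluated.
STMT = re.compile(
    r"allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<rtype>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
BUCKET_COND = re.compile(r"target\.bucket\.name\s*=\s*'([^']+)'", re.IGNORECASE)


def grants_backup_write(statements, group, bucket, min_verb="manage"):
    """Return the statements giving `group` at least `min_verb` on objects in `bucket`."""
    hits = []
    for raw in statements:
        m = STMT.match(raw.strip())
        if not m or m["group"].lower() != group.lower():
            continue
        verb, rtype = m["verb"].lower(), m["rtype"].lower()
        if verb not in VERBS or rtype not in OBJECT_TYPES:
            continue
        if VERBS.index(verb) < VERBS.index(min_verb):
            continue  # e.g. "use object-family", the case discussed in the thread
        if m["cond"]:
            # Only bucket-name conditions are understood; any other condition
            # is treated as not matching rather than guessed at.
            if bucket not in BUCKET_COND.findall(m["cond"]):
                continue
        hits.append(raw)
    return hits


# Constructed sample policies (placeholder names, not from the thread).
BEFORE = ["Allow dynamic-group adb-backup-dg to use object-family in compartment backups"]
AFTER = BEFORE + [
    "Allow dynamic-group adb-backup-dg to manage objects in compartment backups "
    "where target.bucket.name='adb-backups'"
]

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        ok = grants_backup_write(policy, "adb-backup-dg", "adb-backups")
        print(label, "->", "write allowed" if ok else "no manage-level grant on bucket")
```

An empty result for the dynamic group and bucket named in the failing backup configuration points to the missing statement the replies describe.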