Adding Key Permissions
To use an OCI Generative AI API key, grant permission through tenancy-level or compartment-level IAM policies.
These policies use any-user as the subject to allow access for any authenticated principal in the tenancy (including users, instance principals, and resource principals), but the WHERE clause restricts it to requests where the principal type is generativeaiapikey (matching the API key). With this policy the Generative AI service can authenticate and process API calls using the key without broader access.
For finer control, substitute any-user with group <group-name> to limit the policy to members of a specific group (for example, only allowing users in that group to invoke the API with the key).
Customize policies by scope (compartment or tenancy), granularity (any key compared with a specific one), model restrictions, or operation types (for example, chat only). Use the Policy Builder tool for simplicity. Create policies before generating the key if you are authorizing all keys in a compartment or for certain models; create the key first (to obtain its OCID) if you are limiting the policy to a specific key.
Broad Permissions: Authorize Any API Key
With no OCID required, this option is ideal for general access before or after key creation (add this policy before using keys).
- In a Specific Compartment
  allow any-user to use generative-ai-family in compartment <compartment-name> where ALL {request.principal.type='generativeaiapikey'}
- In the Entire Tenancy
  allow any-user to use generative-ai-family in tenancy where ALL {request.principal.type='generativeaiapikey'}
Specific Permissions: Authorize a Single API Key
Generate the key first, retrieve its OCID (starts with ocid1.generativeaiapikey.<region-realm>.<region-name>), then apply the policy. See Getting an API Key's Details for finding the OCID.
- In a Specific Compartment
  allow any-user to use generative-ai-family in compartment <compartment-name> where ALL {request.principal.type='generativeaiapikey', request.principal.id='<your-api-key-OCID>'}
- In the Entire Tenancy
  allow any-user to use generative-ai-family in tenancy where ALL {request.principal.type='generativeaiapikey', request.principal.id='<your-api-key-OCID>'}
Restricted Permissions: Limit to Models or Operations
For added security, narrow access to specific models or endpoints (find model IDs in model cards or endpoint IDs in endpoint details; for example, xai.grok-4 for xAI Grok 4. See Supported Models). Use generative-ai-family for full access or generative-ai-chat to restrict to chat endpoints only (excluding embed, rerank, model updates, or AI clusters). See Getting Access to Generative AI.
- Any Key in a Compartment for Specific Models or Endpoints (Full Read and Update Access)
  allow any-user to use generative-ai-family in compartment <compartment-name> where ALL {request.principal.type='generativeaiapikey', target.model.id in('<model-1>', '<model-2>')}
- Any Key in a Compartment for Specific Models or Endpoints (Chat Only)
  allow any-user to use generative-ai-chat in compartment <compartment-name> where ALL {request.principal.type='generativeaiapikey', target.model.id in('<model-1>', '<model-2>')}
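As an added review aid (not part of the OCI documentation or any Oracle tool), the following Python script parses policy statements in the shapes shown on this page and reports how broad each grant is: whether any-user is pinned to the generativeaiapikey principal type, whether a tenancy-wide grant is pinned to one key OCID, and whether the full family is granted without a model restriction. The sample statements are constructed and keep the page's placeholders.

```python
import re

# Constructed sample statements in the shapes this page shows (placeholders kept as-is).
SAMPLE_POLICIES = [
    "allow any-user to use generative-ai-family in tenancy where ALL {request.principal.type='generativeaiapikey'}",
    "allow any-user to use generative-ai-chat in compartment <compartment-name> where ALL "
    "{request.principal.type='generativeaiapikey', target.model.id in('<model-1>', '<model-2>')}",
    "allow any-user to use generative-ai-family in compartment <compartment-name>",  # WHERE clause missing
]

# Matches: allow <subject> to <verb> <resource> in tenancy|compartment <name> [where ALL {...}]
_STMT = re.compile(
    r"^allow\s+(?P<subject>any-user|group\s+\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+ALL\s*\{(?P<conds>.*)\})?\s*$",
    re.IGNORECASE,
)

def parse_policy(stmt):
    """Split one statement into subject, verb, resource, scope and the WHERE conditions it carries."""
    m = _STMT.match(stmt.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    conds = m.group("conds") or ""
    ptype = re.search(r"request\.principal\.type\s*=\s*'([^']*)'", conds)
    pid = re.search(r"request\.principal\.id\s*=\s*'([^']*)'", conds)
    models = re.search(r"target\.model\.id\s+in\s*\(([^)]*)\)", conds)
    return {
        "subject": m.group("subject").lower(),
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "scope": "tenancy" if m.group("scope").lower() == "tenancy" else "compartment",
        "principal_type": ptype.group(1) if ptype else None,
        "principal_id": pid.group(1) if pid else None,
        "models": [x.strip().strip("'") for x in models.group(1).split(",")] if models else [],
    }

def review_policy(stmt):
    """Return least-privilege findings for one statement; an empty list means nothing to flag."""
    p = parse_policy(stmt)
    findings = []
    if p["subject"] == "any-user" and p["principal_type"] != "generativeaiapikey":
        findings.append("any-user is not restricted to request.principal.type='generativeaiapikey'")
    if p["scope"] == "tenancy" and p["principal_id"] is None:
        findings.append("tenancy-wide grant is not pinned to one key OCID")
    if p["resource"] == "generative-ai-family" and not p["models"]:
        findings.append("full generative-ai-family with no target.model.id restriction")
    return findings

if __name__ == "__main__":
    for s in SAMPLE_POLICIES:
        print(s, "->", review_policy(s) or "no findings")
```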
More Help
For IAM policy syntax and best practices, see Writing Policy Statements with the Policy Builder.