

# Resource sharing in Oracle Database@AWS
<a name="resource-sharing"></a>

With Oracle Database@AWS, you can share Exadata infrastructure and your ODB network across multiple AWS accounts in the same AWS organization. This enables you to provision infrastructure once and reuse it across trusted accounts, allowing you to reduce costs while separating responsibilities.

When you share resources:
+ The account that owns the resource (owner account) maintains control over the resource lifecycle.
+ Accounts that receive access to shared resources (trusted accounts) can view and use these resources based on the permissions granted.
+ Trusted accounts can create their own resources on shared infrastructure but cannot delete the underlying shared resources.

## Oracle Database@AWS integration with AWS RAM
<a name="odb-ram"></a>

Oracle Database@AWS uses AWS Resource Access Manager (AWS RAM) to enable secure, controlled sharing of resources across accounts. With AWS RAM, you can securely share your Oracle Database@AWS resources across multiple AWS accounts within the same AWS organization. AWS RAM simplifies resource sharing, reduces operational overhead, and provides security and visibility into shared Oracle Database@AWS resources. 

With AWS RAM, you share resources that you own by creating a *resource share*. A resource share specifies the resources to share, and the AWS accounts with whom to share them.

## Benefits of resource sharing in Oracle Database@AWS
<a name="resource-sharing-benefits"></a>

Sharing Oracle Database@AWS resources across accounts provides the following benefits:
+ **Cost optimization** – Provision expensive Exadata infrastructure once through an administrative account and share it with multiple accounts, reducing overall costs.
+ **Separation of responsibilities** – Maintain clear boundaries between infrastructure administrators and database users while allowing collaboration.
+ **Simplified management** – Centralize infrastructure provisioning and management while enabling distributed database operations.
+ **Consistent governance** – Apply consistent policies and controls across shared resources.

For example, an administrator can provision the Oracle Exadata infrastructure and ODB network in their AWS account and share it with developer accounts. Developers can then create VM clusters on this shared infrastructure without needing to provision their own expensive hardware. This approach significantly reduces costs while maintaining proper separation of responsibilities between accounts.

## How resource sharing works in Oracle Database@AWS
<a name="resource-sharing-how-it-works"></a>

You can share the following Oracle Database@AWS resources:
+ Oracle Exadata infrastructure
+ ODB network

Oracle Database@AWS shares the preceding resources through the following process:

1. The buyer account (the account that accepts the Oracle Database@AWS private offer via AWS Marketplace) provisions Oracle Database@AWS resources, such as Exadata infrastructure and an ODB network.

1. The buyer account creates a resource share using AWS RAM, specifying the resources to share and the trusted accounts to share them with.

1. The resource shares for the trusted accounts within the same organization are accepted automatically.

1. Before using shared resources, trusted accounts must initialize the Oracle Database@AWS service in their account by using the `aws odb initialize-service` command or by choosing **Activate account** in the Oracle Database@AWS console.

1. After initialization, trusted accounts can create their own resources on the shared infrastructure, such as VM clusters on shared Exadata infrastructure and ODB network.

## Permissions on shared resources for trusted accounts
<a name="managed-permissions"></a>

When you share resources, Oracle Database@AWS automatically selects specific actions (managed permissions) for each resource type:

**For Exadata infrastructure**  
Oracle Database@AWS grants the following permissions to trusted accounts:  
+ `odb:CreateCloudVmCluster`
+ `odb:CreateCloudAutonomousVmCluster`
+ `odb:GetCloudExadataInfrastructure`
+ `odb:ListCloudExadataInfrastructures`
+ `odb:GetCloudExadataInfrastructureUnallocatedResources`
+ `odb:ListDbServers`
+ `odb:GetDbServer`
+ `odb:ListCloudVmClusters`
+ `odb:ListCloudAutonomousVmClusters`

**For ODB network**  
The following permissions are granted to trusted accounts:  
+ `odb:CreateCloudVmCluster`
+ `odb:CreateCloudAutonomousVmCluster`
+ `odb:GetOdbNetwork`
+ `odb:ListOdbNetworks`
+ `odb:CreateOdbPeeringConnection`
+ `odb:ListOdbPeeringConnections`

Resource sharing respects the hierarchical nature of Oracle Database@AWS resources. For example, if you share Exadata infrastructure, trusted accounts can create VM clusters on this infrastructure, but they can't modify or delete the Exadata infrastructure itself.

When a resource is unshared, trusted accounts lose the ability to create new resources on the shared infrastructure. However, any resources they've already created remain accessible and functional.

## Limitations for Oracle Database@AWS resource sharing
<a name="resource-sharing-considerations"></a>

Before sharing resources, keep the following limitations in mind.

### Limitations for sharing resources
<a name="limitations-sharing"></a>

When sharing Oracle Database@AWS resources, keep in mind the following limitations:
+ You can share resources only with AWS account IDs.
+ You can share resources only for AWS accounts within the same AWS organization.
+ You share resources within a specific AWS Region. To share resources across Regions, you must create separate resource shares in each Region.
+ When you create a resource share, the actions (managed permissions) for each resource type are automatically selected and can't be modified.
+ You can't use Oracle Database@AWS as a resource and share with other AWS accounts.
+ A trusted account can use shared resources from only one buyer account (from one private offer). Thus, two buyer accounts can't share resources with the same trusted account. 
+ A buyer account can't share resources with another buyer account.
+ Resources shared with a trusted account must be shared by the buyer account in the buyer's [home region](https://docs.oracle.com/en/cloud/foundation/cloud_architecture/governance/regions.html#home-region) first.
+ When you unshare a resource, we recommend that you wait approximately 15 minutes before resharing the same resource with the same trusted account.

### Limitations for creating and using shared resources
<a name="limitations-creating"></a>

When creating or using Oracle Database@AWS resources, keep in mind the following limitations:
+ Only the buyer account can create Exadata infrastructure and ODB network resources. The buyer account is the one that accepts the Oracle Database@AWS private offer.
+ Trusted accounts can create resources only on Exadata infrastructure shared by the buyer account.
+ Trusted accounts must initialize the Oracle Database@AWS service in their account before they can use shared resources.

### Limitations for deleting shared resources
<a name="limitations-deleting"></a>
+ You can't delete Exadata infrastructure that has VM clusters created by trusted accounts until those VM clusters are removed.
+ You can't delete an ODB network that has an ODB peering connection created by a trusted account until the ODB peering connection has been removed.
+ The buyer account can't delete Oracle Database@AWS resources created by trusted accounts.
+ Trusted accounts can view shared resources but can't modify or delete Oracle Database@AWS resources owned by the buyer account.

# Sharing Oracle Database@AWS resources across accounts
<a name="sharing-resources-task"></a>

To enable collaboration while optimizing costs, share Oracle Database@AWS resources with other AWS accounts within the same AWS organization. This topic explains how to share resources using AWS Resource Access Manager (AWS RAM).

**Topics**
+ [Prerequisites for sharing resources](#sharing-resources-prerequisites)
+ [Sharing Oracle Database@AWS resources with another account using AWS RAM](#sharing-exadata-infrastructure)
+ [Viewing your resource shares](#viewing-resource-shares)
+ [Updating or deleting resource shares using AWS RAM](#unsharing-resources)

## Prerequisites for sharing resources
<a name="sharing-resources-prerequisites"></a>

Before you share Oracle Database@AWS resources, make sure that you have the following:
+ An active Oracle Database@AWS subscription (you must be the buyer account that accepted the private offer through AWS Marketplace)
+ The IDs or names of the resources you want to share, such as Exadata infrastructure or ODB networks
+ The IDs of the AWS accounts in your organization that you want to share resources with
+ Necessary permissions to create resource shares in AWS RAM
+ The ability to share resources with AWS Organizations using AWS RAM (for more information, see [Enable resource sharing within AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS Resource Access Manager User Guide*)

## Sharing Oracle Database@AWS resources with another account using AWS RAM
<a name="sharing-exadata-infrastructure"></a>

To share an Exadata infrastructure or ODB network with another AWS account, you create a resource share using AWS RAM. This allows the trusted account to create VM clusters on your Exadata infrastructure.

### Console
<a name="sharing-exadata-infrastructure.CON"></a>

1. Open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. Choose **Create resource share**.

1. For **Name**, enter a descriptive name for your resource share.

1. Under **Select resource type**, choose either of the following resources:
   + **Oracle Database@AWS ODB network**
   + **Oracle Database@AWS Exadata Infrastructure**

1. Select the Exadata infrastructure resources you want to share. Choose **Next** until you get to **Grant access to principals**.

1. Under **Principals**, choose **AWS accounts**, and then enter the AWS account IDs you want to share with.

1. Under **Managed permissions**, select the following permissions to allow the trusted account to create VM clusters on the shared Exadata infrastructure:
   + **AWSRAMDefaultPermissionODBNetwork**
   + **AWSRAMDefaultPermissionODBCloudExadataInfrastructure**

1. Choose **Create resource share**.

### AWS CLI
<a name="sharing-exadata-infrastructure.CLI"></a>

To share resources using the AWS CLI, use the `aws ram create-resource-share` command. The following example creates a resource share named `ExadataInfraShare` that shares the specified Exadata infrastructure with account 222222222222, allowing this account to create VM clusters on the shared infrastructure.

```
aws ram create-resource-share --region us-east-1 \
    --name "ExadataInfraShare" \
    --resource-arns arn:aws:odb:us-east-1:111111111111:cloud-exadata-infrastructure/exa_infra_1 \
    --principals 222222222222
```

## Viewing your resource shares
<a name="viewing-resource-shares"></a>

To view the resources you've shared and the accounts you've shared them with:

### Console
<a name="viewing-resource-shares.CON"></a>

1. Open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. Choose **Shared resources** to view resources you've shared with other accounts.

1. Select a resource share to view its details, including the resources shared and the principals they're shared with.

### AWS CLI
<a name="viewing-resource-shares.CLI"></a>

To view your resource shares using the AWS CLI, use the `get-resource-shares` command:

```
aws ram get-resource-shares --resource-owner SELF
```

To view the resources in a specific resource share, use the `list-resources` command:

```
aws ram list-resources \
    --resource-owner SELF \
    --resource-share-arns arn:aws:ram:us-east-1:111111111111:resource-share/12345678-abcd-1234-efgh-111111111111
```

To view the principals (accounts) that a resource share is shared with, use the `list-principals` command:

```
aws ram list-principals \
    --resource-owner SELF \
    --resource-share-arns arn:aws:ram:us-east-1:111111111111:resource-share/12345678-abcd-1234-efgh-111111111111
```
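
The following audit is an added example, not part of the AWS documentation. It takes data in the shape returned by the `list-resources` and `list-principals` commands above and reports every principal on a share that carries Oracle Database@AWS resources and that is not an approved account ID in your organization. The approved list, the second share ARN and all sample records are constructed; `id`, `external`, `arn` and `resourceShareArn` are AWS RAM response fields.

```python
import json
import re

SHARE_A = "arn:aws:ram:us-east-1:111111111111:resource-share/12345678-abcd-1234-efgh-111111111111"
SHARE_B = "arn:aws:ram:us-east-1:111111111111:resource-share/constructed-non-odb-share"

# Assumption: account IDs your organization has approved as trusted accounts.
APPROVED_ACCOUNTS = {"222222222222"}

# Constructed sample in the shape of `aws ram list-resources --resource-owner SELF`.
RESOURCES = {"resources": [
    {"arn": "arn:aws:odb:us-east-1:111111111111:cloud-exadata-infrastructure/exa_infra_1",
     "resourceShareArn": SHARE_A},
    {"arn": "arn:aws:odb:us-east-1:111111111111:odb-network/odbnet_aaaaaaaaaa",
     "resourceShareArn": SHARE_A},
    {"arn": "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-constructed",
     "resourceShareArn": SHARE_B},
]}

# Constructed sample in the shape of `aws ram list-principals --resource-owner SELF`.
PRINCIPALS = {"principals": [
    {"id": "222222222222", "resourceShareArn": SHARE_A, "external": False},
    {"id": "333333333333", "resourceShareArn": SHARE_A, "external": False},
    {"id": "444444444444", "resourceShareArn": SHARE_A, "external": True},
    {"id": "555555555555", "resourceShareArn": SHARE_B, "external": False},
]}


def resources_by_share(resources_doc):
    """Map each resource share ARN to the Oracle Database@AWS ARNs it exposes."""
    by_share = {}
    for res in resources_doc.get("resources", []):
        if res["arn"].startswith("arn:aws:odb:"):
            by_share.setdefault(res["resourceShareArn"], []).append(res["arn"])
    return by_share


def audit_shares(principals_doc, resources_doc, approved_accounts):
    """Return one finding per principal that should not hold an ODB share."""
    exposed = resources_by_share(resources_doc)
    findings = []
    for principal in principals_doc.get("principals", []):
        share = principal["resourceShareArn"]
        if share not in exposed:
            continue  # this share carries no Oracle Database@AWS resources
        reasons = []
        if not re.fullmatch(r"\d{12}", principal["id"]):
            # The page's limitation: shares go to AWS account IDs only.
            reasons.append("principal is not an AWS account ID")
        elif principal["id"] not in approved_accounts:
            reasons.append("account is not on the approved list")
        if principal.get("external"):
            # The page's limitation: same AWS organization only.
            reasons.append("principal is outside the organization")
        if reasons:
            findings.append({"principal": principal["id"], "share": share,
                             "reasons": reasons, "resources": exposed[share]})
    return findings


if __name__ == "__main__":
    for finding in audit_shares(PRINCIPALS, RESOURCES, APPROVED_ACCOUNTS):
        print(json.dumps(finding, indent=2))
```

To run it against a real account, save the output of the two commands to files and pass the parsed JSON in place of the constructed samples.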

## Updating or deleting resource shares using AWS RAM
<a name="unsharing-resources"></a>

To stop sharing a resource with a trusted account using AWS RAM, take any of the following actions:
+ Remove the resource from the resource share.
+ Remove the trusted account from the resource share.
+ Delete the resource share.

Before you revoke access to or delete a shared resource, consider the following implications:
+ Trusted accounts can no longer create new resources on the unshared infrastructure.
+ Existing resources created by trusted accounts on the shared Exadata infrastructure continue to function and remain accessible to those AWS accounts.
+ You can't delete Exadata infrastructure that has VM clusters created by trusted accounts until those VM clusters are removed.

Before unsharing resources, we recommend that you coordinate with the trusted accounts to ensure a smooth transition.

For more information, see [Update a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-update.html) and [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) in the *AWS Resource Access Manager User Guide*.

# Initializing Oracle Database@AWS in a trusted account
<a name="initialize-service-task"></a>

A trusted account is an AWS account that you designate as eligible to receive resource shares. It must be another individual AWS account in your AWS organization. Before you can use shared Oracle Database@AWS resources in a trusted account, you must initialize the service. Initialization creates the necessary metadata and establishes the connection between your AWS account and Oracle Cloud Infrastructure.

**Topics**
+ [What is Oracle Database@AWS initialization?](#initialize-service-overview)
+ [Next steps](#initialize-service-next-steps)

## What is Oracle Database@AWS initialization?
<a name="initialize-service-overview"></a>

After a resource has been shared with your account, you must initialize the Oracle Database@AWS service before you can access or use the shared resource. If you try to use Oracle Database@AWS APIs without initializing the service first, you receive an error.

Initialization is a one-time process. It creates the necessary metadata and establishes a connection between your AWS account and Oracle Cloud Infrastructure.

You can initialize the service using either the AWS Management Console or the AWS CLI.

### Console
<a name="initialize-service-console.CON"></a>

1. Open the Oracle Database@AWS console at [https://console.aws.amazon.com/odb/](https://console.aws.amazon.com/odb/).

1. If this is your first time accessing the Oracle Database@AWS console in this account, you see a welcome page.

1. Choose **Activate account**.

1. The service initialization process begins. This process might take a few minutes to complete. 

1. Refresh the welcome page periodically until the **Activate account** button changes to the **Dashboard** button. 

1. Choose **Dashboard** to begin using Oracle Database@AWS.

### AWS CLI
<a name="initialize-service-console.CLI"></a>

To initialize Oracle Database@AWS in your trusted account using the AWS CLI, use the `initialize-service` command.

```
aws odb initialize-service
```

To check the initialization status, use the `get-oci-onboarding-status` command.

```
aws odb get-oci-onboarding-status
```

When initialization is complete, the output shows a status of `ACTIVE_LIMITED`, indicating that your account can access shared resources but can't create a new Exadata infrastructure or ODB network.

## Next steps
<a name="initialize-service-next-steps"></a>

After you initialize Oracle Database@AWS in your trusted account, you can do the following:
+ View shared resources using the `list` and `get` commands or in the AWS console.
+ Create VM clusters and Autonomous VM clusters on a shared Exadata infrastructure and ODB network.
+ Create an ODB peering connection on a shared ODB network.

For more information about working with shared resources, see [Working with shared Oracle Database@AWS resources in a trusted account](working-with-shared-resources.md).

# Working with shared Oracle Database@AWS resources in a trusted account
<a name="working-with-shared-resources"></a>

After a resource has been shared with your trusted account and you've initialized the Oracle Database@AWS service, you can view and use the shared resource. This topic explains how to work with shared resources in a trusted account.

**Topics**
+ [Limitations for shared resources in a trusted account](#limitations-shared-resources)
+ [Creating VM clusters on shared Exadata infrastructure](#creating-vm-clusters)
+ [Viewing shared resources in a trusted account](#viewing-shared-resources)
+ [Setting up ODB peering with shared ODB networks](#network-peering-shared)

## Limitations for shared resources in a trusted account
<a name="limitations-shared-resources"></a>

When working with shared Oracle Database@AWS resources, be aware of the following limitations:
+ Resource sharing is supported only within the same AWS organization.
+ Only the buyer account (the account that accepts the Oracle Database@AWS private offer) can create Exadata infrastructure and ODB network resources.
+ You can create resources only on shared infrastructure and only if you have the necessary permissions.
+ The specific actions (managed permissions) for each resource type are automatically selected during resource share creation and can't be modified.
+ You can't modify or delete resources owned by another account.
+ Resources that you create on shared infrastructure are owned by your account and count toward your OCI quotas. The same applies to parent resources.
+ If the owner account unshares a resource, you can no longer create new resources on this shared infrastructure. However, your existing resources continue to function.
+ Cross-Region resource sharing isn't supported. You can only share resources within the same AWS Region.
+ Trusted account resources are billed to the buyer of the Oracle Database@AWS subscription.
+ When using a resource that is shared, you must provide the Amazon Resource Name (ARN).

## Creating VM clusters on shared Exadata infrastructure
<a name="creating-vm-clusters"></a>

If your trusted account has access to a shared Exadata infrastructure and ODB network, you can create Exadata VM clusters, Autonomous VM clusters, or ODB peerings on this infrastructure.

**Note**  
When using a resource that is shared with you, you must specify the Amazon Resource Name (ARN) instead of only the resource ID.

### Console
<a name="creating-vm-clusters.CON"></a>

1. Open the Oracle Database@AWS console at [https://console.aws.amazon.com/odb/](https://console.aws.amazon.com/odb/).

1. In the navigation pane, choose **Exadata VM clusters** or **Autonomous VM clusters**.

1. Choose **Create VM cluster** or **Create Autonomous VM cluster**.

1. For **Exadata infrastructure**, select the shared Exadata infrastructure on which you want to create the VM cluster.

1. Complete the remaining fields as required for your VM cluster configuration.

1. Choose **Create VM cluster** or **Create Autonomous VM cluster**.

### AWS CLI
<a name="creating-vm-clusters.CLI"></a>

To create a VM cluster on shared Exadata infrastructure using the AWS CLI, use the `create-cloud-vm-cluster` command:

```
aws odb create-cloud-vm-cluster --region us-east-1 \
    --cloud-exadata-infrastructure-id arn:aws:odb:us-east-1:111111111111:cloud-exadata-infrastructure/exa_aaaaaaaaaa \
    --odb-network-id arn:aws:odb:us-east-1:111111111111:odb-network/odbnet_aaaaaaaaaa \
    --cpu-core-count 4 \
    --display-name "Shared-VMC-1" \
    --gi-version "19.0.0.0" \
    --hostname "vmchost" \
    --ssh-public-keys "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ..."
```

To create an Autonomous VM cluster on shared Exadata infrastructure using the AWS CLI, use the `create-cloud-autonomous-vm-cluster` command:

```
aws odb create-cloud-autonomous-vm-cluster --region us-east-1 \
    --cloud-exadata-infrastructure-id arn:aws:odb:us-east-1:111111111111:cloud-exadata-infrastructure/exa_aaaaaaaaaa \
    --odb-network-id arn:aws:odb:us-east-1:111111111111:odb-network/odbnet_aaaaaaaaaa \
    --display-name "Shared-AVMC-1" \
    --autonomous-data-storage-size-in-tbs 8 \
    --cpu-core-count-per-node 16
```

The VM cluster is created on the specified shared Exadata infrastructure and is owned by your trusted account.

## Viewing shared resources in a trusted account
<a name="viewing-shared-resources"></a>

You can view resources that have been shared with your account using the AWS Management Console or the AWS CLI.

### Console
<a name="viewing-shared-resources.CON"></a>

1. Open the Oracle Database@AWS console at [https://console.aws.amazon.com/odb/](https://console.aws.amazon.com/odb/).

1. In the navigation pane, choose the resource type you want to view: **Exadata infrastructure** or **ODB network**.

1. The console displays resources shared with you.

1. Select a shared resource to view its details.

### AWS CLI
<a name="viewing-shared-resources.CLI"></a>

To view shared resources using the AWS CLI, use the appropriate `list` command for the resource type. For example, to list Exadata infrastructure:

```
aws odb list-cloud-exadata-infrastructures
```

The response shows resources shared with you.

To get detailed information about a specific shared resource, use the appropriate `get` command with the resource ID:

```
aws odb get-cloud-exadata-infrastructure --cloud-exadata-infrastructure-id exa_infra_1
```

## Setting up ODB peering with shared ODB networks
<a name="network-peering-shared"></a>

To enable communication between your applications and databases on shared ODB networks, you can set up ODB peering between your VPC and the shared ODB network. For more information about ODB peering, see [Creating an ODB peering connection in Oracle Database@AWS](configuring.md#network-peering).

### Console
<a name="network-peering-shared.CON"></a>

1. Open the Oracle Database@AWS console at [https://console.aws.amazon.com/odb/](https://console.aws.amazon.com/odb/).

1. In the navigation pane, choose **ODB peering**.

1. Choose **Create ODB network peering**.

1. For **ODB network**, select the shared ODB network you want to peer with.

1. For **Peer network**, select your VPC.

1. Choose **Create ODB network peering**.

### AWS CLI
<a name="network-peering-shared.CLI"></a>

To create a network peering connection between your VPC and a shared ODB network using the AWS CLI, use the `create-odb-peering-connection` command.

```
aws odb create-odb-peering-connection \
    --odb-network-id odbnet_1234567890abcdef \
    --peer-network-id vpc-abcdef1234567890
```

After creating the peering connection, update your route tables to enable traffic between the peered networks.

```
aws ec2 create-route \
    --route-table-id rtb-1234567890abcdef \
    --destination-cidr-block 10.0.0.0/16 \
    --odb-network-arn arn:aws:odb:us-east-1:111111111111:odb-network/odbnet_1234567890abcdef
```