Question: 1/50
A security administrator wants to ensure a specific group of compute instances can read secrets from OCI Vault, without allowing any user access from the console. Which approach best meets this requirement?
Create a dynamic group matching the instances and write an IAM policy allowing the dynamic group to read secrets in the target compartment
Create a user group, add the instance OCIDs as members, and write a policy allowing the user group to read secrets
Store the secrets in Object Storage and use a pre-authenticated request (PAR) so instances can download them
Use a tag-based policy that grants all principals in the tenancy permission to read secrets when a tag is present