thanos-io · yeya24 · Nov 30, 2022 · Nov 30, 2022
diff --git a/docs/getting-started.md b/docs/getting-started.md
@@ -102,7 +102,7 @@ See up to date [jsonnet mixins](https://github.com/thanos-io/thanos/tree/main/mi
 ## Blog posts
 
 * 2022:
-
+  * [Deploy Thanos Receive with native OCI Object Storage on Oracle Kubernetes Engine](https://medium.com/@lmukadam/deploy-thanos-receive-with-native-oci-object-storage-on-kubernetes-829326ea0bc6)
   * [Leveraging Consul for Thanos Query Discovery](https://nicolastakashi.medium.com/leveraging-consul-for-thanos-query-discovery-34212d496c88)
 
 * 2021:

diff --git a/docs/storage.md b/docs/storage.md
@@ -513,11 +513,11 @@ config:
 prefix: ""
 ```
 
-### Oracle Cloud Infrastructure Object Storage
+#### Oracle Cloud Infrastructure Object Storage
 
 To configure Oracle Cloud Infrastructure (OCI) Object Storage as Thanos Object Store, you need to provide appropriate authentication credentials to your OCI tenancy. The OCI object storage client implementation for Thanos supports either the default keypair or instance principal authentication.
 
-#### API Signing Key
+##### API Signing Key
 
 The default API signing key authentication provider leverages same [configuration as the OCI CLI](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm) which is usually stored in at `$HOME/.oci/config` or via variable names starting with the string `OCI_CLI`. If the same configuration is found in multiple places the provider will prefer the first one.
 
@@ -545,7 +545,7 @@ config:
     client_timeout: 90s           // Optional time limit for requests made by the HTTP Client.
 ```
 
-#### Instance Principal Provider
+##### Instance Principal Provider
 
 For Example:
 
@@ -559,7 +559,7 @@ config:
 
 You can also include any of the optional configuration just like the example in `Default Provider`.
 
-#### Raw Provider
+##### Raw Provider
 
 For Example:
 
@@ -579,6 +579,24 @@ config:
 
 You can also include any of the optional configuration just like the example in `Default Provider`.
 
+##### OCI Policies
+
+Regardless of the method you use for authentication (raw, instance-principal), you need the following 2 policies in order for Thanos (sidecar or receive) to be able to write TSDB to OCI object storage. The difference lies in whom you are giving the permissions.
+
+For using instance-principal and dynamic group:
+
+```
+Allow dynamic-group thanos to read buckets in compartment id ocid1.compartment.oc1..a
+Allow dynamic-group thanos to manage objects in compartment id ocid1.compartment.oc1..a
+```
+
+For using raw provider and an IAM group:
+
+```
+Allow group thanos to read buckets in compartment id ocid1.compartment.oc1..a
+Allow group thanos to manage objects in compartment id ocid1.compartment.oc1..a
+```
+
 ### How to add a new client to Thanos?
 
 objstore.go
-Original file line number
+Diff line change
@@ Expand Up @@
     ## Blog posts
     * 2022:
+      * [Deploy Thanos Receive with native OCI Object Storage on Oracle Kubernetes Engine](https://medium.com/@lmukadam/deploy-thanos-receive-with-native-oci-object-storage-on-kubernetes-829326ea0bc6)
       * [Leveraging Consul for Thanos Query Discovery](https://nicolastakashi.medium.com/leveraging-consul-for-thanos-query-discovery-34212d496c88)
     * 2021:
@@ Expand Down @@