OCI SDK Authentication Methods
- API key-based authentication
- Session token-based authentication
- Instance principal
- Resource principal
This section discusses each method in detail and provides examples.
API Key-Based Authentication
In this authentication method, you create a configuration file and store it on the local disk. The configuration file contains details such as the user OCID, tenancy OCID, region, private key path, and fingerprint. This authentication method creates a permanent configuration file on your machine. It should be used if you are working from a secure network and are comfortable storing private keys and configuration locally.
The following section shows examples of API key-based authentication.
You can use the following CLI commands to set up API key-based authentication:
"oci setup bootstrap": This command helps to set up a configuration file. You can log in via a browser, and your configuration file is automatically created and uploaded to the console. For more details, see oci setup bootstrap.
"oci setup config": This command helps to set up a configuration file from a command-line session without browser support. It is an interactive CLI command that prompts you for information (including a user OCID, a tenancy OCID, and region name) and creates a private key. Once the file is created, you need to upload your public key to the console. For more information, see oci setup config.
Session Token-Based Authentication
Using session token-based authentication, you create a local configuration file that contains information including the user OCID, tenancy OCID, region, private key path, and a temporary session token file path. This method uses this information along with the temporary session token, which expires in an hour (by default). Session token-based authentication can be used when you need quick, temporary authentication.
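The following is an added example, not code from the original page or from Oracle: it audits the configuration file that the API key-based and session token-based methods leave on disk. It classifies each profile by method and flags key or token files that group or other can access. The sample config, OCIDs, fingerprint and file names are constructed; `key_file` and `security_token_file` are the standard OCI config keys.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample config: an API-key profile and a session-token profile.
SAMPLE = """[DEFAULT]
user = ocid1.user.oc1..constructed
fingerprint = 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
tenancy = ocid1.tenancy.oc1..constructed
region = us-ashburn-1
key_file = {d}/api_key.pem
[SESSION]
key_file = {d}/session_key.pem
security_token_file = {d}/token
"""

def audit_oci_config(config_path):
    """Map each profile to its auth method and any credential-file findings."""
    parser = configparser.ConfigParser(interpolation=None)
    with open(config_path) as fh:
        parser.read_file(fh)
    report = {}
    for name in ["DEFAULT"] + parser.sections():
        profile = parser[name]  # non-DEFAULT profiles inherit DEFAULT's keys
        method = "session_token" if "security_token_file" in profile else "api_key"
        findings = []
        for field in [f for f in ("key_file", "security_token_file") if f in profile]:
            path = os.path.expanduser(profile[field])
            if not os.path.isfile(path):
                findings.append(f"{field}: file not found")
            elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                findings.append(f"{field}: accessible by group/other")
        report[name] = {"method": method, "findings": findings}
    return report

def demo():
    """Write the constructed sample to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        files = {"api_key.pem": 0o644, "session_key.pem": 0o600, "token": 0o600}
        for fname, mode in files.items():
            path = os.path.join(d, fname)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        cfg = os.path.join(d, "config")
        with open(cfg, "w") as fh:
            fh.write(SAMPLE.format(d=d))
        return audit_oci_config(cfg)
```

Against a real setup, call `audit_oci_config` with the path to your own configuration file; the permission check relies on POSIX mode bits.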
The following section shows examples of session token-based authentication.
You can use the following CLI command to set up session token-based authentication:
"oci session authenticate": This command sets a temporary session token. Sign in via a browser, and a session configuration file is automatically created that you can use to authenticate until the session expires (by default, expiration is in 60 minutes). After the session expires, you need to refresh the session token. For more information, see oci session authenticate.
Instance Principal Authentication
Using instance principal authentication, you can authorize an instance to make API calls on Oracle Cloud Infrastructure services. After you set up the required resources and policies, an application running on an instance can call Oracle Cloud Infrastructure public services, removing the need to configure user credentials or a configuration file. For more details, see instance principal.
Instance principal authentication can be used from an instance or VM where you don't want to store a configuration file.
The following section shows examples of instance principal authentication.
You can use the following CLI command to set up instance principal-based authentication:
"oci setup instance-principal": This command helps you to set up instance principal authentication on an existing instance from a machine where you already have OCI CLI authentication configured. For example, you can run this command from Cloud Shell (which is authenticated using a delegation token) to set up instance principal on an instance. For more information, see oci setup instance-principal.
To set up instance principal dynamic groups and policies manually, see Calling Services from Instances.
Resource Principal Authentication
Resource principal authentication is very similar to instance principal authentication, but is intended for resources that are not instances, such as serverless functions.
The following section shows examples of resource principal authentication.
Example not available.