Manage Credentials

You can create credentials, list credentials, or delete credentials in your Autonomous Database.

Create Credentials to Access Cloud Services

To access services in the Cloud, such as Cloud Object Store, you first need to create credentials in your Autonomous Database.

  1. Create and store credentials using the procedure DBMS_CLOUD.CREATE_CREDENTIAL. For example:
    SET DEFINE OFF
    BEGIN
      DBMS_CLOUD.CREATE_CREDENTIAL(
        credential_name => 'DEF_CRED_NAME',
        username => 'adb_user@example.com',
        password => 'password'
      );
    END;
    /

    This operation stores the credentials in the database in an encrypted format. You can use any name for the credential name. Note that this step is required only once unless your object store credentials change. Once you store the credentials you can then use the same credential name for all data loads.

    For detailed information about the parameters, see CREATE_CREDENTIAL Procedure.

    Creating a credential to access Oracle Cloud Infrastructure Object Store is not required if you enable resource principal credentials. See Use Resource Principal to Access Oracle Cloud Infrastructure Resources for more information.

    Note

    Some tools like SQL*Plus and SQL Developer use the ampersand character (&) as a special character. If you have the ampersand character in your password use the SET DEFINE OFF command in those tools as shown in the example to disable the special character and get the credential created properly.
  2. With the credential you created in Step 1, you can access Object Store or other cloud resources from Autonomous Database using a procedure such as DBMS_CLOUD.COPY_DATA, DBMS_CLOUD.EXPORT_DATA, DBMS_CLOUD_PIPELINE if you are using a Data Pipeline, or other procedures that require DBMS_CLOUD credentials.

Create Credentials to Access Cloud Services in Cloud Shell

Use Cloud Shell to run a script that creates OCI Native Credentials and Auth Token in your Autonomous Database.

Create OCI Native Credentials Using Cloud Shell

To create OCI Native Credentials, sign into your tenancy and run the adb-create-cred.sh script in the Cloud Shell developer tool.

Before running the script in your home region, consider the following:
  • If you are in your home region and the Autonomous Database is in your home region, execute the script without the region argument. The script assumes the Autonomous Database is in your home region and will not prompt for an alternate region.
  • However, if you are in your home region and your Autonomous Database is in an alternate region, then you must pass in the --region argument when executing the script.

  1. Sign into your Tenancy, select the Developer Tools icon and click Cloud Shell from the drop down list.
    Note

    If for some reason you do not have access to Cloud Shell, you can create OCI Native Credentials without using the adb-create-cred.sh script. See Create Oracle Cloud Infrastructure Native Credentials for details.
  2. Run the adb-create-cred.sh script.

    The script can be run with or without arguments:

    • Enter adb-create-cred.sh and press Enter to run the script.

      In later steps, the script provides a list of compartments and, if you are not in your home region, a list of regions from which to choose.

      For example:
      user_name@cloudshell:~ (us-phoenix-1)$ adb-create-cred.sh
    • Enter adb-create-cred.sh --region=REGION --compartment=COMPARTMENT and press Enter to run the script.

      You can provide one or both arguments. When you provide the region and/or compartment, the script skips generating the corresponding list of regions and/or compartments.

      In this example, both arguments are provided. The Autonomous Database is in the us-phoenix-1 region in the Development compartment:
      user_name@cloudshell:~ (us-phoenix-1)$ adb-create-cred.sh --region=us-ashburn-1 --compartment=Development
    Note

    For a list of options, enter adb-create-cred.sh --h.
  3. If you have no existing API keys and fingerprint, they are created and the following OCI Native Credential scripts in SQL and JSON are created:
    • oci_native_credential.sql
    • oci_native_credential.json
  4. If you have existing API keys and fingerprint, the script asks if you want to reuse them.
    • If you answer y, the existing API keys and fingerprint are not replaced and the script continues to the next step.
    • If you answer n, you are asked if you want to replace them.
      • If you want to replace them, enter y. A backup script of your existing keys is created, your existing keys are removed, new API keys and fingerprint are created, and the OCI Native Credential scripts in SQL and JSON are created.
        Note

        If you decide, after overwriting the credentials, that you want to use the overwritten credentials, you can go back to the directory where the backup is and reuse it. The backup file name or folder has a suffix with this syntax: _bkp_YYYYMMDD_abc. For example, this backup file was created on June 06, 2024: _bkp_20240603_woT
      • If you don't want to replace them, enter n. No keys or fingerprint are created and the script exits. You can execute cat ~/oci_native_credential.sql, to copy the SQL into
  5. You are asked if you want to proceed and run the credential scripts on your Autonomous Database.
    • If you passed in region or compartment arguments when running the script:
      • If you enter y, and both arguments were passed in, the Autonomous Databases you have access to in that region and compartment are listed. The script skips to step 7.
      • If you enter y and you only passed in the compartment name, the list of Autonomous Databases you have access to in that compartment is displayed. The script skips to step 7.
      • If you enter y and you only passed in the region name, the list of compartments within that region that might have Autonomous Databases you have access to are displayed.
    • If you did not pass in arguments when running the script:
      • If you enter y and you are in your home region, a list of compartments within this tenancy that might have Autonomous Databases you have access to is displayed. Because you are in your home region and ran the script without any options, you are not prompted for alternate regions.
        Note

        If you have an Autonomous Database private endpoint in a Virtual Cloud Network, the adb-create-cred.sh script generates the SQL or JSON scripts. However, it will not perform the steps required to access the Autonomous Database private endpoint. Instead, it will prompt you to execute cat ~/oci_native_credential.sql, to copy the SQL into whatever SQL tool you have access to via a Bastion or Jump Host.
      • If you enter y and you are not in your home region, you are asked if you want to (k)eep your current region, change to your (h)ome region or (p)ick a different region.
        • If you enter k, you will stay in your current region and a list of compartments within your current region that might have Autonomous Databases you have access to are displayed.
        • If you enter h, the script is adjusted to use your home region and a list of compartments within your home region that might have Autonomous Databases you have access to are displayed.
        • If you enter p, a list of regions you have access to is displayed. Your home region is highlighted. Enter the number of the region you want.

          If in the selected region there are no databases you have access to, you are asked if you want to run on another Autonomous Database. If you answer y, you are asked again if you want to (k)eep your current region, change to your (h)ome region or (p)ick a different region. If you answer n, your OCI Native Credential Script is displayed and the script exits. You can run the script in your Cloud Shell window or download it and run it in SQL Developer or any tool that runs SQL.

      • If you enter n, your OCI Native Credential Script is displayed and the script exits. You can run the script in your Cloud Shell window or download it and run it in SQL Developer or any tool that runs SQL.
  6. Enter the number of the compartment.
    The Autonomous Databases you have access to in that compartment are listed.
  7. Enter the number of the Autonomous Database.

    The credentials are set up in the selected Autonomous Database, and SQL scripts are generated to add the credentials. The next task is to connect to your Autonomous Database so you can execute the credential scripts.

  8. Enter your Autonomous Database username.
  9. Enter your Autonomous Database password.

    The script attempts to connect to the Autonomous Database you selected using the username and password you supplied.

    • If the connection to the Autonomous Database is successful, the generated credential scripts are run in the Autonomous Database. The existing credentials are dropped and the new credentials are created.
    • If the connection to the Autonomous Database is unsuccessful, you can execute cat ~/oci_native_credential.sql, to copy the SQL and run it directly in the Autonomous Database using any SQL tool.
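
The drop-and-recreate that step 9 describes, written out as an added example; it is not the content of the generated oci_native_credential.sql. The credential name OCI_NATIVE_CRED is hypothetical, and the four OCI values are placeholders to fill in from your own API key.

```sql
SET DEFINE OFF
DECLARE
  -- Hypothetical credential name; the generated script may use a different one.
  c_name  CONSTANT VARCHAR2(128) := 'OCI_NATIVE_CRED';
  l_count PLS_INTEGER;
BEGIN
  -- Look only at credentials owned by the connected user.
  SELECT COUNT(*)
    INTO l_count
    FROM all_credentials
   WHERE owner = USER
     AND credential_name = c_name;

  -- Drop the old credential first so the block can be rerun after a key change.
  IF l_count > 0 THEN
    DBMS_CLOUD.DROP_CREDENTIAL(credential_name => c_name);
  END IF;

  -- OCI native form of CREATE_CREDENTIAL: API signing key instead of username/password.
  -- All four values below are placeholders, not real identifiers.
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => c_name,
    user_ocid       => '<user OCID placeholder>',
    tenancy_ocid    => '<tenancy OCID placeholder>',
    private_key     => '<API signing private key placeholder>',
    fingerprint     => '<API key fingerprint placeholder>'
  );
END;
/

-- Confirm the credential exists and is enabled; the view has no column for the secret.
SELECT owner, credential_name, username, enabled
  FROM all_credentials
 WHERE owner = USER
   AND credential_name = 'OCI_NATIVE_CRED';
```

Because the private key appears as a literal in the script text, run it from a session whose history and spool files you control, and remove the filled-in copy afterwards.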

Create Auth Token/Swift Credential Using the Cloud Shell Script (optional)

Oracle recommends the use of OCI Native Credentials. If you still want to create an Auth Token/Swift credential, you can add the --all flag to the script to generate both the OCI Native Credentials and the Auth Token/Swift credential.

For example:
adb-create-cred.sh --all

When this flag is used, the script asks if you want to include an Auth Token. By answering y, your Auth Token key is generated and uploaded to your OCI profile, and the oci_auth_token_credential.sql and auth_token.tok scripts are created.

There are 2 options you can use to view the Auth Token key:
  • Run the oci_auth_token_credential.sql script from the Cloud Shell, to create the Auth Token key in your database. The Auth Token key is the value of the password parameter for DBMS_CLOUD.CREATE_CREDENTIAL.
  • View auth_token.tok from the Cloud Shell. Your Auth Token is the value of token.

List Credentials

DBMS_CLOUD provides the ability to store credentials using the procedure DBMS_CLOUD.CREATE_CREDENTIAL. You can list credentials from the view ALL_CREDENTIALS.

For example, to list credentials, run the following command:

SELECT credential_name, username, comments FROM all_credentials;

CREDENTIAL_NAME                                            USERNAME
---------------------------------------------------------  --------------------
COMMENTS
---------------------------------------------------------  --------------------
ADB_TOKEN                                                  user_name@example.com
{"comments":"Created via DBMS_CLOUD.create_credential"}
DEF_CRED_NAME                                              user_name@example.com
{"comments":"Created via DBMS_CLOUD.create_credential"}

See ALL_CREDENTIALS for more information.

Delete Credentials

DBMS_CLOUD provides the ability to store credentials using the procedure DBMS_CLOUD.CREATE_CREDENTIAL. You can remove credentials with DBMS_CLOUD.DROP_CREDENTIAL.

For example, to remove the credential named DEF_CRED_NAME, run the following command:

BEGIN
   DBMS_CLOUD.DROP_CREDENTIAL('DEF_CRED_NAME');
END;
/

For more information about the DBMS_CLOUD procedures and parameters, see DBMS_CLOUD Subprograms and REST APIs.