Use Resource Principal to Access Oracle Cloud Infrastructure Resources
You can use an Oracle Cloud Infrastructure resource principal with Autonomous Database. You or your tenancy administrator define the Oracle Cloud Infrastructure policies and a dynamic group that allows you to access Oracle Cloud Infrastructure resources with a resource principal. You do not need to create a credential object and Autonomous Database creates and secures the resource principal credentials you use to access the specified Oracle Cloud Infrastructure resources.
- About Using Resource Principal to Access Oracle Cloud Infrastructure Resources
You can use a resource principal to authenticate and access Oracle Cloud Infrastructure resources. - Perform Prerequisites to Use Resource Principal with Autonomous Database
Prior to making a call to an Oracle Cloud Infrastructure resource using a resource principal, an Oracle Cloud Infrastructure tenancy administrator must create Oracle Cloud Infrastructure policies, dynamic groups, and rules that define the resource principal privileges. - Enable Resource Principal to Access Oracle Cloud Infrastructure Resources
Perform the following steps to enable resource principal on Autonomous Database. - Disable Resource Principal on Autonomous Database
Shows the steps to disable resource principal for all Autonomous Database users or for a specified user. - Use Resource Principal with DBMS_CLOUD
When you specify resource principal credentials withDBMS_CLOUD
calls, the database authenticates the Oracle Cloud Infrastructure requests for you and the database provides the credentials to access Oracle Cloud Infrastructure resources.
Parent topic: Configure Policies and Roles to Access Resources
About Using Resource Principal to Access Oracle Cloud Infrastructure Resources
You can use a resource principal to authenticate and access Oracle Cloud Infrastructure resources.
A resource principal consists of a temporary session token and secure credentials that enable the database to authenticate itself to other Oracle Cloud Infrastructure services. Using a resource principal to access services, the token stored with the credentials on Autonomous Database is only valid for the resources to which the dynamic group has been granted access.
To use Resource Principal, you or your tenancy administrator define the Oracle Cloud Infrastructure policies and a dynamic group that allows you to access Oracle Cloud Infrastructure resources with a resource principal. You do not need to create a credential object and Autonomous Database creates and secures the resource principal credentials you use to access the specified Oracle Cloud Infrastructure resources.
For example, while using Autonomous Database you might want to use Oracle Cloud Infrastructure resources to do the following:
- Access data from an Object Storage bucket, perform some operation on the data, and then write the modified data back to the Object Storage bucket.
-
Access your vaults, keys, or secrets.
- List work requests or list work request errors.
When you are working with the database, you authenticate and access the database as a database user. An Autonomous Database user does not have an Oracle Cloud Infrastructure Identity and Access Management (IAM) identity, so as an Autonomous Database user you cannot use your database credentials to access Oracle Cloud Infrastructure services. Without a resource principal you must obtain credentials to access Oracle Cloud Infrastructure resources and create a credential object to access a resource from Autonomous Database.
A resource principal enables resources to be authorized to perform actions on Oracle Cloud Infrastructure services. Each resource has its own identity, and the resource authenticates using the certificates that are added to it. These certificates are automatically created, assigned to resources, and rotated, avoiding the need for you to create and manage your own credentials to access the resource.
Autonomous Database lets you use a resource principal to authenticate to Oracle Cloud Infrastructure APIs using the following interfaces:
DBMS_CLOUD
procedures and functions that take a credential argument- Oracle Cloud Infrastructure PL/SQL SDK APIs
When you authenticate using a resource principal, Autonomous Database provides a secure method to access Oracle Cloud Infrastructure resources.
There are several steps required to set up a resource principal on Autonomous Database:
-
You must create an define Oracle Cloud Infrastructure Infrastructure Identity and Access Management (IAM) policies. See Perform Prerequisites to Use Resource Principal with Autonomous Database for more information.
-
You must enable the resource principal for the ADMIN user, and optionally enable the resource principal for a database user. See Enable Resource Principal to Access Oracle Cloud Infrastructure Resources for more information.
When you authenticate using a resource principal, you do not need to create and manage credentials to access Oracle Cloud Infrastructure resources. Autonomous Database makes the resource principal available to you and secures the resource principal for you.
Perform Prerequisites to Use Resource Principal with Autonomous Database
Prior to making a call to an Oracle Cloud Infrastructure resource using a resource principal, an Oracle Cloud Infrastructure tenancy administrator must create Oracle Cloud Infrastructure policies, dynamic groups, and rules that define the resource principal privileges.
Perform the following steps before you use a resource principal with Autonomous Database:
The resource principal token is cached for two hours. Therefore, if you change the policy or the dynamic group, you have to wait for two hours to see the effect of your changes.
See How Policies Work and Managing Policies for more information on policies.
Enable Resource Principal to Access Oracle Cloud Infrastructure Resources
Perform the following steps to enable resource principal on Autonomous Database.
As a prerequisite, configure dynamic groups and policies. See Perform Prerequisites to Use Resource Principal with Autonomous Database for more information.
To enable a resource principal on Autonomous Database:
Enabling the resource principal on an Autonomous Database instance is one-time operation. You do not need to enable the
resource principal again, unless you run DBMS_CLOUD_ADMIN.DISABLE_RESOURCE_PRINCIPAL
to
disable the resource principal.
Disable Resource Principal on Autonomous Database
Shows the steps to disable resource principal for all Autonomous Database users or for a specified user.
To remove access to the resource principal credential for a specified
database user, include the username
parameter. This denies the
specified user access to the OCI$RESOURCE_PRINCIPAL
credential.
For example:
EXEC DBMS_CLOUD_ADMIN.DISABLE_RESOURCE_PRINCIPAL
(username => 'ADB_USER');
See DISABLE_RESOURCE_PRINCIPAL Procedure for more information.
Use Resource Principal with DBMS_CLOUD
When you
specify resource principal credentials with DBMS_CLOUD
calls, the database authenticates the Oracle Cloud
Infrastructure requests for you and the database provides the credentials to access Oracle Cloud
Infrastructure resources.
If you have not already done so, perform the required prerequisite steps:
-
Access to Oracle Cloud Infrastructure resources depends on the dynamic group rules and the policies you set in Oracle Cloud Infrastructure policies and dynamic groups. See Perform Prerequisites to Use Resource Principal with Autonomous Database for more information.
-
After you define the dynamic group and policies, enable the ADMIN schema or another schema to use a resource principal. See Enable Resource Principal to Access Oracle Cloud Infrastructure Resources for more information.
To use a DBMS_CLOUD
procedure with resource principal credentials:
If you compare the steps required to access Object Storage as shown in
Create Credentials and Copy Data into an Existing Table, notice that Step 1, creating credentials is not required when
you use resource principal because you are using the system defined
OCI$RESOURCE_PRINCIPAL
credential.