Use Vault Secret Credentials with Oracle Cloud Infrastructure Vault

Describes using vault secret credentials, where the secret (password) is stored as a secret in Oracle Cloud Infrastructure Vault.

You can use vault secret credentials to access cloud resources, to access other databases with database links, or anywhere that username/password type credentials are required. The password itself never has to be placed in a SQL script or stored in the database: the credential holds only the secret's OCID, and the Autonomous Database instance retrieves the secret value from the vault at runtime.

Prerequisites to Create Vault Secret Credentials with Oracle Cloud Infrastructure Vault

Describes the required prerequisite steps to use vault secret credentials with Oracle Cloud Infrastructure Vault secrets.

To create vault secret credentials where the secret is stored in Oracle Cloud Infrastructure Vault, first perform the required prerequisites.

  1. Create a vault and create a secret in the vault with Oracle Cloud Infrastructure Vault.

    For more information, see the instructions for creating a vault and a secret, Managing Vaults and Overview of Key Management.

  2. Set up a dynamic group to provide access to the secret in the Oracle Cloud Infrastructure Vault.

    Create a dynamic group for the Autonomous Database instance where you want to create a vault secret credential:

    1. In the Oracle Cloud Infrastructure console click Identity & Security.
    2. Under Identity click Domains and select an identity domain (or create a new identity domain).
    3. Under Identity domain, click Dynamic groups.
    4. Click Create dynamic group and enter a Name, a Description, and a rule.
      • Create Dynamic Group for an existing database:

        You can specify that an Autonomous Database instance is part of the dynamic group. The dynamic group in the following example includes only the Autonomous Database whose OCID is specified in the resource.id parameter:

        resource.id = 'your_Autonomous_Database_instance_OCID'
      • Create a Dynamic Group for a database that has not been provisioned yet:

        When you are creating the dynamic group before you provision or clone an Autonomous Database instance, the OCID for the new database is not yet available. For this case, create a dynamic group that specifies the resources in a given compartment:

        resource.compartment.id = 'your_Compartment_OCID'
    5. Click Create.
  3. Write policy statements for the dynamic group to enable access to Oracle Cloud Infrastructure resources (secrets).
    1. In the Oracle Cloud Infrastructure Console click Identity and Security and click Policies.
    2. To write policies for the dynamic group you created in the previous step, click Create Policy, and enter a Name and a Description.
    3. Use the show manual editor option of Policy Builder to create a policy.

      For example, to allow the dynamic group to read only one specific secret in a compartment (the more restrictive of the two policies, and the one to prefer when the database needs a single secret):

      Allow dynamic-group dynamic_group_name to read secret-bundles in compartment compartment_name
         where target.secret.id='secret_OCID'

      For example, to allow the dynamic group to read all secrets in a compartment:

      Allow dynamic-group dynamic_group_name to read secret-bundles in compartment compartment_name

      See Details for the Vault Service for more information.

    4. Select the group or dynamic group and select the location.
    5. Click Create.

Create Vault Secret Credentials with Oracle Cloud Infrastructure Vault

Describes the steps to use an Oracle Cloud Infrastructure Vault secret with credentials.

This allows you to store a secret in Oracle Cloud Infrastructure Vault and use the secret with the credential you create to access cloud resources or to access other databases.

To create vault secret credentials where the secret is stored in Oracle Cloud Infrastructure Vault:

  1. Enable resource principal authentication to provide access to a secret in the Oracle Cloud Infrastructure Vault.
  2. Create a dynamic group and define policies to allow your Autonomous Database to access secrets in an Oracle Cloud Infrastructure Vault.
  3. Use DBMS_CLOUD.CREATE_CREDENTIAL to create a vault secret credential.

    For example:

    BEGIN
      DBMS_CLOUD.CREATE_CREDENTIAL(
        credential_name => 'OCI_SECRET_CRED',
        params          => JSON_OBJECT(
            'username'  value 'SCOTT',
            'secret_id' value 'ocid1.vaultsecret.oc1.iad.example..aaaaaaaauq5ok5nq3bf2vwetkpqsoa'));
    END;
    /

    Where:

    • username: the username of the original credential. It can be the username of any type of username/password credential, such as the username of an OCI Swift user, the username required to access a database with a database link, and so on.

    • secret_id: the vault secret OCID. For example, when you store the password mysecret as a secret in Oracle Cloud Infrastructure Vault, the secret_id value is that secret's OCID; the password value itself does not appear in the CREATE_CREDENTIAL call.

    To create a vault secret credential you must have EXECUTE privilege on the DBMS_CLOUD package.

    See CREATE_CREDENTIAL Procedure for more information.

  4. Use the credential to access a cloud resource.

    For example:

    SELECT count(*) FROM DBMS_CLOUD.LIST_OBJECTS(
        'OCI_SECRET_CRED',
        'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/' );

Note

Every 12 hours the secret (password) is refreshed from the content in the Oracle Cloud Infrastructure Vault. If you change the secret value in the Oracle Cloud Infrastructure Vault, it can take up to 12 hours for the Autonomous Database instance to pick up the latest secret value.

Run DBMS_CLOUD.REFRESH_VAULT_CREDENTIAL to immediately refresh a vault secret credential. This procedure gets the latest version of the vault secret from Oracle Cloud Infrastructure Vault. See REFRESH_VAULT_CREDENTIAL Procedure for more information.
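The steps above, from enabling resource principal authentication through creating, checking, using and refreshing the vault secret credential, as one PL/SQL script. This is an added example and not code from the Oracle documentation page. The secret OCID, Object Storage namespace, bucket and region are constructed placeholder values. DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL, DBMS_CLOUD.DROP_CREDENTIAL and the USER_CREDENTIALS view are standard Autonomous Database / Oracle Database objects that the page itself does not show; check the package reference for your database version before relying on the exact parameter names.

```sql
-- Added example (not from the documentation page). Run the first block as
-- ADMIN; run the rest as the schema that owns the credential (SCOTT here),
-- which needs EXECUTE on DBMS_CLOUD.

-- 1. (As ADMIN) Enable resource principal authentication and grant its use
--    to SCOTT, so the instance can fetch the secret from OCI Vault using its
--    own identity rather than an API key stored in the database.
--    Parameter name 'username' is from the DBMS_CLOUD_ADMIN reference, not
--    from the page.
BEGIN
  DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL(username => 'SCOTT');
END;
/

-- 2. IAM side (done in the OCI console, not in SQL): a dynamic group that
--    matches this instance by resource.id, and a policy such as
--      Allow dynamic-group dynamic_group_name to read secret-bundles in
--      compartment compartment_name where target.secret.id='secret_OCID'
--    The 'where target.secret.id' clause limits the database to the one
--    secret it needs instead of every secret in the compartment.

-- 3. (As SCOTT) Create the vault secret credential. Only the secret OCID is
--    stored; the password value stays in the vault.
BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => 'OCI_SECRET_CRED',
    params          => JSON_OBJECT(
        'username'  value 'SCOTT',
        -- constructed placeholder OCID, replace with your secret's OCID
        'secret_id' value 'ocid1.vaultsecret.oc1.iad.example..aaaaaaaaplaceholder'));
END;
/

-- Confirm the credential exists and is enabled. No password column is
-- exposed here, which is the point of the vault-backed credential.
SELECT credential_name, username, enabled
  FROM user_credentials
 WHERE credential_name = 'OCI_SECRET_CRED';

-- 4. Use the credential against a cloud resource. If the resource principal
--    or the IAM policy is missing, this call fails with an authorization
--    error rather than silently using a stale password.
SELECT COUNT(*) AS object_count
  FROM DBMS_CLOUD.LIST_OBJECTS(
         'OCI_SECRET_CRED',
         -- constructed placeholder URI
         'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o/');

-- 5. After rotating the secret in OCI Vault, pull the new version now
--    instead of waiting for the 12-hour automatic refresh.
BEGIN
  DBMS_CLOUD.REFRESH_VAULT_CREDENTIAL(credential_name => 'OCI_SECRET_CRED');
END;
/

-- Optional cleanup when the credential is no longer needed.
BEGIN
  DBMS_CLOUD.DROP_CREDENTIAL(credential_name => 'OCI_SECRET_CRED');
END;
/
```

The refresh call in step 5 is what makes secret rotation in the vault take effect immediately on the database side; without it, a rotated secret can leave the credential using the previous value for up to 12 hours, so a rotation runbook should include the refresh (or a short wait plus a test query such as the LIST_OBJECTS call) before the old password is retired at the target service.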