OCI SDK Authentication Methods

The OCI SDK and CLI support the following authentication methods:
  • API key-based authentication
  • Session token-based authentication
  • Instance principal
  • Resource principal

This section discusses each method in detail and provides examples.

API Key-Based Authentication

In this authentication method, you create a configuration file and store it on the local disk. The configuration file contains details such as the user OCID, tenancy OCID, region, private key path, and fingerprint. This authentication method creates a permanent configuration file on your machine. It should be used if you are working from a secure network and are comfortable storing private keys and configuration locally.

Examples

The following section shows examples of API key-based authentication.

CLI

You can use the following CLI commands to set up API key-based authentication:

"oci setup bootstrap": This command helps you set up a configuration file. You can log in via a browser, and your configuration file is automatically created and uploaded to the console. For more details, see oci setup bootstrap.

"oci setup config": This command helps you set up a configuration file from a command-line session without browser support. It is an interactive CLI command that prompts you for information (including a user OCID, a tenancy OCID, and region name) and creates a private key. Once the file is created, you need to upload your public key to the console. For more information, see oci setup config.

Python

For an example of Python usage, see this example on GitHub.
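
The configuration file described above points at a private key, so both files should be readable by their owner only. The following check is an added example, not code from the OCI SDK or its documentation; it assumes the standard config-file key names (user, tenancy, region, key_file, fingerprint), and the OCIDs and key file in demo() are constructed placeholders.

```python
import configparser
import os
import stat
import tempfile

# Fields the page lists for an API-key profile, under their config-file key names.
REQUIRED_KEYS = ("user", "tenancy", "region", "key_file", "fingerprint")


def audit_profile(config_path, profile="DEFAULT"):
    """Return a list of findings for one profile of an OCI config file."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)
    if not parser.read(config_path):
        return [f"cannot read {config_path}"]
    if profile != "DEFAULT" and not parser.has_section(profile):
        return [f"profile {profile} not found"]
    section = parser[profile]
    for key in REQUIRED_KEYS:
        if not section.get(key):
            findings.append(f"missing {key}")
    # The config file and the private key should be accessible to the owner only.
    paths = [config_path]
    if section.get("key_file"):
        paths.append(os.path.expanduser(section["key_file"]))
    for path in paths:
        if not os.path.isfile(path):
            findings.append(f"{path} does not exist")
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{path} is accessible to group or others")
    return findings


def demo():
    """Audit a constructed profile: no fingerprint, key file mode 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "oci_api_key.pem")
        cfg = os.path.join(tmp, "config")
        with open(key, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        with open(cfg, "w") as fh:
            fh.write("[DEFAULT]\nuser=ocid1.user.oc1..constructed\n"
                     f"tenancy=ocid1.tenancy.oc1..constructed\nregion=us-ashburn-1\nkey_file={key}\n")
        os.chmod(cfg, 0o600)
        os.chmod(key, 0o644)  # deliberately too open
        return audit_profile(cfg)


if __name__ == "__main__":
    print(demo())
```

The permission test relies on POSIX mode bits, so it is meaningful on Linux and macOS only.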

Java

For a simple example of Java usage, see this example on GitHub.

For an example of using a configuration file with the Java SDK, see this example on GitHub.

.NET

For an example of .NET usage, see this example on GitHub.

PowerShell

The Set-OCIClientConfig cmdlet in the Common module provides a guided walk-through for setting up a configuration file. See the PowerShell Docs Configuration File section for more information.

Ruby

For an example of Ruby usage, see this example on GitHub.

TypeScript

For an example of TypeScript usage, see this example on GitHub.

Go

For an example of Go usage, be sure to read the README file, and then see this example on GitHub.

Session Token-Based Authentication

Using session-token-based authentication, you create a local configuration file that contains information including the user OCID, tenancy OCID, region, private key path and a temporary session token file path. This method uses this information along with the temporary session token, which expires in an hour (by default). Session token-based authentication can be used when you need quick, temporary authentication.

Examples

The following section shows examples of session token-based authentication.

CLI

You can use the following CLI command to set up session token-based authentication:

"oci session authenticate": This command sets a temporary session token. Sign in via a browser, and a session configuration file is automatically created that you can use to authenticate until the session expires (by default, expiration is in 60 minutes). After the session expires, you need to refresh the session token. For more information, see oci session authenticate.

Python

For an example of Python usage, see Running Scripts on a Computer without a Browser.
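
Because the session token expires (after 60 minutes by default), a script can check how long the token has left before it makes calls. This is an added example, not part of the OCI SDK; it assumes the session token file holds a JWT whose exp claim carries the expiry time, and the sample token is constructed and unsigned.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_seconds_left(token, now=None):
    """Seconds until the token's exp claim; negative once it has expired.

    Only the claims are read. The signature is NOT verified, so this is a
    local freshness check and not a validation of the token.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = json.loads(b64url_decode(parts[1]))
    if "exp" not in claims:
        raise ValueError("token has no exp claim")
    return int(claims["exp"]) - int(now if now is not None else time.time())


def needs_refresh(token, margin=300, now=None):
    """True when the token expires within `margin` seconds (or already has)."""
    return token_seconds_left(token, now) <= margin


def make_sample_token(issued_at, lifetime=3600):
    """Constructed, unsigned sample token (60-minute lifetime, the page's default)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iat": issued_at, "exp": issued_at + lifetime}
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    sample = make_sample_token(int(time.time()) - 3400)
    print(token_seconds_left(sample), needs_refresh(sample))
```

In real use, pass the contents of the session token file that the profile references instead of the sample token.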

Java

For an example of Java usage, see this example on GitHub.

.NET

For an example of .NET usage, see this example on GitHub.

PowerShell

Not supported.

Ruby

Not supported.

TypeScript

For an example of TypeScript usage, see this example on GitHub.

Go

For an example of Go usage, see this example on GitHub.

Instance Principal Authentication

Using instance principal authentication, you can authorize an instance to make API calls on Oracle Cloud Infrastructure services. After you set up the required resources and policies, an application running on an instance can call Oracle Cloud Infrastructure public services, removing the need to configure user credentials or a configuration file. For more details, see instance principal.

Instance principal authentication can be used from an instance or VM where you don't want to store a configuration file.

Examples

The following section shows examples of instance principal authentication.

CLI

You can use the following CLI command to set up instance principal-based authentication:

"oci setup instance-principal": This command helps you to set up instance principal authentication on an existing instance from a machine where you already have OCI CLI authentication configured. For example, you can run this command from Cloud Shell (which is authenticated using a delegation token) to set up instance principal on an instance. For more information, see oci setup instance-principal.

To set up instance principal dynamic groups and policies manually, see Calling Services from Instances.

Python

For an example of Python usage, see this example on GitHub.

Java

For an example of Java usage, see this example on GitHub.

.NET

For an example of .NET usage, see this example on GitHub.

Ruby

For an example of Ruby usage, see this example on GitHub.

TypeScript

For an example of TypeScript usage, see this example on GitHub.

Go

For an example of how you can create and configure instance principal authentication using the Go SDK, see this example on GitHub.

For an example that uses instance principal authentication, see this example on GitHub.

Resource Principal Authentication

Resource principal authentication is very similar to instance principal authentication, but is intended to be used for resources that are not instances, such as serverless functions.

Examples

The following section shows examples of resource principal authentication.

Python

For an example of Python usage, see this example on GitHub.

Java

For an example of Java usage, see this example on GitHub.

.NET

For an example of .NET usage, see this example on GitHub.

PowerShell

Example not available.

Ruby

For an example of Ruby usage using RPv1.1, see this example on GitHub.

For an example of Ruby usage using RPv2.2, see this example on GitHub.

TypeScript

For an example of TypeScript usage, see this example on GitHub.

Go

For an example of Go usage, see this example on GitHub.