Authorize Instance Principals to call services in Oracle Cloud Infrastructure
- Create a dynamic group
- Create a policy granting the dynamic group permissions to access services in OCI
- Install the OCI CLI on an OCI compute instance
- Enable instance principal authorization for the CLI
- Call services from an instance
Dynamic groups allow you to group Oracle Cloud Infrastructure compute instances as "principal" actors (similar to user groups) and to create policies that permit those instances to make API calls against Oracle Cloud Infrastructure services. When a dynamic group is created, a set of matching rules defines its members instead of members being added explicitly to the group.
For example, a rule could specify that all instances in a compartment are members of the dynamic group; the membership then changes dynamically as instances are launched and terminated in that compartment. Because membership is automatic, keep the rule as narrow as possible: a rule that matches a whole compartment grants the group's policies to every instance anyone later launches there.
Creating the Dynamic Group
1.1. Open the hamburger menu, go to Governance and Administration, then Identity, and click Dynamic Groups.
1.2. Under the Matching Rules tab click Rule Builder; it appears as shown below.
Any includes instances that match any of the statements in the rule. All includes only instances that match all of the statements in the rule.
1.3. Click Add Rule.
Note :- I copied and pasted the compartment OCID (POC_EBS_APPS) and the compute instance OCID (DNS_ZONE) into the rule fields.
1.4. Once the rules are added they appear as shown below.
1.5. Select a tag from the drop-down if required and click Create.
Creating a policy for the Dynamic Group
2.1. From the hamburger menu go to Identity, click Policies, select your compartment and click Create Policy.
2.2. Give the policy a name and description; the policy version (keep current, or a fixed version date) can also be selected here. A statement has the form
Allow dynamic-group <dynamic_group_name> to <verb> <resource-type> in compartment <compartment_name>, i.e. Allow dynamic-group DYNAMIC_TEST to manage buckets in compartment POC_EBS_APPS
Note :- Resource types are written in the plural in policy syntax (buckets, objects). manage is the broadest verb; grant the narrowest verb the workload actually needs (inspect, read, use) and add a where clause when the instance should only touch a specific bucket, because every instance matched by the dynamic group receives exactly these rights.
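The same two steps (sections 1 and 2) done with the OCI CLI instead of the Console, as an added example that is not part of the original post. It builds the Any/All matching rule the Rule Builder would produce, does a format check on the OCIDs before they reach a policy, and writes a least-privilege statement scoped to one bucket with a where clause. The OCIDs passed on the command line, the policy name DYNAMIC_TEST_POLICY and the "apply" argument are this example's own assumptions; a CLI profile with IAM rights is assumed to be configured on the machine running it.

```shell
#!/bin/sh
# Added example: create the dynamic group and its policy from the CLI.
# Nothing is sent to OCI unless the script is run as: ./setup.sh apply <compartment-ocid> <instance-ocid> <tenancy-ocid>
set -eu

# Build a dynamic-group matching rule from one or more
# "instance.<attribute> = '<ocid>'" statements. MODE is "Any" or "All",
# mirroring the Console's Rule Builder; a single statement needs no wrapper.
build_matching_rule() {
  mode="$1"; shift
  stmts=""
  for s in "$@"; do
    stmts="${stmts:+$stmts, }$s"
  done
  if [ "$#" -eq 1 ]; then
    printf '%s' "$1"
  else
    printf '%s {%s}' "$mode" "$stmts"
  fi
}

# Cheap format check (ocid1.<type>.<realm>.[region].<id>) so a pasted value
# that is not an OCID cannot end up inside a rule or statement. This does not
# prove the resource exists; the API does that.
is_ocid() {
  printf '%s' "$1" | grep -Eq '^ocid1\.[a-z0-9]+\.oc[0-9]+\.[a-z0-9-]*\.[a-z0-9]+$'
}

# Build one policy statement. Resource types are plural in OCI policy syntax
# ("buckets", "objects"); an optional where clause narrows the grant.
build_policy_statement() {
  group="$1"; verb="$2"; resource="$3"; compartment="$4"; cond="${5:-}"
  stmt="Allow dynamic-group $group to $verb $resource in compartment $compartment"
  if [ -n "$cond" ]; then
    stmt="$stmt where $cond"
  fi
  printf '%s' "$stmt"
}

main() {
  compartment_ocid="$1"; instance_ocid="$2"; tenancy_ocid="$3"
  is_ocid "$compartment_ocid" && is_ocid "$instance_ocid" && is_ocid "$tenancy_ocid" \
    || { echo "refusing to continue: malformed OCID" >&2; return 1; }

  # Same rule as the post's Rule Builder screenshot: the compartment or the one instance.
  rule="$(build_matching_rule Any \
    "instance.compartment.id = '$compartment_ocid'" \
    "instance.id = '$instance_ocid'")"

  # Dynamic groups live in the tenancy (root compartment).
  oci iam dynamic-group create --compartment-id "$tenancy_ocid" \
    --name DYNAMIC_TEST \
    --description "Instances allowed to manage dynamic_bucket in POC_EBS_APPS" \
    --matching-rule "$rule"

  # Least privilege: manage buckets, but only the one bucket this workload uses.
  stmt="$(build_policy_statement DYNAMIC_TEST manage buckets POC_EBS_APPS \
    "target.bucket.name = 'dynamic_bucket'")"
  oci iam policy create --compartment-id "$compartment_ocid" \
    --name DYNAMIC_TEST_POLICY \
    --description "Let DYNAMIC_TEST manage dynamic_bucket" \
    --statements "[\"$stmt\"]"
}

# Only talk to OCI when explicitly asked; otherwise this file just defines
# the helper functions above so they can be sourced or tested.
if [ "${1:-}" = "apply" ]; then
  main "$2" "$3" "$4"
fi
```

The compartment OCID is the same value the post later passes to oci os bucket create; the tenancy OCID is needed because dynamic groups are created at the tenancy level, not inside a compartment.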
Installing the OCI CLI on the compute instance
3.1. Log in to the compute instance and run the installer script with the following curl command:
bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"
Press Enter at each prompt to accept the default values and wait for the "Installation successful" message.
Note :- This one-liner executes whatever the download returns without giving you a chance to read it. On a production instance, download install.sh first, review it (and pin the oci-cli release it installs), or install the CLI with pip install oci-cli instead.
Note :- The CLI is a small-footprint tool which can be used on its own or together with the Console to complete Oracle Cloud Infrastructure tasks. It provides the same core functionality as the Console plus additional commands; some of these, such as the ability to run scripts, extend what the Console can do.
Enabling Instance Principal Authorization for the CLI
Instance Principal :- Instance principals let instances (and the applications running on them) make API calls against other OCI services without user credentials or a configuration file on the host. The credential is the instance's own identity certificate, which the CLI and SDKs obtain from the instance metadata service, so any process on the instance that can reach that service can act with the dynamic group's permissions. Treat the grant as a host-level credential and scope the policy accordingly.
4.1. To use instance principal authorization from the CLI, set the authorization option (--auth) on a command. For example:
oci os ns get --auth instance_principal
or set the following environment variable so that every CLI command uses it:
export OCI_CLI_AUTH=instance_principal
Calling Services from an Instance, i.e. creating a bucket (dynamic_bucket)
Once instance principal authorization is enabled, run the following OCI CLI command on the instance to create the bucket:
oci os bucket create --name dynamic_bucket --compartment-id ocid1.compartment.oc1..aaaaaaaaaltvdpuacnzvouc2uw4a2pllcfa5ftl22dxn2uf34olqurx2mxqq --auth instance_principal
5.1. The bucket was created successfully; the command prints the new bucket's JSON description. A 404 NotAuthorizedOrNotFound response at this point usually means the instance is not matched by the dynamic group or the policy does not cover the compartment.
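The instance-side steps of sections 4 and 5 as one script, added here as an example that is not part of the original post. It switches the CLI to the instance principal with OCI_CLI_AUTH, confirms the instance metadata service (where the CLI fetches the instance's identity certificate) is reachable before blaming IAM for a failure, checks that the principal is actually authorized by retrieving the Object Storage namespace, and creates the bucket only if it does not already exist, so the script can be re-run safely. The "apply" argument, the BUCKET/COMPARTMENT positional parameters and the sample JSON in the comments are this example's own conventions.

```shell
#!/bin/sh
# Added example: create a bucket from an OCI instance as its instance principal.
# Usage on the instance: ./bucket.sh apply dynamic_bucket ocid1.compartment.oc1..xxxx
set -eu

METADATA_URL="http://169.254.169.254/opc/v2"

# Extract the namespace from the JSON that `oci os ns get` prints, e.g.
# {"data": "axaxnpcrorw5"} (constructed sample), without depending on jq.
parse_namespace() {
  printf '%s' "$1" | sed -n 's/.*"data"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# The v2 metadata endpoint refuses requests that lack this header, so the
# check also shows the header a tool on the host needs to talk to it.
metadata_available() {
  curl -sf -m 3 -H "Authorization: Bearer Oracle" "$METADATA_URL/instance/" >/dev/null 2>&1
}

# `oci os bucket get` exits non-zero when the bucket is absent (or not
# visible to this principal), so a failed get is our cue to create it.
ensure_bucket() {
  bucket="$1"; compartment="$2"
  if oci os bucket get --name "$bucket" >/dev/null 2>&1; then
    echo "bucket $bucket already exists"
  else
    oci os bucket create --name "$bucket" --compartment-id "$compartment"
  fi
}

main() {
  bucket="$1"; compartment="$2"

  # Equivalent to adding --auth instance_principal to every command below.
  export OCI_CLI_AUTH=instance_principal

  metadata_available || {
    echo "instance metadata service unreachable: not an OCI instance, or blocked by a host firewall" >&2
    return 1
  }

  # First authorized call: proves the CLI got a certificate and IAM accepted it.
  ns="$(parse_namespace "$(oci os ns get)")"
  [ -n "$ns" ] || {
    echo "could not read the namespace as instance principal: check dynamic group membership and the policy" >&2
    return 1
  }
  echo "authorized as instance principal; namespace: $ns"

  ensure_bucket "$bucket" "$compartment"
}

# Only contact OCI when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
  main "${2:-dynamic_bucket}" "${3:?compartment OCID required}"
fi
```

Running it a second time reports that the bucket already exists instead of failing with a conflict, which is what you want from anything that ends up in cloud-init or a deployment pipeline.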