OCI Resource Principal
Autonomous Database (ADB-S) users often interact with other resources in Oracle Cloud Infrastructure (OCI) to perform common operations such as reading and writing the contents of Object Storage locations. In the past we discussed credential objects, which an ADB-S instance can use to access other resources (OCI buckets, Vault, etc.); today we will discuss OCI resource principal, what it is and how to configure it.
OCI resource principal is a principal type in Oracle Identity and Access Management (IAM) that eliminates the need to create and configure OCI user credential objects in the database. In other words, a resource principal uses a frequently refreshed certificate to sign the API calls to certain OCI services (e.g. Object Storage, Vault), and authorization is established through dynamic groups and IAM policies.
In the remainder of this blog post, I’m going to demonstrate how to create an OCI resource principal and use it to access OCI Object Storage contents.
Create Dynamic Group and policy.
First, we need to create a dynamic group and a policy to be able to use resource principal authentication; that is, we tell Identity and Access Management (IAM) that a given ADB-S instance should be able to access OCI buckets.
1. In the OCI console, go to Identity & Security >> Domains >> Dynamic Groups >> Create Dynamic Group
2. Since I want my ADB-S instance to be a member of this dynamic group, I need to add the OCID of my database instance in the group's matching rule.
Now that we have created a dynamic group that includes our ADB-S instance, we can go ahead and create a policy to allow this resource to access other resources that reside in a compartment / tenancy.
1) In the OCI console, go to Identity & Security >> Policy >> Create Policy
2) Add your policy statement in plain text or using the policy builder
The above policy allows read and write access to OCI buckets.
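As an added example (not from the original post, whose screenshots of the rule and policy are not reproduced here), the following shows the shape of a dynamic group matching rule and of the policy statements that grant the read/write access described above. The group name, compartment name and OCIDs are placeholders. The second rule goes beyond the single-instance case in the post and matches every existing and future ADB-S instance in one compartment.

```text
# Dynamic group matching rule for one specific instance (placeholder OCID):
resource.id = 'ocid1.autonomousdatabase.oc1..<adb-ocid-placeholder>'

# Alternative rule: all existing and future ADB-S instances in one compartment:
ALL {resource.type = 'autonomousdatabase', resource.compartment.id = 'ocid1.compartment.oc1..<compartment-ocid-placeholder>'}

# Policy statements giving the group read and write access to the buckets of one compartment:
Allow dynamic-group <adb-dynamic-group> to read buckets in compartment <bucket-compartment>
Allow dynamic-group <adb-dynamic-group> to manage objects in compartment <bucket-compartment>
```

If the database only ever reads from the bucket, replace `manage objects` with `read objects`, which still covers listing and fetching objects through DBMS_CLOUD; scoping both statements to the compartment that holds the buckets rather than to the tenancy keeps the principal's reach to the minimum the database needs.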
Resource principal is not enabled by default. In order to use resource principal in our ADB-S instance, we need to enable it with the DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL() procedure.
admin@ATP19C> EXEC DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL();

PL/SQL procedure successfully completed.
The above step enables resource principal for the ADMIN user. If you would like other database users to call the DBMS_CLOUD API using resource principal, the ADMIN user can enable resource principal authentication for those users as well.
admin@ATP19C> EXEC DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL('DEMO_USER');

PL/SQL procedure successfully completed.

admin@ATP19C> EXEC DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL('DEMO');

PL/SQL procedure successfully completed.
To verify that resource principal is enabled, we can use the following query.
admin@ATP19C> select grantee
  2  from all_tab_privs
  3  where table_name = 'OCI$RESOURCE_PRINCIPAL'
  4  and grantor = 'ADMIN';

GRANTEE
---------------------
C##CLOUD$SERVICE
GRAPH$METADATA
DEMO_USER
RAJESH
DEMO
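Putting the enable step and the verification query together, here is an added example (not the post's own code) that runs as ADMIN, enables resource principal for a constructed list of schemas only where the grant is still missing, and shows the matching DBMS_CLOUD_ADMIN.DISABLE_RESOURCE_PRINCIPAL call for revoking it again. The schema names DEMO_USER and DEMO are the ones used above.

```sql
SET SERVEROUTPUT ON

-- Added example, not from the post. Assumes it runs as ADMIN on an ADB-S instance.
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(128);
  l_users   name_list := name_list('DEMO_USER', 'DEMO');  -- constructed schema names
  l_granted NUMBER;
BEGIN
  -- Enable for the database (ADMIN) first: this creates the OCI$RESOURCE_PRINCIPAL credential.
  SELECT COUNT(*) INTO l_granted
    FROM dba_credentials
   WHERE credential_name = 'OCI$RESOURCE_PRINCIPAL'
     AND owner = 'ADMIN';
  IF l_granted = 0 THEN
    DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL();
    DBMS_OUTPUT.PUT_LINE('enabled resource principal for ADMIN');
  END IF;

  -- Then grant it to each listed schema that does not already have it
  -- (same check as the ALL_TAB_PRIVS query above).
  FOR i IN 1 .. l_users.COUNT LOOP
    SELECT COUNT(*) INTO l_granted
      FROM all_tab_privs
     WHERE table_name = 'OCI$RESOURCE_PRINCIPAL'
       AND grantor = 'ADMIN'
       AND grantee = l_users(i);
    IF l_granted = 0 THEN
      DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL(l_users(i));
      DBMS_OUTPUT.PUT_LINE('enabled resource principal for ' || l_users(i));
    ELSE
      DBMS_OUTPUT.PUT_LINE('resource principal already enabled for ' || l_users(i));
    END IF;
  END LOOP;
END;
/

-- Revoke for one schema when it no longer needs OCI access; called without an
-- argument it removes the database-level credential entirely.
EXEC DBMS_CLOUD_ADMIN.DISABLE_RESOURCE_PRINCIPAL('DEMO');
```

Re-running the ALL_TAB_PRIVS query after the DISABLE call should no longer list DEMO, which is a quick way to confirm that the revocation took effect.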
As a final step of the demonstration, we can use the resource principal to access the Object Storage contents.
demo-user@ATP19C> variable uri varchar2(100)
demo-user@ATP19C> exec :uri := 'https://objectstorage.us-ashburn-1.oraclecloud.com/n/idcglquusbz6/b/MY_DEMO_BUCKET/o/EXPORT_DEMO/';

PL/SQL procedure successfully completed.

demo-user@ATP19C> select count(*)
  2  from dbms_cloud.list_objects(
  3         credential_name => 'OCI$RESOURCE_PRINCIPAL'
  4       , location_uri => :uri);

  COUNT(*)
----------
         1
As you might have noticed, OCI$RESOURCE_PRINCIPAL is the credential_name we need to specify in DBMS_CLOUD APIs whenever we want to use resource principal authentication.
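To show more of what this credential name unlocks, here is an added example (not part of the original post) that uses OCI$RESOURCE_PRINCIPAL with DBMS_CLOUD.LIST_OBJECTS, EXPORT_DATA and CREATE_EXTERNAL_TABLE from a schema for which resource principal has been enabled. The Object Storage namespace, the bucket, the EMPLOYEES table and the EMPLOYEES_EXT name are constructed placeholders.

```sql
SET SERVEROUTPUT ON

-- Added example, not from the post. Run as a schema that has resource principal enabled.
DECLARE
  -- Constructed placeholders: replace <namespace> and the bucket name with your own.
  l_base CONSTANT VARCHAR2(256) :=
    'https://objectstorage.us-ashburn-1.oraclecloud.com/n/<namespace>/b/MY_DEMO_BUCKET/o/EXPORT_DEMO/';
BEGIN
  -- 1. Read side: enumerate what the principal is allowed to see under the prefix.
  FOR r IN (SELECT object_name, bytes, last_modified
              FROM dbms_cloud.list_objects(
                     credential_name => 'OCI$RESOURCE_PRINCIPAL',
                     location_uri    => l_base)
             ORDER BY last_modified DESC)
  LOOP
    DBMS_OUTPUT.PUT_LINE(r.object_name || ' (' || r.bytes || ' bytes)');
  END LOOP;

  -- 2. Write side: export a query result to the bucket as CSV with a header row.
  --    EXPORT_DATA treats the URI as a prefix and generates the actual file names.
  DBMS_CLOUD.EXPORT_DATA(
    credential_name => 'OCI$RESOURCE_PRINCIPAL',
    file_uri_list   => l_base || 'employees.csv',
    query           => 'SELECT employee_id, name FROM employees',
    format          => '{"type":"csv","header":true}');

  -- 3. Read side again: expose the exported file(s) as an external table
  --    without copying the data into the database; the wildcard matches the
  --    generated names and skipheaders drops the header row written in step 2.
  DBMS_CLOUD.CREATE_EXTERNAL_TABLE(
    table_name      => 'EMPLOYEES_EXT',
    credential_name => 'OCI$RESOURCE_PRINCIPAL',
    file_uri_list   => l_base || 'employees*.csv',
    column_list     => 'employee_id NUMBER, name VARCHAR2(100)',
    format          => '{"type":"csv","skipheaders":1}');
END;
/

SELECT COUNT(*) FROM employees_ext;
```

None of the three calls carries a secret: the database signs the requests with the certificate behind the resource principal. If any of them fails with an authorization error from DBMS_CLOUD, the place to look is the dynamic group matching rule and the policy statements (does the rule really match this instance's OCID, and does the policy cover the compartment the bucket lives in), not the database side.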
To summarize, resource principal is a really neat Oracle IAM capability that enables your OCI resources to access various OCI services through dynamic groups and policies. Creating dynamic groups and policies can potentially be a one-time operation, since you can define your dynamic group such that it includes all existing and future ADB-S instances in a given compartment. Whenever you provision a new ADB-S instance, all you have to do is enable resource principal for that instance via the DBMS_CLOUD_ADMIN API if the instance needs to access other OCI services or resources. Much simpler and easier than creating credential objects via auth tokens or OCI native authentication!