Wednesday, July 30, 2025

OCI Resource Principal

 
 
Autonomous Database (ADB-S) users often interact with other resources in Oracle Cloud Infrastructure (OCI) to perform common operations such as reading from and writing to Object Storage locations. In the past we have discussed Credential objects, which let an ADB-S instance access other resources (such as OCI Buckets, Vault, etc.). Today we will discuss the OCI Resource Principal: what it is and how to configure it.
 
An OCI resource principal is a principal type in Oracle Identity and Access Management (IAM) that eliminates the need to create and configure OCI user credential objects in the database. In other words, a resource principal uses a frequently refreshed certificate to sign the API calls to certain OCI services (e.g. Object Storage, Vault), and the authorization is established through dynamic groups and IAM policies.
 
 
In the remainder of this blog post, I'm going to demonstrate how to create an OCI resource principal and use it to access OCI Object Storage contents.
 
Create Dynamic Group and policy.
 
First, we need to create a dynamic group and a policy to be able to use resource principal authentication; that is, we tell Identity and Access Management (IAM) that a given ADB-S instance should be able to access OCI buckets.
 
1. In the OCI console, go to Identity & Security >> Domains >> Dynamic Groups >> Create Dynamic Groups
2. Since I want my ADB-S instance to be a member of this Dynamic Group, I need to add the OCID of my database instance in the matching rule shown below.
 


 
Now that we have created a dynamic group that includes our ADB-S instance, we can go ahead and create a policy that allows this resource to access other resources residing in the compartment or tenancy.
 
1) In the OCI console, go to Identity & Security >> Policy >> Create Policy
2) Add your policy statement, either as plain text or using the policy builder
 


 
The above policy allows read and write access to OCI buckets.
 
 
Resource principal is not enabled by default. In order to use resource principal in our ADB-S instance, we need to enable it using the DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL() procedure.
 
admin@ATP19C> EXEC DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL();
 
PL/SQL procedure successfully completed.
 
The above step enables resource principal for the ADMIN user. If you would like other database users to call the DBMS_CLOUD API using resource principal, the ADMIN user can enable resource principal authentication for those users as well.
 
admin@ATP19C> EXEC DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL('DEMO_USER');
 
PL/SQL procedure successfully completed.
 
admin@ATP19C> EXEC DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL('DEMO');
 
PL/SQL procedure successfully completed.
 
To verify which database users have resource principal enabled, we can use the following query.
 
admin@ATP19C> select grantee
  2  from all_tab_privs
  3  where table_name ='OCI$RESOURCE_PRINCIPAL'
  4  and grantor ='ADMIN';
 
GRANTEE
---------------------
C##CLOUD$SERVICE
GRAPH$METADATA
DEMO_USER
RAJESH
DEMO
 
 
As the final step of the demonstration, we use the resource principal to access the Object Storage contents.
 
demo-user@ATP19C> variable uri varchar2(100)
demo-user@ATP19C> exec :uri := 'https://objectstorage.us-ashburn-1.oraclecloud.com/n/idcglquusbz6/b/MY_DEMO_BUCKET/o/EXPORT_DEMO/';
 
PL/SQL procedure successfully completed.
 
demo-user@ATP19C> select count(*)
  2  from dbms_cloud.list_objects(
  3          credential_name =>'OCI$RESOURCE_PRINCIPAL'
  4          , location_uri => :uri);
 
  COUNT(*)
----------
         1
 
As you might have noticed, OCI$RESOURCE_PRINCIPAL is the credential_name we need to specify in DBMS_CLOUD APIs whenever we want to use resource principal authentication.
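The listing above only exercises the read side of the policy. The following PL/SQL block is an added example (not part of the original post) that, run as DEMO_USER, performs a full write / list / read-back / delete round trip through OCI$RESOURCE_PRINCIPAL, so a mismatch between the dynamic group rule, the policy verbs and the user's resource principal grant surfaces at the exact step that fails. It assumes the namespace and bucket URI shown earlier in the post; the RP_SMOKE_TEST prefix and probe object name are constructed for this example.

```sql
-- Added example: round-trip check of resource principal access (not from the original post).
-- Assumes ADMIN already ran DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL('DEMO_USER').
set serveroutput on
declare
  l_cred    constant varchar2(30)  := 'OCI$RESOURCE_PRINCIPAL';
  l_base    constant varchar2(200) :=
    'https://objectstorage.us-ashburn-1.oraclecloud.com/n/idcglquusbz6/b/MY_DEMO_BUCKET/o/';
  l_prefix  constant varchar2(50)  := 'RP_SMOKE_TEST/';          -- constructed prefix
  l_file    constant varchar2(60)  := 'probe_' || to_char(sysdate, 'YYYYMMDDHH24MISS') || '.txt';
  l_uri     constant varchar2(300) := l_base || l_prefix || l_file;
  l_payload constant varchar2(100) := 'resource principal write check by ' || user;
  l_blob    blob;
  l_count   pls_integer;
begin
  -- 1) write: exercises the write/manage side of the policy
  dbms_cloud.put_object(
    credential_name => l_cred,
    object_uri      => l_uri,
    contents        => to_blob(utl_raw.cast_to_raw(l_payload)));

  -- 2) list: exercises the read side; the probe must show up under the prefix
  select count(*) into l_count
    from dbms_cloud.list_objects(l_cred, l_base || l_prefix)
   where object_name like '%' || l_file;
  dbms_output.put_line('probe objects listed: ' || l_count);

  -- 3) read back and compare with what was written
  l_blob := dbms_cloud.get_object(credential_name => l_cred, object_uri => l_uri);
  if utl_raw.cast_to_varchar2(dbms_lob.substr(l_blob, dbms_lob.getlength(l_blob), 1)) = l_payload then
    dbms_output.put_line('read-back OK');
  else
    dbms_output.put_line('read-back MISMATCH');
  end if;

  -- 4) delete: leaves nothing behind and confirms delete is permitted too
  dbms_cloud.delete_object(credential_name => l_cred, object_uri => l_uri);
  dbms_output.put_line('deleted ' || l_prefix || l_file);
exception
  when others then
    -- a DBMS_CLOUD error at a given step usually means the dynamic group does not
    -- match this ADB-S instance, the policy lacks the verb for that step, or this
    -- user was never granted OCI$RESOURCE_PRINCIPAL by ADMIN
    dbms_output.put_line('failed: ' || sqlerrm);
    raise;
end;
/
```

If the block fails at step 2 or 3 but not step 1, the policy grants write but not read on the bucket (or vice versa), which is exactly the kind of gap the dynamic group and policy review should catch.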
 
To summarize, resource principal is a really neat Oracle IAM capability that enables your OCI resources to access various OCI services through dynamic groups and policies. Creating dynamic groups and policies can potentially be a one-time operation, since you can define your dynamic group such that it includes all existing and future ADB-S instances in a given compartment. Whenever you provision a new ADB-S instance, all you have to do is enable resource principal for that instance via the DBMS_CLOUD_ADMIN API if the instance needs to access other OCI services or resources. Much simpler and easier than creating credential objects via auth tokens or OCI native authentication!