Oracle Cloud Infrastructure Documentation

Using the Console

Use the OCI Console to manage users and other features.

Changing your Console Password

You're prompted to change your initial one-time password the first time you sign in to the Console. The following procedure is for changing your password again later.

Note

For Federated Users

If your company uses an identity provider (other than Oracle Identity Cloud Service) to manage user logins and passwords, you can't use the Console to update your password. You do that with your identity provider.

  1. Sign in to the Console using the Oracle Cloud Infrastructure User Name and Password.

  2. After you sign in, select the Profile menu (Profile menu icon), which is on the upper-right side of the navigation bar at the top of the page, and then click Change password.

  3. Enter the Current Password.
  4. Enter your new password in the New Password and Confirm New Password fields, and then click Save New Password.
  1. Sign in to the Console by using your Oracle Cloud Infrastructure username and password.

  2. Select the Profile menu (Profile menu icon), which is on the upper-right side of the navigation bar at the top of the page, and then click My Profile, and then click Change password.

  3. Click Current password, and then enter the current password.
  4. Click New password, and then enter a new password.
  5. Click Confirm new password, and then enter the new password again.
  6. When you are finished and the password satisfies all password criteria, click Save.
Resetting Another User's Console Password

If you're an administrator, you can use the following procedure to reset a user's password. The procedure generates and sends a reset password email to the user. The email includes a link to the page where the user must change their password before they can sign in to the Console again.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users.
  3. Click the user with the password that you want to reset.

  4. Click Reset password.

  5. To confirm, click Reset password.

    The user will receive an email prompting them to reset their password. If they don't change it within the period specified in the email, the link will expire and you'll need to reset the password for the user again.

Resetting Your Password If You Forgot It

If you have an email address in your user profile, you can use the Forgot Password link on the sign-in page to have a temporary password sent to you. If you don't have an email address in your user profile, you must ask an administrator to reset your password for you.

Note

An administrator defines password rules, such as length, required characters, and any character limitations. If you have questions about the rules, ask an administrator for a copy of the password policy.
Unblocking a User

If you're an administrator, you can unblock a user who has tried 10 times in a row to sign in to the Console unsuccessfully. See Unlocking a User.

Adding an API Signing Key

You can use the Console to generate the private/public key pair for you. If you already have a key pair, you can choose to upload the public key. When you use the Console to add the key pair, the Console also generates a configuration file preview snippet for you.

The following procedures work for a regular user or an administrator. Administrators can manage API keys for either another user or themselves.

About the Configuration File Snippet

When you use the Console to add the API signing key pair, a configuration file preview snippet is generated with the following information:

  • user - the OCID of the user for whom the key pair is being added.
  • fingerprint - the fingerprint of the key that was just added.
  • tenancy - your tenancy's OCID.
  • region - the currently selected region in the Console.
  • key_file- the path to your downloaded private key file. You must update this value to the path on your file system where you saved the private key file.

If your configuration file already has a DEFAULT profile, you'll need to do one of the following:

  • Replace the existing profile and its contents.
  • Rename the existing profile.
  • Rename this profile to a different name after pasting it into the configuration file.

You can copy this snippet into your configuration file, to help you get started. If you don't already have a configuration file, see SDK and CLI Configuration File for details on how to create one.

Generating an API Signing Key Pair

Prerequisite: Before you generate a key pair, create the .oci directory in your home directory to store the credentials. See SDK and CLI Configuration File for more details.

  1. View the user's details:
    • If you're adding an API key for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator adding an API key for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. Under Resources, click API keys.
  3. Click Add API key.
  4. In the dialog, click Generate API key pair.

  5. Click Download private key and save the key to your .oci directory. In most cases, you do not need to download the public key.

    Note: If your browser downloads the private key to a different directory, be sure to move it to your .oci directory.

  6. Click Add.

    The key is added and the Configuration file preview is displayed. The file snippet includes required parameters and values you'll need to create your configuration file. Copy and paste the configuration file snippet from the text box into your ~/.oci/config file. (If you have not yet created this file, see SDK and CLI Configuration File for details on how to create one.)

    After you paste the file contents, you'll need to update the key_file parameter to the location where you saved your private key file.

    If your configuration file already has a DEFAULT profile, you'll need to do one of the following:
    • Replace the existing profile and its contents.
    • Rename the existing profile.
    • Rename this profile to a different name after pasting it into the configuration file.
  7. Update the permissions on your downloaded private key file so that only you can view it:
    1. Go to the .oci directory where you placed the private key file.
    2. Use the command chmod go-rwx ~/.oci/<oci_api_keyfile>.pem to set the permissions on the file.
Uploading or Pasting an API Key

Prerequisite: You have generated a public RSA key in PEM format (minimum 2048 bits). The PEM format looks something like this:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoTFqF...
...
-----END PUBLIC KEY——
  1. View the user's details:
    • If you're adding an API key for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator adding an API key for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. Under Resources, click API keys.
  3. Click Add API key.
  4. In the dialog, select Choose public key file to upload your file, or Paste a public key, if you prefer to paste it into the Public key text box.
  5. After you upload the file or paste the key into the text box, click Add.

    The key is added and the Configuration file preview is displayed. The file snippet includes required parameters and values you'll need to create your configuration file. Copy and paste the configuration file snippet from the text box into your ~/.oci/config file. (If you have not yet created this file, see SDK and CLI Configuration File for details on how to create one.)

    After you paste the file contents, you'll need to update the key_file parameter to the location where you saved your private key file.

    If your configuration file already has a DEFAULT profile, you'll need to do one of the following:

    • Replace the existing profile and its contents.
    • Rename the existing profile.
    • Rename this profile to a different name after pasting it into the configuration file.
Getting the Configuration File Snippet for an API Signing Key
The following procedure works for a regular user or an administrator.
  1. View the user's details:
    • If you're getting an API key configuration file snippet for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator getting an API key configuration file snippet for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. Under Resources, click API keys. The list of API key fingerprints is displayed.
  3. Click the the Actions menu (Actions Menu) for the fingerprint, and select View configuration file.

    The Configuration file preview is displayed. The file snippet includes required parameters and values you'll need to create your configuration file. Copy and paste the configuration file snippet from the text box into your ~/.oci/config file. (If you have not yet created this file, see SDK and CLI Configuration File for details on how to create one.) After you paste the file contents, you'll need to update the key_file parameter to the location where you saved your private key file.

    If your configuration file already has a DEFAULT profile, you'll need to do one of the following:
    • Replace the existing profile and its contents.
    • Rename the existing profile.
    • Rename this profile to a different name after pasting it into the configuration file.
Deleting an API Signing Key
The following procedure works for a regular user or an administrator. Administrators can delete an API key for either another user or themselves.
  1. View the user's details:
    • If you're deleting an API key for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator deleting an API key for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. Under Resources, click API keys. The list of API key fingerprints is displayed.
  3. Select the check box for the API key you want to delete, and then click Delete.
  4. Confirm when prompted.
The API key is no longer valid for sending API requests.
Creating an Auth Token
  1. View the user's details:
    • If you're creating an auth token for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator creating an auth token for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. Under Resources, click Auth tokens.
  3. Click Generate token.
  4. Enter a description that indicates what this token is for, for example, "Swift password token".

  5. Click Generate token.

    The new token string is displayed.

  6. Click Copy to copy the token string immediately, because you can't retrieve it again after closing the dialog box.
  7. When you are finished, click Close.

If you're an administrator creating an auth token for another user, you need to securely deliver it to the user by providing it verbally, printing it out, or sending it through a secure email service.

Deleting an Auth Token

The following procedure works for a regular user or an administrator. Administrators can delete an auth token for either another user or themselves.

  1. View the user's details:
    • If you're deleting an auth token for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator deleting an auth token for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. Under Resources, click Auth tokens.
  3. Select the checkbox for the auth token you want to delete, and then click Delete.
  4. Confirm when prompted.

The auth token is no longer valid for accessing third-party APIs.

Creating a Customer Secret Key
  1. View the user's details:
    • If you're creating a customer secret key for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator creating a customer secret key for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.

  2. Under Resources, click Customer secret keys.

    A customer secret key consists of an access key/secret key pair. Oracle automatically generates the access key when you or your administrator generates the secret key to create the customer secret key.

  3. Click Generate secret key.

  4. Click Name to enter a friendly name for the key, and then click Generate secret key.

    The generated secret key is displayed in the Generate secret key dialog box. At the same time, Oracle generates the access key that is paired with the secret key. The newly generated customer secret key is added to the list of Customer secret keys.

  5. Click Copy to copy the secret key immediately, because you can't retrieve the secret key again after closing the dialog box, for security reasons.

    If you're an administrator creating a secret key for another user, you need to securely deliver it to the user by providing it verbally, printing it out, or sending it through a secure email service.

  6. When you are finished, click Close.
  7. To show the access key, locate the secret key in the list of customer secret keys, and then click the access key in the Access key column. To copy the access key, while the access key is displayed, click Copy.
Deleting a Customer Secret Key

The following procedure works for a regular user or an administrator. Administrators can delete a customer secret key for either another user or themselves.

  1. View the user's details:
    • If you're deleting a customer secret key for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator deleting a customer secret key for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. Under Resources, click Customer secret keys.
  3. Select the checkbox for the customer secret key you want to delete, and then click Delete.
  4. Confirm when prompted.

The customer secret key is no longer available to use with the Amazon S3 Compatibility API.

Creating OAuth 2.0 Client Credentials
Note

OAuth 2.0 client credentials are not available in the following realms :
  • the commercial realm (OC1)
  • the United Kingdom Government Cloud (OC4)
  1. View the user's details:
    • If you're creating an OAuth 2.0 client credential for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator creating an OAuth 2.0 client credential for another user:

      Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.

  2. Under Resources, click OAuth 2.0 client credentials.

  3. Click Generate OAuth 2.0 client credential.

  4. Click Name, and then enter a name for this credential.

  5. Click Title, and then enter a description for this credential.

  6. Add the URI for the OAuth 2.0 services that this credential will provide access to.

    To Select an audience-scope pair:
    1. In Audience, enter the URI for the OAuth 2.0 services.
    2. Next, select the Scope for this credential. Always select the minimum required privileges.
  7. To add more permissions to this credential, click + Another scope and follow the instructions in the previous step.
  8. Click Generate. The new secret string is generated.

    Click Copy to copy the token string immediately, because you can't retrieve it again after closing the dialog box.

    If you're an administrator creating OAuth 2.0 client credentials for another user, you need to securely deliver them to the user by providing them verbally, printing them out, or sending them through a secure email service.

  9. Click Close.

You will need the following information from the credential for the token request:

  • The generated secret
  • The OCID of the OAuth 2.0 client credential
  • The scope and audience (fully-qualified scope)
Adding Scopes to an Existing OAuth 2.0 Client Credential
  1. View the user's details:
    • If you're creating an OAuth 2.0 client credential for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator creating an OAuth 2.0 client credential for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.

  2. Under Resources, click OAuth 2.0 client credentials.

  3. Click the name of the credential that you want to add scopes to.
  4. Click Add scopes.

  5. Add the URI for the OAuth 2.0 services that you want to add access to.

    To Select a resource-scope pair:
    1. Select the Select a resource-scope pair option.
    2. The Resource list displays the resources you have permission to view. Select the resource you want to add credentials for. After you select the resource, the Audience field is automatically populated.
    3. Next, select the Scope for this credential. Always select the minimum required privileges.
    To Enter fully qualified Scope:
    1. Select the Enter fully qualified scope option.
    2. Enter the Audience and Scope for this credential.
  6. To add more permissions to this credential, click + Another scope and follow the instructions in the previous step.
  7. Click Save.
Regenerating the OAuth 2.0 Client Credential Secret

IMPORTANT: When you regenerate the secret for a credential, requests made with the previous secret will be denied access to target scopes.

  1. View the user's details:
    • If you're creating an OAuth 2.0 client credential for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator creating an OAuth 2.0 client credential for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.

  2. On the left side of the page, click OAuth 2.0 client credentials.

  3. Click the name of the credential that you want to regenerate the secret for.
  4. Click Regenerate secret.
  5. Acknowledge the warning dialog and click Regenerate secret.

  6. Copy the token string immediately, because you can't retrieve it again after closing the dialog box.

    If you're an administrator creating OAuth 2.0 client credentials for another user, you need to securely deliver them to the user by providing them verbally, printing them out, or sending them through a secure email service.

  7. Click Close.

Ensure to update existing token requests with the new secret string.

Deleting an OAuth 2.0 Client Credential

The following procedure works for a regular user or an administrator. Administrators can delete an auth token for either another user or themselves.

  1. View the user's details:
    • If you're deleting an OAuth 2.0 Client Credential for yourself: Select the Profile menu (Profile menu icon), which is on the upper-right side of the navigation bar at the top of the page, and then click User Settings, or your account name.
    • If you're an administrator deleting an auth token for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. On the left side of the page, click OAuth 2.0 Client Credentials.
  3. For the OAuth 2.0 Client Credential you want to delete, click Delete.
  4. Confirm when prompted.

The OAuth 2.0 Client Credential is no longer available to use.

Generating SMTP Credentials
  1. View the user's details:
    • If you're generating SMTP credentials for yourself: Select the Profile menu (Profile menu icon), which is on the upper-right side of the navigation bar at the top of the page, and then click User Settings, or your account name.
    • If you're an administrator generating SMTP credentials for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Open the navigation menu and click Identity & Security. Under Identity, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. Under Resources, click SMTP credentials.

  3. Click Generate credentials.

  4. Enter a Description of the SMTP credentials in the dialog box.
  5. Click Generate credentials. A user name and password are displayed.

    Click Copy to copy the password immediately, because you can't retrieve it again after closing the dialog box, for security reasons.

    If you're an administrator generating SMTP credentials for another user, you need to securely deliver them to the user by providing them verbally, printing them out, or sending them through a secure email service.

  6. When you are finished, click Close.
Deleting SMTP Credentials

The following procedure works for a regular user or an administrator. Administrators can delete SMTP credentials for either another user or themselves.

  1. View the user's details:
    • If you're deleting SMTP credentials for yourself:

      Open the Profile menu, and then click My Profile.

    • If you're an administrator deleting SMTP credentials for another user: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users. Locate the user in the list, and then click the user's name to view the details.
  2. Under Resources, click SMTP credentials.
  3. Select the checkbox for the SMTP credentials you want to delete, and then click Delete.
  4. Confirm when prompted.

The SMTP credentials are no longer available to use with the Email Delivery service.

To create an IAM Database Password

You can create an IAM database password to meet the Oracle Database password-creation guidelines. See Creating an IAM Database Password for the IAM database password specifications.

  1. Log in to the OCI IAM console.
  2. In the upper right corner of the window, click the profile icon to display your user profile page.
  3. In your user profile page, click your user name.
  4. Under Resources, click Database Passwords.
  5. In the Database Passwords section, click Create Database Password.

    The Create Database Password dialog box is displayed.

  6. Enter a description of the password.
  7. Note the password guidelines and restrictions listed on the page. See Creating an IAM database password for more information about password rules.
  8. Click Create Database Password.

    The dialog box closes and the description for which you have created a password is displayed in the Database Passwords section.

To change an IAM Database Password

To change your IAM database password, delete your current password and then create a new one. See To Delete an IAM Database Password and To create an IAM Database Password.

To delete an IAM database password

You can delete your own IAM database password.

  1. Log in to the OCI IAM console.
  2. In the upper right corner of the window, click the profile icon. This takes you directly to your user profile page.
  3. In your user profile page, click your user name.
  4. Under Resources, click Database Passwords.
  5. Your user name is displayed in the Database Passwords section.
  6. At the right end of the row with your user name in it, click the three-dot menu, and then click Delete.
To create an IAM Database User Name

To change your IAM database username:

  1. Log in to the OCI IAM console.
  2. Click Identity& Security.
  3. Under Identity, click Users.
  4. In the table of database users, click Create User.
  5. In the Name field, enter your database user name. Enter only letters, numerals, hyphens, periods, underscores, +, and @. You cannot use spaces in the name.
  6. In the Description field, optionally enter the name of the database that this user name is for or any other relevant information.
  7. Optionally click Advanced Options to show the Tags dialog box.
  8. In the Tag Namespace, Tag Key, and Value fields, enter a tag name
  9. Click Save Changes.
To change an IAM Database User Name

To change your IAM database username:

  1. Log in to the OCI IAM console.
  2. Click Identity& Security.
  3. Under Identity, click Users.
  4. In the table of database users, locate your database user name and left click it.

    The page for your user name is displayed.

  5. Click Edit User.
  6. In the Description field, edit your database user name and click Save Changes.
To delete an IAM Database User Name

To change your IAM database username:

  1. Log in to the OCI IAM console.
  2. Click Identity& Security.
  3. Under Identity, click Users.
  4. In the table of database users, locate your database user name and left click it.

    The page for your user name is displayed.

  5. At the right end of the row that contains your user name click the three-dot menu and then click Delete.