Common Tasks
Find out how to perform common tasks to call services from an instance.
Use this curl command:
curl http://169.254.169.254/opc/v1/identity/cert.pem
The certificate is rotated multiple times each day.
- Try to run the command again. Sometimes the certificate rotation and the request occur at the same time.
- The certificate might be expired. Verify the certificate is valid.
No. You can't change the frequency at which the certificate is rotated. However, you can change the policy on the dynamic group. If you think an instance has been compromised, you can either change the policy on the dynamic group to revoke permissions for all members of the group, or you can remove the instance from the dynamic group. See Can I remove an instance from a dynamic group?
The token expiration is independent of the certificate expiration period. It also depends on the application you are interacting with. For example, if Object Storage does not have a multipart PUT operation, then it does not matter how long the operation runs.
Yes. Make sure that the only users who can access the instance are users who should have the access that you have granted to the dynamic group.
Yes. You can remove it by modifying the matching rule to exclude it. See below for an example.
Yes. For example, assume you want to exclude two specific instances in a compartment from the dynamic group. Write a matching rule like this:
All {instance.compartment.id = '<compartment_ocid>',
instance.id != '<instance1_to_exclude_ocid>', instance.id != '<instance2_to_exclude_ocid>'}
The above rule includes all instances in the compartment except those with the OCIDs specified.
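To check which instances an exclusion rule like the one above would leave in the group before you apply it, the following added example (not Oracle's code) models the rule in Python. It assumes a simplified, flat `All {...}` / `Any {...}` form with only `=` and `!=` on quoted values; the function names and the OCIDs are constructed placeholders.

```python
import re

# Simplified model (assumption): flat rules only, e.g. All {attr = 'v', attr != 'v'}
# or Any {...}. Nested rules and other rule forms are not handled.
RULE_RE = re.compile(r"^\s*(all|any)\s*\{(.*)\}\s*$", re.IGNORECASE | re.DOTALL)
COND_RE = re.compile(r"^\s*([\w.]+)\s*(!=|=)\s*'([^']*)'\s*$")


def parse_rule(rule):
    """Return (quantifier, [(attribute, operator, value), ...])."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("expected All {...} or Any {...}")
    conditions = []
    for part in m.group(2).split(","):
        c = COND_RE.match(part)
        if not c:
            raise ValueError(f"cannot parse condition: {part.strip()!r}")
        conditions.append(c.groups())
    return m.group(1).lower(), conditions


def matches(rule, instance):
    """True if the instance (dict of attribute -> value) satisfies the rule."""
    quantifier, conditions = parse_rule(rule)
    results = [
        (instance.get(attr) == value) if op == "=" else (instance.get(attr) != value)
        for attr, op, value in conditions
    ]
    return all(results) if quantifier == "all" else any(results)


def members(rule, instances):
    """Instance ids that the rule would place in the dynamic group."""
    return [i["instance.id"] for i in instances if matches(rule, i)]


# Constructed sample data: placeholder OCIDs, not real identifiers.
RULE = """All {instance.compartment.id = 'ocid1.compartment.example.aaa',
instance.id != 'ocid1.instance.example.one', instance.id != 'ocid1.instance.example.two'}"""

INSTANCES = [
    {"instance.id": "ocid1.instance.example.one", "instance.compartment.id": "ocid1.compartment.example.aaa"},
    {"instance.id": "ocid1.instance.example.two", "instance.compartment.id": "ocid1.compartment.example.aaa"},
    {"instance.id": "ocid1.instance.example.three", "instance.compartment.id": "ocid1.compartment.example.aaa"},
    {"instance.id": "ocid1.instance.example.four", "instance.compartment.id": "ocid1.compartment.example.bbb"},
]

print(members(RULE, INSTANCES))
```

Under this model, writing the two `!=` conditions inside `Any {...}` instead of `All {...}` excludes nothing, because every instance differs from at least one of the two OCIDs.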