Prerequisites

To use the authentication_oci plugin, you need a credential (an API key-pair or an IAM security token), a configuration file that references that credential, and an IAM policy statement in each tenancy you connect to.

Specifically, you require the following:

  • Either of the following credentials:
    • An API key-pair: Local or provisioned users can authenticate with a public-private API key-pair whose public key is uploaded to IAM, identified by its fingerprint. You need a key-pair and fingerprint for every individual user and for every member of a mapped group. See Required Keys and OCIDs.
    • An IAM security token: Local, federated, or provisioned users can authenticate with a short-lived IAM security token generated using the Oracle Cloud Infrastructure command-line interface. See Generating an IAM Security Token.
  • A configuration file with valid fingerprint and key_file values. For authentication using an IAM security token, the profile must also specify a valid security_token_file value. Keep the private key file readable only by its owner (mode 0600): anyone who can read it can authenticate as that user. See SDK and CLI configuration file.
  • The following policy statement defined in each tenancy you intend to connect:
    ALLOW service mysql_dp_auth TO {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT} IN TENANCY

    This policy statement must be attached to the root compartment so that it covers the whole tenancy. To do this, make sure you have the root compartment selected when you add the policy, and use the IN TENANCY parameter.

    You can create a policy like this in a sub-compartment by using IN COMPARTMENT <CompartmentName> in place of IN TENANCY, but such a policy is not sufficient for the authentication_oci plugin. If adding the statement returns an error, check which compartment you are in and select the root compartment.

Generating an IAM Security Token

Local, federated, or provisioned users can use an IAM security token to authenticate via the authentication_oci plugin.

Using the CLI

Use the Oracle Cloud Infrastructure command-line interface to generate an IAM security token.

  1. Run the following command in the Oracle Cloud Infrastructure command-line interface:
    oci session authenticate
  2. When prompted, choose the region.
    A web browser is launched.
  3. In the browser, enter your user credentials.
  4. Enter the profile name you would like to create in the command-line interface.
    The IAM security token is generated along with an ephemeral key-pair, and a profile with a security_token_file entry pointing at the token is written to the OCI CLI configuration file (~/.oci/config by default). By default, the security token expires after one hour.
  5. (Optional) To extend the token for another hour, run the following command before it expires:
    oci session refresh --profile <profile_name>
    You can keep refreshing a token for up to 24 hours after it was first issued; after that, run oci session authenticate again.
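The script below is an added example and is not part of the MySQL or OCI CLI documentation. It is a POSIX shell pre-flight check that ties the Prerequisites to this procedure: it reads a profile from the SDK/CLI configuration file, decides whether it carries an API key-pair or a security token (and fails if fingerprint, key_file, tenancy or region is missing), verifies that the private key is not readable by other users, and reports how many seconds the session token written by oci session authenticate has left before it needs oci session refresh. It assumes the configuration uses the ini keys user, fingerprint, key_file, tenancy, region and security_token_file with absolute paths, and that the token file holds a JWT whose exp claim is seconds since the epoch. The configuration, key and tokens that make_sample_config writes are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not from the MySQL or OCI documentation: pre-flight checks on an
# OCI CLI profile before connecting with the authentication_oci plugin.
# Assumes the ini keys user, fingerprint, key_file, tenancy, region and
# security_token_file, absolute paths (the CLI expands ~, this script does not),
# and a security token file holding a JWT with an exp claim (epoch seconds).

# Print the value of KEY in section [PROFILE] of ini file CONFIG.
oci_profile_get() {
  awk -v want="[$2]" -v key="$3" '
    $0 == want { insec = 1; next }
    /^\[/      { insec = 0 }
    insec && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# Print "api_key" or "security_token" for the credential a profile carries;
# return 1 when any key the plugin needs is missing.
oci_profile_mode() {
  for k in fingerprint key_file tenancy region; do
    [ -n "$(oci_profile_get "$1" "$2" "$k")" ] || return 1
  done
  if [ -n "$(oci_profile_get "$1" "$2" security_token_file)" ]; then
    echo security_token
  elif [ -n "$(oci_profile_get "$1" "$2" user)" ]; then
    echo api_key
  else
    return 1
  fi
}

# The private key must have no group/other permission bits (0600 or 0400):
# whoever can read it can authenticate as that user.
oci_key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print seconds until the JWT in token file $1 expires (negative if expired).
oci_token_seconds_left() {
  payload=$(cut -d. -f2 "$1" | tr '_-' '/+')          # base64url -> base64
  case $(( ${#payload} % 4 )) in 2) payload="$payload==";; 3) payload="$payload=";; esac
  exp=$(printf '%s' "$payload" | base64 -d 2>/dev/null | sed -n 's/.*"exp": *\([0-9]*\).*/\1/p')
  [ -n "$exp" ] || return 1
  echo $(( exp - $(date +%s) ))
}

# Run every check for one profile; a non-zero exit means do not connect yet.
oci_preflight() {
  cfg=$1; prof=$2; rc=0
  mode=$(oci_profile_mode "$cfg" "$prof") || { echo "[$prof] missing required keys"; return 1; }
  echo "[$prof] credential: $mode"
  key=$(oci_profile_get "$cfg" "$prof" key_file)
  oci_key_is_private "$key" || { echo "[$prof] $key is readable by group/others"; rc=1; }
  if [ "$mode" = security_token ]; then
    tok=$(oci_profile_get "$cfg" "$prof" security_token_file)
    left=$(oci_token_seconds_left "$tok") || { echo "[$prof] no exp claim in $tok"; return 1; }
    if [ "$left" -le 0 ]; then
      echo "[$prof] token expired: run oci session refresh --profile $prof (or authenticate again)"; rc=1
    else
      echo "[$prof] token valid for ${left}s"
    fi
  fi
  return $rc
}

# Write a constructed sample to DIR (placeholders, not real credentials): an
# API-key profile, a session profile, a broken profile, a 0600 key, two tokens.
make_sample_config() {
  dir=$1
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' '-----END PRIVATE KEY-----' > "$dir/key.pem"
  chmod 600 "$dir/key.pem"
  hdr=$(printf '%s' '{"alg":"none"}' | base64 | tr -d '=\n' | tr '+/' '-_')
  for pair in token:4102444800 expired:1000000000; do     # exp in 2100 / in 2001
    body=$(printf '{"exp":%s}' "${pair#*:}" | base64 | tr -d '=\n' | tr '+/' '-_')
    printf '%s.%s.sig\n' "$hdr" "$body" > "$dir/${pair%%:*}"
  done
  cat > "$dir/config" <<EOF
[DEFAULT]
user=ocid1.user.oc1..exampleuniqueID
fingerprint=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
key_file=$dir/key.pem
tenancy=ocid1.tenancy.oc1..exampleuniqueID
region=us-ashburn-1

[SESSION]
fingerprint=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
key_file=$dir/key.pem
tenancy=ocid1.tenancy.oc1..exampleuniqueID
region=us-ashburn-1
security_token_file=$dir/token

[BROKEN]
fingerprint=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
tenancy=ocid1.tenancy.oc1..exampleuniqueID
EOF
}
```

Against a real setup, run oci_preflight "$HOME/.oci/config" <profile_name> before connecting; a non-zero exit with a "token expired" line is the cue for oci session refresh, and a "readable by group/others" line means the key file needs chmod 600 before anything else. The [BROKEN] profile in the sample shows the failure mode the plugin would otherwise surface only as an authentication error: a profile that lacks key_file, region, or any credential key is rejected before a connection is attempted.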