Configuring the Provider

Before the OCI Terraform provider can interact with the Oracle Cloud Infrastructure (OCI) services and resources it supports, it must be configured with authentication credentials for an OCI account.


The OCI Terraform provider supports four authentication methods:

API Key Authentication

By default, the Terraform provider uses API Key authentication, but you can specify this explicitly by setting the auth attribute to "APIKey" in your provider definition. Calls to OCI using API Key authentication require that you provide the following credentials:

You can provide these values as Environment Variables or within Terraform configuration variables.

Instance Principal Authorization

Instance principal authorization allows your provider to make API calls from an OCI compute instance without needing the tenancy_ocid, user_ocid, private_key_path, and fingerprint attributes in your provider definition.


Instance principal authorization applies only to instances that are running in Oracle Cloud Infrastructure.

To enable instance principal authorization for OCI Terraform providers, set the auth attribute to "InstancePrincipal" in your provider definition, as shown in the following example:

variable "region" {}

provider "oci" {
   auth = "InstancePrincipal"
   region = "${var.region}"
}

For more information, see Calling Services from an Instance.

Resource Principal Authorization

Resource principal authorization, like instance principal authorization, allows your provider to make API calls without needing to provide credentials within the provider definition. Resource principal authorization is used to allow resources like a running function to access other Oracle Cloud Infrastructure resources. For more information, see Accessing Other Oracle Cloud Infrastructure Resources from Running Functions.

To enable resource principal authorization for OCI Terraform providers:

  1. Create the dynamic group and policies required for your running function to manage other OCI resources. Follow the instructions in Using the Console and ensure that your policy allows management of other resources.
  2. Set the following environment variables:

    • OCI_RESOURCE_PRINCIPAL_VERSION, containing the value 2.2.
    • OCI_RESOURCE_PRINCIPAL_RPST, containing the raw contents of the rpst file or the absolute path to the rpst file, including the filename.
    • OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM, containing the absolute path to the private.pem file (including the filename).
    • OCI_RESOURCE_PRINCIPAL_REGION, containing the region identifier in which the provider is deployed (for example, us-phoenix-1).
  3. Set the auth attribute to "ResourcePrincipal" in your provider definition, as shown in the following example:

    provider "oci" {
       auth = "ResourcePrincipal"
       region = "${var.region}"
    }

Security Token Authentication

Security Token authentication allows you to run Terraform using a token generated with Token-based Authentication for the CLI. To enable Security Token authentication, set the auth attribute to "SecurityToken" and provide a value for config_file_profile in the provider definition. For example:

# Configure the Oracle Cloud Infrastructure provider to use Security Token authentication
provider "oci" {
  auth = "SecurityToken"
  config_file_profile = "PROFILE"
}

This token expires after one hour. Avoid using this authentication method when provisioning of resources takes longer than one hour. See Refreshing a Token for more information.

Environment Variables

It is common to export the required authentication values as environment variables, or source them in different bash profiles when executing Terraform commands.

If you primarily work in a single compartment, consider exporting the compartment OCID as an environment variable as well. The tenancy OCID is also the OCID of the root compartment, and can be used where any compartment OCID is required.


The provider block can be removed from the Terraform configuration entirely if all values required for API Key authentication are provided as environment variables or are set in a *.tfvars file.

Setting environment variables in Unix and Linux

If your Terraform configurations are limited to a single compartment or user, then this bash_profile option should be sufficient. For more complex environments you may want to maintain multiple sets of environment variables.

In your ~/.bash_profile set these variables:

export TF_VAR_tenancy_ocid=<tenancy_OCID>
export TF_VAR_compartment_ocid=<compartment_OCID>
export TF_VAR_user_ocid=<user_OCID>
export TF_VAR_fingerprint=<key_fingerprint>
export TF_VAR_private_key_path=<private_key_path>

Once you've set these values, open a new terminal or source your profile changes:

$ source ~/.bash_profile

Setting environment variables in Windows

Configuring for Windows usage is largely the same:

setx TF_VAR_tenancy_ocid <tenancy_OCID>
setx TF_VAR_compartment_ocid <compartment_OCID>
setx TF_VAR_user_ocid <user_OCID>
setx TF_VAR_fingerprint <key_fingerprint>
setx TF_VAR_private_key_path <private_key_path>

The variables won't be set for the current session. Exit the terminal and reopen it before proceeding.


Ensure your keys are in PEM format. See How to Generate an API Signing Key for more information.

Using the SDK and CLI Configuration File

It is possible to define the required provider values in the same ~/.oci/config file that the SDKs and CLI use. For details on setting up this configuration, see SDK and CLI Configuration File.


Parameter names in the SDK and CLI configuration file are slightly different.

The provider block can be removed from the Terraform configuration entirely if all values required for API Key authentication are provided as environment variables or are set in the ~/.oci/config file.

You can set a non-default OCI config profile as an environment value by using the following command:

export TF_VAR_config_file_profile=<config_file_profile_name>

You can also set the OCI config profile in a provider block. For example:

provider "oci" {
  tenancy_ocid = var.tenancy_ocid
  config_file_profile = var.config_file_profile
}

Order of Precedence

If the parameters are set in multiple locations, the order of precedence is as follows:

  1. The environment variable
  2. The non-default profile in the OCI config file, if provided
  3. The DEFAULT profile in the OCI config file
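The following is an added example, not part of the original documentation or the provider's own code. It applies the precedence above to a constructed ~/.oci/config (placeholder OCIDs) together with TF_VAR_* environment variables, using the standard SDK/CLI key names (tenancy, user, fingerprint, key_file, region; this mapping is an assumption about the config file layout, not something the page lists), and adds the hygiene checks a practitioner would want on the API signing key: PEM encoding and file permissions.

```python
import configparser
import tempfile
from pathlib import Path

# Terraform provider attribute -> key in ~/.oci/config (assumption: standard SDK/CLI layout).
CONFIG_FILE_KEYS = {"tenancy_ocid": "tenancy", "user_ocid": "user", "fingerprint": "fingerprint",
                    "private_key_path": "key_file", "region": "region"}
SAMPLE_CONFIG = """[DEFAULT]
tenancy=ocid1.tenancy.oc1..placeholder
fingerprint=aa:bb:cc:dd
key_file=/home/me/.oci/oci_api_key.pem
region=us-phoenix-1
[dev]
user=ocid1.user.oc1..devplaceholder
region=us-ashburn-1
"""  # constructed sample config; the OCIDs are placeholders, not real values

def resolve_provider_settings(env, config_text, profile=None):
    # Precedence: TF_VAR_* env var, then the named profile, then [DEFAULT] (read as a plain section, not a fallback).
    parser = configparser.ConfigParser(default_section="__unused__")
    parser.read_string(config_text)
    resolved = {}  # attribute -> (value, source)
    for attr, key in CONFIG_FILE_KEYS.items():
        if env.get(f"TF_VAR_{attr}"):
            resolved[attr] = (env[f"TF_VAR_{attr}"], "environment")
        elif profile and parser.has_option(profile, key):
            resolved[attr] = (parser[profile][key], f"profile {profile}")
        elif parser.has_option("DEFAULT", key):
            resolved[attr] = (parser["DEFAULT"][key], "profile DEFAULT")
    return resolved

def check_private_key(path):
    # Hygiene checks for the API signing key: PEM encoded and not readable by group or others.
    p = Path(path)
    problems = []
    if not p.read_text().lstrip().startswith("-----BEGIN"):
        problems.append("key is not PEM encoded")
    if p.stat().st_mode & 0o077:  # any group/other permission bit set
        problems.append("key is readable by group or others")
    return problems

def demo(key_mode=0o600):
    # Resolve settings with tenancy overridden from the environment, then check a constructed key file.
    env = {"TF_VAR_tenancy_ocid": "ocid1.tenancy.oc1..fromenv"}
    settings = resolve_provider_settings(env, SAMPLE_CONFIG, profile="dev")
    with tempfile.TemporaryDirectory() as d:
        key = Path(d) / "oci_api_key.pem"
        key.write_text("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
        key.chmod(key_mode)
        return settings, check_private_key(key)
```

Running demo() shows tenancy_ocid coming from the environment, user_ocid and region from the dev profile, and fingerprint and private_key_path falling through to DEFAULT; demo(0o644) reports the permissive key file.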