Creating Resource Principal Authenticator Provider
To access OCI resource using a resource principal you can use the Resource Principal Authenticator Provider in you application.
The following are sample Java application examples.
Sample Java code that creates resource principal authenticator and connects to Object Storage
import com.oracle.bmc.Region;
import com.oracle.bmc.auth.ResourcePrincipalAuthenticationDetailsProvider;
import com.oracle.bmc.objectstorage.ObjectStorage;
import com.oracle.bmc.objectstorage.ObjectStorageClient;
import com.oracle.bmc.objectstorage.model.CreateBucketDetails;
import com.oracle.bmc.objectstorage.requests.CreateBucketRequest;
import com.oracle.bmc.objectstorage.requests.GetBucketRequest;
import com.oracle.bmc.objectstorage.requests.GetBucketRequest.Fields;
import com.oracle.bmc.objectstorage.requests.GetNamespaceRequest;
import com.oracle.bmc.objectstorage.requests.PutObjectRequest;
import com.oracle.bmc.objectstorage.responses.GetBucketResponse;
import com.oracle.bmc.objectstorage.responses.GetNamespaceResponse;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
/**
* Example to get a bucket and its statistics.
*
* <p>This example first creates a bucket in the compartment corresponding to the compartment OCID
* passed as the first argument to this program. The name of the bucket created is same as the
* second argument to the program. It also creates an object in this bucket whose name is the third
* argument. It then illustrates how we can get a bucket and its statistics (Estimated Size and
* Estimated Count).
*
* Example program uses BDS resource principal to do auth, Make sure to set following env variables
* before executing thr program
*
* <ul>
* <li>OCI_RESOURCE_PRINCIPAL_VERSION=2.2
* <li>OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM=/etc/security/tokens/rpst.pem
* <li>OCI_RESOURCE_PRINCIPAL_REGION=us-ashburn-1
* <li>OCI_RESOURCE_PRINCIPAL_RPST=/etc/security/tokens/rpst.token
* </ul>
*
* Also ensure, the user who executes this program have access to above location
*
* @param args Arguments to provide to the example. The following arguments are expected:
* <ul>
* <li>The first argument is the OCID of the compartment.
* <li>The second is the name of bucket to create and later fetch
* <li>The third is the name of object to create inside bucket
* </ul>
*/
public class BdsListObjectExample {
public static void main(String[] args) throws Exception {
if (args.length != 3) {
throw new IllegalArgumentException(
"Unexpected number of arguments received. Consult the script header comments for expected arguments");
}
ResourcePrincipalAuthenticationDetailsProvider provider = ResourcePrincipalAuthenticationDetailsProvider.builder().build();
final String compartmentId = args[0];
final String bucket = args[1];
final String object = args[2];
final Region region = Region.US_ASHBURN_1; //Can be updated based on the region where object is stored
try(ObjectStorage objectStorageClient =
ObjectStorageClient.builder().region(region).build(provider)) {
System.out.println("Getting the namespace.");
GetNamespaceResponse namespaceResponse =
objectStorageClient.getNamespace(GetNamespaceRequest.builder().build());
String namespaceName = namespaceResponse.getValue();
System.out.println("Creating the source bucket.");
CreateBucketDetails createSourceBucketDetails =
CreateBucketDetails.builder().compartmentId(compartmentId).name(bucket).build();
CreateBucketRequest createSourceBucketRequest =
CreateBucketRequest.builder()
.namespaceName(namespaceName)
.createBucketDetails(createSourceBucketDetails)
.build();
objectStorageClient.createBucket(createSourceBucketRequest);
System.out.println("Creating the source object");
PutObjectRequest putObjectRequest =
PutObjectRequest.builder()
.namespaceName(namespaceName)
.bucketName(bucket)
.objectName(object)
.contentLength(4L)
.putObjectBody(
new ByteArrayInputStream("data".getBytes(StandardCharsets.UTF_8)))
.build();
objectStorageClient.putObject(putObjectRequest);
System.out.println("Creating Get bucket request");
List<Fields> fieldsList = new ArrayList<>(2);
fieldsList.add(GetBucketRequest.Fields.ApproximateCount);
fieldsList.add(GetBucketRequest.Fields.ApproximateSize);
GetBucketRequest request =
GetBucketRequest.builder()
.namespaceName(namespaceName)
.bucketName(bucket)
.fields(fieldsList)
.build();
System.out.println("Fetching bucket details");
GetBucketResponse response = objectStorageClient.getBucket(request);
System.out.println("Bucket Name : " + response.getBucket().getName());
System.out.println("Bucket Compartment : " + response.getBucket().getCompartmentId());
System.out.println(
"The Approximate total number of objects within this bucket : "
+ response.getBucket().getApproximateCount());
System.out.println(
"The Approximate total size of objects within this bucket : "
+ response.getBucket().getApproximateSize());
}
}
}
/**
Maven Dependencies. Version can be updated as per the requirement. This example is validated with version 3.43.0 of SDK
<dependency>
<groupId>com.oracle.oci.sdk</groupId>
<artifactId>oci-java-sdk-objectstorage</artifactId>
<version>3.43.0</version>
</dependency>
<dependency>
<groupId>com.oracle.oci.sdk</groupId>
<artifactId>oci-java-sdk-common</artifactId>
<version>3.43.0</version>
</dependency>
<dependency>
<groupId>com.oracle.oci.sdk</groupId>
<artifactId>oci-java-sdk-common-httpclient-jersey</artifactId>
<version>3.43.0</version>
</dependency>
**/Sample Python code to do various operation in OCI vault using Big Data Service resource principal
# coding: utf-8
# Copyright (c) 2016, 2024, Oracle and/or its affiliates. All rights reserved.
# This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
import oci
import sys
from datetime import datetime
from datetime import timedelta
# ==========================================================
# Ensure to set the following env variable before running this code,
# OCI_RESOURCE_PRINCIPAL_VERSION=2.2
# OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM=/etc/security/tokens/rpst.pem
# OCI_RESOURCE_PRINCIPAL_REGION=us-ashburn-1
# OCI_RESOURCE_PRINCIPAL_RPST=/etc/security/tokens/rpst.token
#
# This file provides examples of basic key management service usage
# * - Get a vault
# * - Create a vault
# Management endpoint operations
# * - Get a key
# * - Create a key
# * - Enable a key
# * - Disable a key
# Secrets Management operations
# * - Create a secret
# * - Create a new secret version
# * - Update a secret
# * - Move a secret to a new compartment
# * - Delete a secret
# Documentation : https://docs.cloud.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingsecrets.htm
# Usage : python secret_examples.py compartment_id
def create_vault(compartment_id, vault_name, sac_composite):
print(" Creating vault {} in {} compartment.".format(vault_name,
compartment_id))
# Create vault_details object that needs to be passed when creating vault.
vault_details = oci.key_management.models.CreateVaultDetails(
compartment_id=compartment_id,
vault_type="DEFAULT",
display_name=vault_name)
print("Vault details {}.".format(vault_details.vault_type))
# Since vault creation is asynchronous; we need to wait for the stream to become active.
response = sac_composite.create_vault_and_wait_for_state(
vault_details,
wait_for_states=[oci.key_management.models.Vault.LIFECYCLE_STATE_ACTIVE])
return response
def get_vault(client, vault_id):
return client.get_vault(vault_id)
def create_key(key_mgmt_composite, key_name, compartment_id):
print(" Creating key {} in compartment {}.".format(key_name, compartment_id))
# Create key_details object that needs to be passed when creating key.
key_shape = oci.key_management.models.KeyShape(algorithm="AES", length=32)
key_details = oci.key_management.models.CreateKeyDetails(
compartment_id=compartment_id,
display_name=key_name,
key_shape=key_shape)
# Since key creation is asynchronous; we need to wait for the key to become enabled.
response = key_mgmt_composite.create_key_and_wait_for_state(key_details,
wait_for_states=[
oci.key_management.models.Key.LIFECYCLE_STATE_ENABLED])
return response
def get_key(client, key_id):
return client.get_key(key_id)
def enable_key(key_mgmt_composite, key_id):
print(" Enabling key {}.".format(key_id))
# Since enabling key is asynchronous; we need to wait for the key to become enabled.
response = key_mgmt_composite.enable_key_and_wait_for_state(key_id,
wait_for_states=[
oci.key_management.models.Key.LIFECYCLE_STATE_ENABLED])
return response
def disable_key(key_mgmt_composite, key_id):
print(" Disabling key {}.".format(key_id))
# Since disabling key is asynchronous; we need to wait for the key to become disabled.
response = key_mgmt_composite.disable_key_and_wait_for_state(key_id,
wait_for_states=[
oci.key_management.models.Key.LIFECYCLE_STATE_DISABLED])
return response
def create_secret(vaults_client_composite, compartment_id, secret_content, secret_name, valult_id, key_id):
print("Creating a secret {}.".format(secret_name))
# Create secret_content_details that needs to be passed when creating secret.
secret_description = "This is just a test"
secret_content_details = oci.vault.models.Base64SecretContentDetails(
content_type=oci.vault.models.SecretContentDetails.CONTENT_TYPE_BASE64,
name=secret_content,
stage="CURRENT",
content=secret_content)
secrets_details = oci.vault.models.CreateSecretDetails(compartment_id=compartment_id,
description=secret_description,
secret_content=secret_content_details,
secret_name=secret_name,
vault_id=vault_id,
key_id=key_id)
# Create secret and wait for the secret to become active
response = vaults_client_composite.create_secret_and_wait_for_state(create_secret_details=secrets_details,
wait_for_states=[
oci.vault.models.Secret.LIFECYCLE_STATE_ACTIVE])
return response
def create_newsecret_version(vaults_client_composite, secret_content, secret_id):
print("Creating a new secret version {}.".format(secret_id))
# Create secret_content_details that needs to be passed when updating secret content.
secret_content_details = oci.vault.models.Base64SecretContentDetails(
content_type=oci.vault.models.SecretContentDetails.CONTENT_TYPE_BASE64,
stage="CURRENT",
content=secret_content)
secrets_details = oci.vault.models.UpdateSecretDetails(secret_content=secret_content_details)
# Create new secret version and wait for the new version to become active.
response = vaults_client_composite.update_secret_and_wait_for_state(secret_id,
secrets_details,
wait_for_states=[
oci.vault.models.Secret.LIFECYCLE_STATE_ACTIVE])
return response
def get_secret(vaults_client, secret_id):
return vaults_client.get_secret(secret_id)
def delete_secret(vaults_client, secret_id, deletion_time):
print("Deleting a secret")
# Create Secret deletion details object.
secret_deletion_details = oci.vault.models.ScheduleSecretDeletionDetails(time_of_deletion=deletion_time)
# secret_deletion_details = oci.vault.models.ScheduleSecretDeletionDetails()
# Delete the secret or mark the secret for deletion
response = vaults_client.schedule_secret_deletion(secret_id, secret_deletion_details)
print("Secret deletion response is: {}.".format(response.data))
def delete_secret_version(vaults_client, secret_id, deletion_time, secret_version_number):
print("Deleting a specific version of a secret")
# Create Secret version deletion object
secret_version_deletion_details = oci.vault.models.ScheduleSecretVersionDeletionDetails(time_of_deletion=deletion_time)
# Delete the secret version or mark the version for deletion.
response = vaults_client.schedule_secret_version_deletion(secret_id,
secret_version_number=secret_version_number,
schedule_secret_version_deletion_details=secret_version_deletion_details)
print("Secret deletion response is: {}.".format(response.data))
def move_secret(vaults_client, secret_id, target_compartment_id):
print("Moving secret to a target compartment")
# Create an object of Change Secret Compartment Details
target_compartment_details = oci.vault.models.ChangeSecretCompartmentDetails(compartment_id=target_compartment_id)
# Move the secret to target compartment and then wait for the state to become active.
response = vaults_client.change_secret_compartment(secret_id, change_secret_compartment_details=target_compartment_details)
target_state = oci.vault.models.Secret.LIFECYCLE_STATE_ACTIVE.lower()
try:
waiter_result = oci.wait_until(
vaults_client,
vaults_client.get_secret(secret_id),
evaluate_response=lambda r: getattr(r.data, 'lifecycle_state') and getattr(r.data, 'lifecycle_state').lower() == target_state,
waiter_kwargs={}
)
result_to_return = waiter_result
print("Change compartment response is {}.".format(result_to_return.data))
return result_to_return
except Exception as e:
raise oci.exceptions.CompositeOperationError(partial_results=[response], cause=e)
if len(sys.argv) != 2:
raise RuntimeError(
'This example expects an ocid for the secret to read.')
compartment_id = sys.argv[1]
resource_principal_signer = oci.auth.signers.get_resource_principals_signer()
secret_content = "TestContent"
secret_name = "TestSecret"
VAULT_NAME = "KmsVault"
KEY_NAME = "KmsKey"
# Vault client to create vault
kms_vault_client = oci.key_management.KmsVaultClient({}, signer=resource_principal_signer)
kms_vault_client_composite = oci.key_management.KmsVaultClientCompositeOperations(
kms_vault_client)
# This will create a vault in the given compartment
vault = create_vault(compartment_id, VAULT_NAME, kms_vault_client_composite).data
# vault = get_vault(kms_vault_client, vault_id).data
vault_id = vault.id
print(" Created vault {} with id : {}".format(VAULT_NAME, vault_id))
# Vault Management client to create a key
vault_management_client = oci.key_management.KmsManagementClient({}, signer=resource_principal_signer,
service_endpoint=vault.management_endpoint)
vault_management_client_composite = oci.key_management.KmsManagementClientCompositeOperations(
vault_management_client)
# Create key in given compartment
key = create_key(vault_management_client_composite, KEY_NAME, compartment_id).data
# key = get_key(vault_management_client,key_id).data
key_id = key.id
print(" Created key {} with id : {}".format(KEY_NAME, key.id))
# Vault client to manage secrets
vaults_client = oci.vault.VaultsClient({}, signer=resource_principal_signer)
vaults_management_client_composite = oci.vault.VaultsClientCompositeOperations(vaults_client)
secret = create_secret(vaults_management_client_composite, compartment_id, secret_content, secret_name, vault_id, key_id).data
secret_id = secret.id
print("Secret ID is {}.".format(secret_id))
secret_deletion_time = datetime.now() + timedelta(days=2)
delete_secret(vaults_client, secret_id, secret_deletion_time)For more information, see oci-python-sdk Example.
Sample Python SDK on CURD operation in Object Storage using Big Data Service Resource Principal
# coding: utf-8
# Copyright (c) 2016, 2024, Oracle and/or its affiliates. All rights reserved.
# This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
# Ensure to set the following env variable before running this code,
# OCI_RESOURCE_PRINCIPAL_VERSION=2.2
# OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM=/etc/security/tokens/rpst.pem
# OCI_RESOURCE_PRINCIPAL_REGION=us-ashburn-1
# OCI_RESOURCE_PRINCIPAL_RPST=/etc/security/tokens/rpst.token
import filecmp
from datetime import datetime, timedelta
import pytz
import oci
from oci._vendor import urllib3
from oci.object_storage.models import CreateBucketDetails
from oci.object_storage.models import CreatePreauthenticatedRequestDetails
resource_principal_signer = oci.auth.signers.get_resource_principals_signer()
compartment_id = "<<compartment_ocid>>"
object_storage = oci.object_storage.ObjectStorageClient({}, signer=resource_principal_signer)
namespace = object_storage.get_namespace().data
bucket_name = "python-sdk-example-bucket"
object_name = "python-sdk-example-object"
my_data = b"Hello, World!"
par_name = "python-sdk-example-par"
print("Creating a new bucket {!r} in compartment {!r}".format(
bucket_name, compartment_id))
request = CreateBucketDetails()
request.compartment_id = compartment_id
request.name = bucket_name
bucket = object_storage.create_bucket(namespace, request)
print("Uploading new object {!r}".format(object_name))
obj = object_storage.put_object(
namespace,
bucket_name,
object_name,
my_data)
same_obj = object_storage.get_object(
namespace,
bucket_name,
object_name)
print("{!r} == {!r}: {}".format(
my_data, same_obj.data.content,
my_data == same_obj.data.content))
print('Uploading a file to object storage')
# First create a sample file
sample_content = b'a' * 1024 * 1024 * 5
with open('example_file', 'wb') as f:
f.write(sample_content)
# Then upload the file to Object Storage
example_file_object_name = 'example_file_obj'
with open('example_file', 'rb') as f:
obj = object_storage.put_object(namespace, bucket_name, example_file_object_name, f)
# Retrieve the file, streaming it into another file in 1 MiB chunks
print('Retrieving file from object storage')
get_obj = object_storage.get_object(namespace, bucket_name, example_file_object_name)
with open('example_file_retrieved', 'wb') as f:
for chunk in get_obj.data.raw.stream(1024 * 1024, decode_content=False):
f.write(chunk)
print('Uploaded and downloaded files are the same: {}'.format(filecmp.cmp('example_file', 'example_file_retrieved')))
# Creating a Pre-Authenticated Request
par_ttl = (datetime.utcnow() + timedelta(hours=24)).replace(tzinfo=pytz.UTC)
create_par_details = CreatePreauthenticatedRequestDetails()
create_par_details.name = par_name
create_par_details.object_name = object_name
create_par_details.access_type = CreatePreauthenticatedRequestDetails.ACCESS_TYPE_OBJECT_READ
create_par_details.time_expires = par_ttl.isoformat()
par = object_storage.create_preauthenticated_request(namespace_name=namespace, bucket_name=bucket_name,
create_preauthenticated_request_details=create_par_details)
# Get Object using the Pre-Authenticated Request
par_request_url = object_storage.base_client.get_endpoint() + par.data.access_uri
http = urllib3.PoolManager()
par_obj = http.request('GET', par_request_url).data.decode('utf-8')
print("Check object from PAR is same or not: {}".format(my_data == bytes(par_obj, 'utf-8')))
# Delete Pre-Authenticated Request
object_storage.delete_preauthenticated_request(namespace_name=namespace, bucket_name=bucket_name, par_id=par.data.id)
print("Deleting object {}".format(object_name))
object_storage.delete_object(namespace, bucket_name, object_name)
print("Deleting object {}".format(example_file_object_name))
object_storage.delete_object(namespace, bucket_name, example_file_object_name)
print("Deleting bucket {}".format(bucket_name))
object_storage.delete_bucket(namespace, bucket_name)For more information, see object_crud.pt Example.