Prerequisites
To use the authentication_oci plugin, you need an authentication key-pair, a configuration file, and properly defined policy statements.
To use the authentication_oci plugin, you require the following:
- Either of the following credentials:
  - An API key-pair: Local or provisioned users can use a public-private API key-pair that is properly registered in IAM and an API fingerprint. You need the key-pair and fingerprint for every individual user and mapped group member. See Required Keys and OCIDs.
  - An IAM security token: Local, federated, or provisioned users can use an IAM security token generated using the Oracle Cloud Infrastructure command-line interface. See Generating an IAM Security Token.
- A configuration file with a valid fingerprint and key_file value. For authentication using an IAM security token, specify a valid security_token_file value. See SDK and CLI configuration file.
- The following policy statement defined in each tenancy you intend to connect:
ALLOW service mysql_dp_auth TO {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT} IN TENANCY
This policy statement must be attached to the root compartment so that it covers the whole tenancy. To do this, make sure you have the root compartment selected when you add the policy, and use the IN TENANCY parameter. You can create a policy like this in a sub-compartment if you use IN COMPARTMENT <CompartmentName> in place of IN TENANCY, but that is not sufficient to use the authentication_oci plugin. If the statement returns an error, double-check what compartment you are in, and choose the root compartment.