Prerequisites

To use the authentication_oci plugin, you need credentials (an API key-pair or an IAM security token), a configuration file, and properly defined policy statements.

To use the authentication_oci plugin, you require the following:

  • Either of the following credentials:
    • An API key-pair: Local or provisioned users can use a public-private API key-pair that is properly registered in IAM and an API fingerprint. You need the key-pair and fingerprint for every individual user and mapped group member. See Required Keys and OCIDs.
    • An IAM security token: Local, federated, or provisioned users can use an IAM security token generated using the Oracle Cloud Infrastructure command-line interface. See Generating an IAM Security Token.
  • A configuration file with a valid fingerprint and key_file value. For authentication using an IAM security token, specify a valid security_token_file value. See SDK and CLI configuration file.
  • The following policy statement defined in each tenancy you intend to connect:
    Allow service mysql_dp_auth to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, 
      DYNAMIC_GROUP_INSPECT} IN TENANCY

    This policy statement must be attached to the root compartment so that it covers the whole tenancy. To do this, you have to select the root compartment when you add the policy, and use the IN TENANCY parameter. It does not work if it is created in a sub-compartment with IN COMPARTMENT <CompartmentName> in place of IN TENANCY.

    The above policy is deprecated as of version 9.4.0 and will be removed in a later version. For version 9.4.0 or later, use the following policy instead:
    Allow any-user to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, 
      DYNAMIC_GROUP_INSPECT} in tenancy where request.principal.type = 'mysqldbsystem'
    Note
    If you want to use principals across different tenancies, you need an Admit policy in the target tenancy (where the users and groups are defined) and an Endorse policy in the resource tenancy (where the HeatWave DB system is created), as described below.
    • Define the following in the target tenancy containing the users and groups:
      Define tenancy <resource_tenancy_name> AS <resource_tenancy_OCID>
      Admit any-user of tenancy <resource_tenancy_name> TO {AUTHENTICATION_INSPECT, 
        GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT} in tenancy 
        where request.principal.type = 'mysqldbsystem'
    • Define the following in the resource tenancy containing the DB system:
      Define tenancy <target_tenancy_name> AS <target_tenancy_OCID>
      Endorse any-user to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, 
        DYNAMIC_GROUP_INSPECT} in tenancy <target_tenancy_name> 
        where request.principal.type = 'mysqldbsystem'

Generating an IAM Security Token

Local, federated, or provisioned users can use an IAM security token to authenticate via the authentication_oci plugin.

Using the CLI

Use the Oracle Cloud Infrastructure command-line interface to generate an IAM security token.

  1. Run the following command in the Oracle Cloud Infrastructure command-line interface:
    oci session authenticate
  2. When prompted, choose the region.
    A web browser is launched.
  3. In the browser, enter your user credentials.
  4. Enter the profile name you would like to create in the command-line interface.
    The IAM security token is generated along with an ephemeral key-pair, and the authentication information is saved to the .config file. By default, the security token expires after one hour.
  5. (Optional) To extend the security token for another hour while it is still valid, run the following command:
    oci session refresh --profile <profile_name>
    You can keep refreshing the token for up to 24 hours.
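The following script is an added example (not part of the Oracle documentation or the OCI CLI) that ties the two sections above together: it reads a profile from an OCI CLI configuration file, verifies the values the plugin prerequisites call for (fingerprint and key_file, plus security_token_file for token-based authentication), checks that the private key is not readable by other local users, and uses the one-hour expiry and 24-hour refresh limit stated above to decide whether oci session refresh or a fresh oci session authenticate is needed. The profile name heatwave-session, the file names, the OCIDs and the fingerprints are constructed placeholders; the private-key permission rule (mode 0600) is a local hardening choice, not an OCI requirement; and treating the token file's modification time as its issue time is an assumption.

```python
"""Check an OCI CLI config profile against the authentication_oci prerequisites
and decide whether a session token needs refreshing (added example, stdlib only)."""
import configparser
import os
import tempfile
import time
from pathlib import Path

# Lifetimes stated in the documentation: a session token expires after one hour
# and can be refreshed for up to 24 hours after the initial authentication.
TOKEN_LIFETIME_S = 60 * 60
MAX_REFRESH_WINDOW_S = 24 * 60 * 60


def load_profile(config_path, profile="DEFAULT"):
    """Return one profile of an OCI CLI config file as a plain dict."""
    parser = configparser.ConfigParser()
    if not parser.read(config_path):
        raise FileNotFoundError(config_path)
    if profile != parser.default_section and not parser.has_section(profile):
        raise KeyError(f"profile {profile!r} not found in {config_path}")
    return dict(parser[profile])


def check_profile(values):
    """Return a list of problems; an empty list means the prerequisites are met."""
    problems = []
    # Both authentication modes need a fingerprint and a key_file.
    for key in ("fingerprint", "key_file"):
        if not values.get(key):
            problems.append(f"missing {key}")
    key_file = values.get("key_file")
    if key_file:
        key_path = Path(key_file).expanduser()
        if not key_path.is_file():
            problems.append(f"key_file does not exist: {key_path}")
        elif key_path.stat().st_mode & 0o077:
            # Local hardening choice (assumption): a private key that other local
            # users can read is a credential leak, so require mode 0600.
            problems.append(f"key_file is accessible to other users: {key_path}")
    return problems


def auth_mode(values):
    """'security_token' when security_token_file is configured, else 'api_key'."""
    return "security_token" if values.get("security_token_file") else "api_key"


def token_status(token_file, now=None):
    """Classify a token file as 'missing', 'valid', 'refreshable' or 'expired'.

    Assumption: the file's modification time is when the CLI last wrote the
    token. The 24-hour limit counts from the original 'oci session authenticate',
    so after a refresh this is optimistic; a rejected refresh must fall back to
    authenticating again.
    """
    token_path = Path(token_file).expanduser()
    if not token_path.is_file():
        return "missing"
    age = (time.time() if now is None else now) - token_path.stat().st_mtime
    if age < TOKEN_LIFETIME_S:
        return "valid"
    if age < MAX_REFRESH_WINDOW_S:
        return "refreshable"
    return "expired"


def next_command(profile, values, now=None):
    """Return the documented CLI command that keeps the session usable, or None."""
    if auth_mode(values) != "security_token":
        return None  # an API key-pair does not expire on a timer
    status = token_status(values["security_token_file"], now)
    if status == "valid":
        return None
    if status == "refreshable":
        return ["oci", "session", "refresh", "--profile", profile]
    return ["oci", "session", "authenticate"]


def run_demo():
    """Build a throwaway config with one profile per mode and report on both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        api_key = tmp / "api_key.pem"
        api_key.write_text("-- constructed placeholder, not a real key --\n")
        api_key.chmod(0o600)
        session_key = tmp / "session_key.pem"
        session_key.write_text("-- constructed placeholder, not a real key --\n")
        session_key.chmod(0o644)  # deliberately too permissive
        token = tmp / "token"
        token.write_text("constructed-placeholder-token\n")
        issued = time.time() - 2 * TOKEN_LIFETIME_S  # written two hours ago
        os.utime(token, (issued, issued))
        (tmp / "config").write_text(
            "[DEFAULT]\n"
            "user=ocid1.user.oc1..placeholder\n"
            "fingerprint=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99\n"
            f"key_file={api_key}\n"
            "tenancy=ocid1.tenancy.oc1..placeholder\n"
            "region=us-ashburn-1\n\n"
            "[heatwave-session]\n"
            "fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff\n"
            f"key_file={session_key}\n"
            f"security_token_file={token}\n"
            "tenancy=ocid1.tenancy.oc1..placeholder\n"
            "region=us-ashburn-1\n"
        )
        for profile in ("DEFAULT", "heatwave-session"):
            values = load_profile(tmp / "config", profile)
            results[profile] = {
                "mode": auth_mode(values),
                "problems": check_profile(values),
                "next_command": next_command(profile, values),
            }
    return results


if __name__ == "__main__":
    for profile, report in run_demo().items():
        print(profile, report)
```

Run it as-is to see the two constructed profiles reported: the API key-pair profile passes with nothing to do, while the session profile is flagged for a world-readable key file and, because its token was written two hours ago, is told to run oci session refresh --profile heatwave-session. Point load_profile at your own ~/.oci/config to check a real profile. Note that configparser applies [DEFAULT] values to every other profile, which matches how the OCI SDK reads the same file.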