Integrate with Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM)
You can establish a connection between Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) and Oracle Access Governance by entering connection details and configuring your cloud service provider environment. To achieve this, use the Connected Systems functionality available in the Oracle Access Governance Console.
Set Up Identity Resources on OCI to Connect to Oracle Access Governance
Before you can establish a connection, you need to create, manage, and provision identity resources in your cloud tenancy.
Prerequisites
The following prerequisites must be satisfied to integrate Oracle Access Governance with OCI IAM:
- Your cloud account must use Identity Domains to manage identities on OCI.
- As a cloud administrator, you must be able to manage identities in the Default domain and manage policies in the root compartment of your tenancy.
You must set up the following in your cloud tenancy:
- Create a local identity user: agcs_user in the Default domain of your root compartment.
- Create an identity group: agcs_group in the Default domain of your root compartment.
- Edit user capabilities and select API keys for agcs_user.
- Assign identity user agcs_user to the identity group agcs_group.
- Add the following group policies in the tenancy:
ALLOW GROUP <group_name> to read all-resources IN TENANCY
ALLOW GROUP <group_name> to manage policies IN TENANCY
ALLOW GROUP <group_name> to manage domains IN TENANCY
Note:
We recommend using the Terraform script to create and manage your identity resources and avoid any technical glitches or errors during the setup. After you have set up the above-mentioned identity resources, you need to generate API keys for the identity user, and make a note of the Oracle Cloud Identifier (OCID), which you will use to configure your cloud provider.
Set up Identity Resources Manually
Follow the steps and the links provided to set up identity resources manually in your cloud tenancy.
- Create an identity user, agcs_user, in the Default domain for Oracle Access Governance access.
- Provision the user with the following capabilities:
- API keys: Select the check box for API authentication.
- Create an identity group, agcs_group, in the Default domain for Oracle Access Governance API access and user assignment.
- Assign the identity user (agcs_user) to the identity group (agcs_group).
- Create the following policies for the identity group in the root compartment:
ALLOW GROUP agcs_group to read all-resources IN TENANCY
ALLOW GROUP agcs_group to manage policies IN TENANCY
ALLOW GROUP agcs_group to manage domains IN TENANCY
Set up Identity Resources using a Script
Use a Terraform script to automatically create, manage, and provision the identity resources. Perform the following tasks for running the Terraform script:
- Create a Terraform Script File
- Copy the following script in a text editor and save it with the .tf file extension.

variable "compartment_ocid" {}
variable "region" {}

provider "oci" {
  region = var.region
}

# Identity group
resource "oci_identity_group" "agcs_group" {
  compartment_id = var.compartment_ocid
  description    = "Group for AGCS API Access"
  name           = "agcs_group"
  freeform_tags = {
    "AGCS" = "true"
  }
}

# AGCS User
resource "oci_identity_user" "agcs_user" {
  compartment_id = var.compartment_ocid
  description    = "Local User for AGCS access"
  name           = "agcs_user"
  # Replace the placeholder with the cloud administrator's email address
  email          = "<Set your email address>"
  freeform_tags = {
    "AGCS" = "true"
  }
}

# AGCS User Capabilities: API keys only, every other credential type disabled
resource "oci_identity_user_capabilities_management" "agcs_user_capabilities_management" {
  user_id                      = oci_identity_user.agcs_user.id
  can_use_api_keys             = "true"
  can_use_auth_tokens          = "false"
  can_use_console_password     = "false"
  can_use_customer_secret_keys = "false"
  can_use_smtp_credentials     = "false"
}

# AGCS Policy
resource "oci_identity_policy" "agcs_policy" {
  compartment_id = var.compartment_ocid
  description    = "AGCS Policy"
  name           = "agcs_policy"
  statements = [
    "ALLOW GROUP agcs_group to read all-resources IN TENANCY",
    "ALLOW GROUP agcs_group to manage policies IN TENANCY",
    "ALLOW GROUP agcs_group to manage domains IN TENANCY",
  ]
  freeform_tags = {
    "AGCS" = "true"
  }
}

# Group assignment
resource "oci_identity_user_group_membership" "agcs_group" {
  group_id = oci_identity_group.agcs_group.id
  user_id  = oci_identity_user.agcs_user.id
}
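The three policy statements above (the same ones listed in the manual setup) are the whole grant agcs_group receives, so it is worth checking that a stack you are about to apply contains exactly those statements and nothing broader. The following Python script is an added example, not part of the Oracle documentation or the Terraform script: it parses the subset of OCI policy grammar used on this page (`ALLOW GROUP <group> to <verb> <resource> IN TENANCY|COMPARTMENT <name>`), compares the parsed statements with the expected set, and flags any `manage all-resources` grant. The function and constant names are this example's own.

```python
import re

# Subset of the OCI IAM policy statement grammar that appears on this page:
#   ALLOW GROUP <group> to <verb> <resource-type> IN TENANCY
#   ALLOW GROUP <group> to <verb> <resource-type> IN COMPARTMENT <name>
STATEMENT_RE = re.compile(
    r"^\s*ALLOW\s+GROUP\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+"
    r"IN\s+(?P<scope>TENANCY|COMPARTMENT\s+\S+)\s*$",
    re.IGNORECASE,
)

# The statements this page tells you to create for agcs_group.
PAGE_STATEMENTS = [
    "ALLOW GROUP agcs_group to read all-resources IN TENANCY",
    "ALLOW GROUP agcs_group to manage policies IN TENANCY",
    "ALLOW GROUP agcs_group to manage domains IN TENANCY",
]

# Normalised form of the expected grant: (group, verb, resource, scope).
EXPECTED_STATEMENTS = {
    ("agcs_group", "read", "all-resources", "TENANCY"),
    ("agcs_group", "manage", "policies", "TENANCY"),
    ("agcs_group", "manage", "domains", "TENANCY"),
}


def parse_statement(stmt):
    """Parse one policy statement into a (group, verb, resource, scope) tuple.

    Keywords are case-insensitive in OCI policies, so they are normalised;
    the group and compartment names are kept exactly as written.
    """
    m = STATEMENT_RE.match(stmt)
    if not m:
        raise ValueError(f"unparseable policy statement: {stmt!r}")
    scope_words = m.group("scope").split()
    scope = " ".join([scope_words[0].upper()] + scope_words[1:])
    return (m.group("group"), m.group("verb").lower(), m.group("resource").lower(), scope)


def review_policy(statements, expected=EXPECTED_STATEMENTS):
    """Compare a list of statements with the expected set.

    Returns a dict with three sorted lists:
      missing    - expected grants that are absent
      unexpected - grants present that the page does not call for
      overbroad  - any 'manage all-resources' grant, which is far wider than
                   the read-only tenancy visibility the page asks for
    """
    parsed = {parse_statement(s) for s in statements}
    return {
        "missing": sorted(expected - parsed),
        "unexpected": sorted(parsed - expected),
        "overbroad": sorted(
            p for p in parsed if p[1] == "manage" and p[2] == "all-resources"
        ),
    }


if __name__ == "__main__":
    # Review the page's own statements, then a widened variant.
    print(review_policy(PAGE_STATEMENTS))
    widened = ["ALLOW GROUP agcs_group to manage all-resources IN TENANCY"] + PAGE_STATEMENTS[1:]
    print(review_policy(widened))
```

Run it against the `statements` list of the `oci_identity_policy` resource before submitting the stack; an empty `missing`, `unexpected` and `overbroad` result means the policy matches the page exactly.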
- Update the cloud administrator email address in the email field to a valid email address and enable creation of the identity user.
- Replace any other value that you may want to update.
- Compress the file folder and save it with the .zip file extension.
- Use the Stack Service of OCI Resource Manager to run Terraform Script
Use OCI Resource Manager to run the Terraform script. In this task, you will:
- Sign in to https://cloud.oracle.com using your Cloud Administrator credentials.
- When you have successfully logged in, select the region that corresponds to your home region. For example, from the top navigation menu, select US East (Ashburn).
- Open the navigation menu icon and select Developer Services.
- Under Resource Manager, click Stacks.
- On the left pane, choose a compartment.
- Click Create Stack. The Create Stack page is displayed with the Stack Information tab opened by default.
- Select My Configuration.
- In Stack Configuration, select the .Zip file option, and then drag and drop your Terraform zip file in the marked space.
- Enter the stack name and its description. Then, select the compartment.
- Enter Terraform version as 1.0.x and then click Next.
- If applicable, review the compartment_ocid and region variable values.
- Click Next to review the stack configuration.
- To automatically provision resources on creation of the stack, select Run apply, and then click Create. The Stack details page is displayed.
- Parse the Script and Preview the Expected Output
- On the Stack details page, click Plan.
- Modify the job name, if required, and then click Plan. The Job details page is displayed with the Accepted state. Wait for a few minutes until the job displays the Succeeded state.
- You can view the logs indicating the set of actions that this Terraform script will perform. Alternatively, you can download the logs file.
- From the navigation menu, go to Identity & Security, and check the newly created resources in the Default domain. For example:
- agcs_policy under Policies
- agcs_user under Domains → Default domain → Users
- agcs_group under Domains → Default domain → Groups
- Within agcs_group, agcs_user is assigned to that group
Generate API Keys and Oracle Cloud Identifier (OCID) to configure your Cloud Environment in the Oracle Access Governance Console
After you have set up the identity resources, you need to generate API keys for the identity user (agcs_user) and note the OCID for that identity user. You will use it to configure your cloud environment on the Oracle Access Governance Console.
- In the OCI console, from the navigation menu, go to Identity & Security → Domains, select your compartment and the Default domain, and then from the left pane, select Users.
- Select the agcs_user that the script automatically created.
- On the left pane, in the Resources section, select API keys.
- Select Add API key, and then select Generate API key pair.
- Download the private key and save it.
- Click Add. The configuration file is created displaying ocid, fingerprint, tenancy and region details. Save the information available on the configuration file in a separate text file.
Establish Connection by Adding a New Cloud Service Provider - OCI IAM
Integration with Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) is achieved by configuring a new cloud service provider with the Oracle Access Governance Console.
- In a browser, navigate to the Oracle Access Governance service home page and log in as a user with the Administrator application role.
- On the Oracle Access Governance service home page, click the menu icon and select Administration → Connected Systems. Select the Add a connected system button from the Connected Systems page.
- Select Add from the Would you like to connect to a cloud service provider? tile. This will navigate you to the Add a Cloud Service Provider workflow, which guides you through the steps required to configure Oracle Access Governance integration with Oracle Cloud Infrastructure Identity and Access Management.
- Select system is the first step of the workflow. Select the Oracle Cloud Infrastructure tile. Once selected, a value of Oracle Cloud Infrastructure is displayed on the right-hand side under What I've selected. Click Next.
- Next step is Enter details where you enter name and description for the cloud service provider. Enter values for the following:
- What do you want to call your cloud service provider?: Enter a name for the cloud service provider. Do not add space while naming your connected system.
- How do you want to describe this cloud service provider?: Optionally, enter a description for the cloud service provider.
- Next step is Configure where you add connection details for your cloud service provider. Enter the following values for your cloud service provider.
Note:
If you used the method explained in the Generate API Keys and Oracle Cloud Identifier (OCID) to configure your Cloud Environment in the Oracle Access Governance Console task to generate API keys and OCID for a user (agcs_user), then directly enter the saved values.
- What is the OCI user's OCID?: Enter the Oracle Cloud Identifier (OCID) for the OCI user you will use to connect to the target. For further information regarding OCIDs see Oracle Cloud Identifier, OCID Syntax, and Where to Get the Tenancy's OCID and User's OCID. For example,
ocid1.user.oc1..aabdgsegsccawmw2o6qraopae7egmlochlopclhnwxq6pctu6oocgn
- What is the OCI user's fingerprint?: Enter the fingerprint of the public key of the API Signing Key for the OCI instance you will be connecting to. Steps to retrieve the fingerprint can be found in How to Get the Key's Fingerprint. The fingerprint will look similar to this:
12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef
- What is the OCI user's private SSH key?: Enter the private key (.pem file) for the API Signing Key. Copy it directly from the text editor or use the cat command to print the key file from the console.
- What is the OCI tenancy OCID?: Enter the OCID for the target tenancy. For further information regarding OCIDs see Oracle Cloud Identifier, OCID Syntax, and Where to Get the Tenancy's OCID and User's OCID.
- What is the OCI tenancy's home region?: Enter the home region for the target OCI tenancy, using the region identifier. The region identifier for your home region can be found in Regions; the identifier for US East (Ashburn) is us-ashburn-1, for example. For further information on home region, see The Home Region, and How do I find my tenancy home region?.
Note:
You cannot create multiple connected systems using the same tenancy ID. Use a unique tenancy for each system.
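The values entered in the Configure step (user OCID, fingerprint, tenancy OCID, home region) all come from the configuration file the OCI console displays after Add API key, and a typo in any of them only surfaces as a failed connection later. The following Python script is an added example, not part of the Oracle documentation or the Oracle Access Governance product: it reads a config block in the `[DEFAULT]` layout the console shows (user, fingerprint, tenancy, region, key_file), checks OCID syntax, the 16-octet fingerprint format, the region-identifier format and that user and tenancy belong to the same realm, and recomputes the API-key fingerprint from a public-key PEM the same way the OCI documentation's openssl command does (MD5 over the DER-encoded public key). The sample config (tenancy OCID) and the sample public key embedded below are constructed stand-ins; the user OCID is the example from this page, and all function names are this example's own.

```python
import base64
import configparser
import hashlib
import re

# Constructed sample in the layout the OCI console displays after "Add API key".
# The user OCID is the example from this page; the tenancy OCID is made up.
SAMPLE_CONFIG = """\
[DEFAULT]
user=ocid1.user.oc1..aabdgsegsccawmw2o6qraopae7egmlochlopclhnwxq6pctu6oocgn
fingerprint=12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef
tenancy=ocid1.tenancy.oc1..aaaaaaaaconstructedtenancyexample0000000000000000000000
region=us-ashburn-1
key_file=<path to your private keyfile> # TODO
"""

# Constructed stand-in for a "-----BEGIN PUBLIC KEY-----" PEM file: the base64
# body is NOT a real key, it only exercises the PEM-to-fingerprint path.
SAMPLE_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"constructed-not-a-real-der-encoded-public-key").decode()
    + "\n-----END PUBLIC KEY-----\n"
)

# OCID syntax: ocid1.<resource type>.<realm>.[region].<unique id>
OCID_RE = re.compile(
    r"^ocid1\.(?P<type>[a-z]+)\.(?P<realm>oc[0-9]+)\.(?P<region>[a-z0-9-]*)\.(?P<id>[a-z0-9]+)$"
)
# API-key fingerprint: 16 colon-separated lowercase hex octets
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")
# Region identifier such as us-ashburn-1 or uk-london-1
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-[0-9]+$")


def public_key_fingerprint(pem_text):
    """Fingerprint of a PEM public key as OCI displays it: MD5 of the DER bytes,
    colon-separated (equivalent to `openssl rsa -pubout -outform DER | openssl md5 -c`)."""
    body = "".join(
        line.strip() for line in pem_text.strip().splitlines() if not line.startswith("-----")
    )
    digest = hashlib.md5(base64.b64decode(body)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def validate_config(text, public_key_pem=None):
    """Return a list of problems found in the config block; an empty list means it is consistent.
    If public_key_pem is given, the fingerprint in the config must match that key."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cp.read_string(text)
    section = cp["DEFAULT"]
    problems = []

    user = OCID_RE.match(section.get("user", ""))
    tenancy = OCID_RE.match(section.get("tenancy", ""))
    if not user or user.group("type") != "user":
        problems.append("user is not a well-formed user OCID")
    if not tenancy or tenancy.group("type") != "tenancy":
        problems.append("tenancy is not a well-formed tenancy OCID")
    if user and tenancy and user.group("realm") != tenancy.group("realm"):
        problems.append("user and tenancy OCIDs belong to different realms")

    fingerprint = section.get("fingerprint", "")
    if not FINGERPRINT_RE.match(fingerprint):
        problems.append("fingerprint is not 16 colon-separated hex octets")
    if not REGION_RE.match(section.get("region", "")):
        problems.append("region is not a region identifier such as us-ashburn-1")
    if public_key_pem is not None and public_key_fingerprint(public_key_pem) != fingerprint:
        problems.append("fingerprint does not match the supplied public key")
    return problems


if __name__ == "__main__":
    print("format check:", validate_config(SAMPLE_CONFIG) or "OK")
    print("with sample key:", validate_config(SAMPLE_CONFIG, SAMPLE_PUBLIC_KEY_PEM))
```

Paste the saved configuration text into `SAMPLE_CONFIG` (or read it from the file) and pass the public key that was uploaded for agcs_user to `validate_config`; a fingerprint mismatch usually means the key pair that was downloaded is not the one registered on the user.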
Copyright © 2022, 2023, Oracle and/or its affiliates.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.