About Identity and Access Management (IAM) Authentication with Autonomous Database

You can enable an Autonomous Database instance to use Oracle Cloud Infrastructure (IAM) authentication and authorization for users.

Note:

Autonomous Database integration with Oracle Cloud Infrastructure IAM is supported in commercial regions with identity domains as well as in the legacy IAM, which does not include identity domains. IAM with identity domains was introduced with new Oracle Cloud Infrastructure tenancies that were created after November 8, 2021. Autonomous Database supports users and groups in default and non-default identity domains.

Oracle Cloud Infrastructure IAM integration with Autonomous Database supports the following:

See Authenticating and Authorizing IAM Users for Oracle Autonomous Databases for complete details about the architecture for using IAM users on Autonomous Database.

IAM Database Password Authentication

You can enable an Autonomous Database instance to allow user access with an Oracle Cloud Infrastructure IAM database password (using a password verifier).

Note:

Any supported 12c and above database client can be used for IAM database password access to Autonomous Database.

An Oracle Cloud Infrastructure IAM database password allows an IAM user to log in to an Autonomous Database instance as Oracle Database users typically log in with a user name and password. The user enters their IAM user name and IAM database password. An IAM database password is a different password than the Oracle Cloud Infrastructure Console password. Using an IAM user with the password verifier you can login to Autonomous Database with any supported database client.

For password verifier database access, you create the mappings for IAM users and OCI applications to the Autonomous Database instance. The IAM user accounts themselves are managed in IAM. The user accounts and user groups can be in either the default domain or in a custom, non-default domain.

Identity and Access Management (IAM) SSO Token Based Authentication

You can enable an Autonomous Database instance to use Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) SSO tokens.

For token verifier database access, you create the mappings for IAM users and OCI applications to the Autonomous Database instance. The IAM user accounts themselves are managed in IAM. The user accounts and user groups can be in either the default domain or in a custom, non-default domain.

There are several ways a database client can obtain an IAM database token:

  • A client application or tool can request the database token from IAM for the user and can pass the database token through the client API. Using the API to send the token overrides other settings in the database client. Using IAM tokens requires the latest Oracle Database client 19c (at least 19.16). Some earlier clients provide a limited set of capabilities for token access.

  • If the application or tool does not support requesting an IAM database token through the client API, the IAM user can first use Oracle Cloud Infrastructure command line interface (CLI) to retrieve the IAM database token and save it in a file location. For example, to use SQL*Plus and other applications and tools using this connection method, you first obtain the database token using the Oracle Cloud Infrastructure (OCI) Command Line Interface (CLI). If the database client is configured for IAM database tokens, when a user logs in with the slash login form, the database driver uses the IAM database token that has been saved in a default or specified file location.

  • A client application or tool can use an Oracle Cloud Infrastructure IAM instance principal or resource principal to get an IAM database token, and use the IAM database token to authenticate itself to an Autonomous Database instance.

  • IAM users and OCI applications can request a database token from IAM with several methods, including using an API-key. See Configuring a Client Connection for SQL*Plus That Uses an IAM Token for an example. See About Authenticating and Authorizing IAM Users for an Oracle Autonomous Database for a description of other methods such as using a delegation token within an OCI cloud shell.