Connect to Oracle Object Storage
Learn to create a connection to Oracle Object Storage to use as a target with OCI GoldenGate.
Before you begin
If you want to use resource principals to authenticate and connect to an OCI resource, ensure that you:
- Create a dynamic group for your deployment. You can choose to authorize a single deployment or all deployments in a compartment or tenancy. See Writing matching rules to define dynamic groups. For example:
    ALL {resource.type = 'goldengatedeployment', resource.compartment.id = 'compartment_ocid'}
- Add the required policies for the dynamic group. For example:
    allow dynamic-group <dynamic-group-name> to manage object-family in tenancy
If you want to use Vault and Secrets, ensure that you add the policies to enable access, such as use secrets, use vaults, and read secret-bundles. For more information, see Minimum recommended policies.
Create the connection
To create an Oracle Object Storage connection:
1. From the OCI GoldenGate Overview page, select Connections.
   You can also select Create Connection under the Get started section and skip to step 3.
2. On the Connections page, select Create Connection.
3. On the Create Connection page, complete the fields as follows:
   - For Name, enter a name for the connection.
   - (Optional) For Description, enter a description that helps you distinguish this connection from others.
   - (For GoldenGate on Multicloud only) Select your Subscription, and then complete the following fields.
      - From the Compartment dropdown, select the compartment in which the Resource Anchor resides.
      - Select the Multicloud partner region.
      - Select your Partner availability zone. The available options populate based on the selected Multicloud partner region.
   - For Compartment, select the compartment in which to create the connection.
   - For Type, select Oracle Object Storage.
   - For Region, select the Oracle Object Storage region.
   - For User, select one of the following options:
      - Use current tenancy and user, and then enter the following information:
         - Select the Private key secret. If located in a different compartment, use the dropdown to change compartments.
         - (Optional) Select the Private key passphrase secret. If located in a different compartment, use the dropdown to change compartments.
         - For Public key fingerprint, enter the API key created for the user.
      - Use resource principal to authenticate and access other OCI resources.
      - Specify another tenancy and user, and then enter the following information:
         - Enter the Tenancy OCID.
         - Enter the User OCID.
         - Select the Private key secret. If located in a different compartment, use the dropdown to change compartments.
         - Select the Private key passphrase secret. If located in a different compartment, use the dropdown to change compartments.
         - For Public key fingerprint, enter the API key created for the user.
      Note:
      - Secrets are credentials such as passwords, certificates, SSH keys, or authentication tokens that you use with OCI services. To create a secret, see Creating a secret. Ensure that you:
         - Select Manual secret generation.
         - Paste the credentials into Secret contents.
      - If you prefer not to use password secrets, ensure that you deselect Use secrets in vault in the Security section under Advanced Options, located at the bottom of this form.
      - When you need to update the Secret content, ensure that you:
         - Create a new Secret version using the Plain-Text template and provide the updated content. For more information, see Updating a Secret’s Content.
         - Refresh the connection to clear cached Secret content.
   - Expand Show advanced options. You can configure the following options:
      - Security
         - Deselect Use vault secrets if you prefer not to use password secrets for this connection. If not selected:
            - Select Use Oracle-managed encryption key to leave all encryption key management to Oracle.
            - Select Use customer-managed encryption key to select a specific encryption key stored in your OCI Vault to encrypt your connection credentials.
      - Network connectivity
         - Shared endpoint, to share an endpoint with the assigned deployment. You must allow connectivity from the deployment's ingress IP.
         - Dedicated endpoint, for network traffic through a dedicated endpoint in the assigned subnet in your VCN. You must allow connectivity from this connection's ingress IPs.
           Note:
           - If a dedicated connection remains unassigned for seven days, then the service converts it to a shared connection.
           - Learn more about Oracle GoldenGate connectivity.
      - Security attributes: Add security attributes to control access to this connection using Zero Trust Packet Routing (ZPR).
      - Tags: Add tags to organize your resources.
4. Select Create.
After the connection is created, it appears in the Connections list. Ensure that you assign the connection to a deployment to use it as a target in a replication.
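A connection that pairs a Private key secret with a Public key fingerprint from a different API key will fail to authenticate, so it is worth checking the pair before pasting the key into Secret contents. The script below is an added example, not part of Oracle's documentation: it assumes OpenSSL is installed and that the fingerprint is the colon-separated MD5 of the DER-encoded public key, and the function names and the KEY_PASSPHRASE variable are hypothetical.

```sh
#!/bin/sh
# Added example (not Oracle's code). Function names and KEY_PASSPHRASE are
# hypothetical. Assumes OpenSSL is available on the workstation.

# oci_fingerprint KEY_PEM
# Prints the API-key fingerprint: MD5 over the DER-encoded public key,
# as colon-separated lowercase hex. Returns 1 if the key cannot be read.
oci_fingerprint() {
    der=$(mktemp) || return 1
    if [ -n "${KEY_PASSPHRASE:-}" ]; then
        # KEY_PASSPHRASE must be exported so openssl can read it.
        openssl pkey -in "$1" -passin env:KEY_PASSPHRASE \
            -pubout -outform DER -out "$der" 2>/dev/null
    else
        # Empty passphrase: an encrypted key fails here instead of prompting.
        openssl pkey -in "$1" -passin pass: \
            -pubout -outform DER -out "$der" 2>/dev/null
    fi || { rm -f "$der"; return 1; }
    # Strip the "MD5(stdin)= " prefix that openssl prints before the digest.
    openssl md5 -c <"$der" | sed 's/^.*= *//'
    rm -f "$der"
}

# check_fingerprint KEY_PEM EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if either input is unusable.
check_fingerprint() {
    actual=$(oci_fingerprint "$1") || { echo "cannot read key: $1" >&2; return 2; }
    # Normalise the value copied from the console (case, stray spaces).
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' ')
    case $expected in
        ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??) ;;
        *) echo "expected value is not a 16-byte fingerprint" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "match: $actual"
    else
        echo "MISMATCH: key gives $actual, expected $expected" >&2
        return 1
    fi
}

# Stand-alone use: sh check_fp.sh /path/to/key.pem 'aa:bb:...'
if [ "$#" -eq 2 ]; then check_fingerprint "$1" "$2"; fi
```

Run it on the workstation that holds the key file, and export KEY_PASSPHRASE only for the duration of the check if the key is encrypted.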
Next steps
Known Issues
Oracle Object Storage replication error when using Resource Principal
If your Oracle Object Storage connection uses Resource Principal authentication, the Replicat fails with the following error:
ERROR 2025-06-12 14:48:16.000489 [main] - An exception has occurred: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "path" is null java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "path" is null
Workaround: To work around this issue, edit the connection, and then select a different authentication method.
User OCID Mismatch in Oracle Object Storage connection (Federated users only)
If a federated user selects Use current user when creating an Oracle Object Storage connection, their OCID doesn’t match the OCID picked up by the system.
Workaround: When you create an Oracle Object Storage connection, ensure that you choose Specify another user, and then enter the federated user’s OCID.
To find the user OCID, select Profile in the Oracle Cloud console global header, and then select the user name. On the User Details page, under User Information, select Show for OCID.