User Credentials

Different types of credentials are managed through the Identity and Access Management (IAM) service:

  • Account password: for signing in to the Compute Web UI to work with cloud resources in the tenancy. Note that passwords for federated users are not managed through IAM because the identity provider controls their login activity.

  • API signing key: for sending API requests, which require authentication. These keys must be created in PEM format.

Account Passwords

When creating a new user account, the tenancy administrator generates a one-time password and delivers it to the user in a secure way. When users sign in for the first time, they are prompted to change this password. After 7 days the one-time password expires and an administrator will need to generate a new one.

After signing in successfully with the new password, users can start working with cloud resources in the tenancy, in accordance with the permissions they have been granted.

All users are allowed to change their own password, which can be done through the Compute Web UI. Users who have forgotten their password must ask a tenancy administrator to reset it for them.

After 10 unsuccessful login attempts in a row, a user is automatically locked out of the system. A tenancy administrator needs to unblock the account.

API Signing Keys

Users who need to make API requests must add an RSA public key to their user profile. Both the private and public key must be in PEM format, with a minimum length of 2048 bits. Users must generate a private/public key pair on their local machine and upload the public key to their profile.

Alternatively, a tenancy administrator can generate the API keys and complete the profile setup for all users. This is a requirement for non-human user accounts: systems that make API requests without human operation. For such systems, the administrator needs to create a user account with signing keys, but without a password.

On the system from which API requests are sent, a directory named .oci must be created inside the user's home directory. The .oci directory must contain a configuration file with the parameters required for interaction with the API server. If the private key file is not stored in the same directory, make sure the configuration file lists the correct path to it. API requests are signed using the private key.

A user account can contain a maximum of 3 API signing keys at a time. API signing keys are different from the SSH keys you use to access a compute instance.
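The client-side setup described above can be checked with a short script. This is an added example, not part of the original documentation: it confirms that the configuration file in the .oci directory points to an existing PEM private key of at least 2048 bits. It assumes the usual OCI client layout, which this page does not spell out (a file named `config` with a `[DEFAULT]` profile and a `key_file` parameter), and the file-permission check is an extra hardening check not stated on this page.

```python
import base64, configparser, os, stat
MIN_BITS = 2048  # minimum RSA key length stated above

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Modulus size of an unencrypted PKCS#1 or PKCS#8 RSA private key in PEM."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, seq, _ = _tlv(base64.b64decode(b64), 0)   # outer SEQUENCE
    _, _, pos = _tlv(seq, 0)                     # version INTEGER
    tag, val, pos = _tlv(seq, pos)
    if tag == 0x30:  # PKCS#8: AlgorithmIdentifier, then OCTET STRING holding PKCS#1
        _, inner, _ = _tlv(seq, pos)
        _, seq, _ = _tlv(inner, 0)
        _, _, pos = _tlv(seq, 0)
        tag, val, pos = _tlv(seq, pos)
    return int.from_bytes(val, "big").bit_length()

def audit_oci_dir(oci_dir):
    """Return a list of findings for the config file and private key in oci_dir."""
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(os.path.join(oci_dir, "config")):  # assumed file name
        return ["no readable config file in " + oci_dir]
    key_file = cfg.defaults().get("key_file")          # assumed parameter name
    if not key_file:
        return ["config has no key_file entry"]
    key_file = os.path.expanduser(key_file)
    if not os.path.isfile(key_file):
        return ["key_file does not exist: " + key_file]
    findings = []
    if stat.S_IMODE(os.stat(key_file).st_mode) & 0o077:  # added hardening check
        findings.append("private key is accessible to group or others")
    with open(key_file) as fh:
        pem = fh.read()
    if "PRIVATE KEY-----" not in pem:
        findings.append("key_file is not a PEM private key")
    elif "ENCRYPTED" in pem:
        findings.append("key is passphrase-protected; length not checked")
    elif rsa_modulus_bits(pem) < MIN_BITS:
        findings.append("RSA key is shorter than %d bits" % MIN_BITS)
    return findings
```

Calling `audit_oci_dir(os.path.expanduser("~/.oci"))` returns an empty list when nothing is wrong. The length check only reads the modulus field and does not validate the key itself.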