Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Enable Auto Rotation of Oracle Cloud Infrastructure Identity and Access Management Credentials

Introduction

This tutorial helps to auto rotate Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) credentials that is API key, Auth token, Customer secret keys and OCI Console log in passwords. It is based on Oracle Cloud Guard problem remediation and OCI Notifications service. It also fulfills the gap of default responder rules to rotate the OCI IAM credentials.

Oracle Cloud Guard detects problems based on rules defined in the policies. Once a rule is satisfied, it creates a problem.

It is a security best practice and recommended by The Center for Internet Security Oracle Cloud Infrastructure Foundations (CIS OCI Foundations) Benchmark to rotate the credentials every 90 days.

Note: This solution has been tested for a default identity domain.

Objectives

• Rotate the Oracle Cloud Infrastructure (OCI) Auth token, API key, Customer secret key and OCI Console password through automation by remediating Oracle Cloud Guard problem. The following Oracle Cloud Guard problems are utilized for auto rotation of OCI IAM credentials.

  • API key is too old
  • IAM Auth token is too old
  • IAM Customer secret key is too old
  • Password is too old

Prerequisites

OCI IAM administrator should create:

• Dynamic group and policies for OCI Functions to invoke, remediate problem and send email notification.

  • Dynamic Group: Create dynamic group for function compartment. For more information, see Creating a Dynamic Group.

    # Replace OCID for function compartment
    All {resource.type = 'fnfunc', resource.compartment.id = '<function-compartment>'}
    
    Example:
    All {resource.type = 'fnfunc', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaanovmfmmnonjjyxeq4jyghszj2eczlrkgj5svnxrt...'}
    

  • Policies: Create policies to assign dynamic group for function. For more information, see Getting Started with Policies.

    # Replace dynamic-group-name, function-compartment and OCID of vault secret for OCI function
    
    Allow dynamic-group <dynamic-group-name> to inspect compartments in tenancy
    Allow dynamic-group <dynamic-group-name> to inspect users in tenancy
    Allow dynamic-group <dynamic-group-name> to manage users in tenancy where any {request.permission = 'USER_UPDATE', request.permission = 'USER_AUTHTOKEN_SET', request.permission = 'USER_AUTHTOKEN_REMOVE', request.permission = 'USER_SECRETKEY_ADD', request.permission = 'USER_SECRETKEY_REMOVE', request.permission = 'USER_UIPASS_SET', request.permission = 'USER_APIKEY_ADD', request.permission = 'USER_APIKEY_REMOVE'}
    Allow dynamic-group <dynamic-group-name> to read repos in compartment <function-compartment>
    Allow dynamic-group <dynamic-group-name> to use secret-family in compartment <vault-compartment> where target.secret.id='<ocid of OCI vault secret to store rotated OCI secrets>'
    Allow dynamic-group <dynamic-group-name> to use ons-topics in tenancy
    

• Compartment, group and policies for developer to create secrets and deploy the function.

  # Replace group-name as per your tenancy
  Allow group <group-name> to manage repos in compartment <function-compartment>
  Allow group <group-name> to manage vaults in compartment <function-compartment>
  Allow group <group-name> to manage keys in compartment <function-compartment>
  Allow group <group-name> to manage secret-family in compartment <function-compartment>
  Allow group <group-name> to manage functions-family in compartment <function-compartment>
  Allow group <group-name> to use cloud-shell in tenancy
  Allow group <group-name> to use virtual-network-family in compartment <network-compartment>
  Allow group <group-name> to read objectstorage-namespaces in tenancy
  

• OCI Notifications Topic for SecOps team to receive email notifications.

• Oracle Cloud Infrastructure Secrets in Vault to store rotated OCI IAM credentials created by automation.

  Note : Make sure you have copied existing OCI IAM credentials for Oracle Cloud Infrastructure Secrets in Vault before running this automation for the first time.

Task 1: Create and Deploy OCI Functions

1. Log in to the OCI Console and click Cloud Shell from the top navigation.

   Note: You can also use your own IDE tool to create and deploy a function.

2. Create a function using Fn project CLI from cloud shell. For more information, see Creating, Deploying, and Invoking a Helloworld Function.

   fn init --runtime python <function-name>
   
   Example: fn init --runtime python rotatecred-func
   

3. Change the directory to the newly created directory.

4. Create app to deploy the function using the following command.

   # Specify the OCID of subnet
   fn create app <app-name> --annotation oracle.com/oci/subnetIds='["<subnet OCID>"]'
   
   Example:  fn create app rotatecredapp --annotation oracle.com/oci/subnetIds='["ocid1.subnet.oc1.ap-mumbai-1.aaaaaaaabitp32dkyox37qa3tk3evl2nxivwb....."]'
   

5. Copy and paste the following script in func.py by overwriting the existing content.

   # python script for auto rotation of OCI IAM credentials
   import io
   import json
   import logging
   import oci
   import base64
   from fdk import response
   from Cryptodome.PublicKey import RSA
   
   # Get Resource Principal Credentials
   signer = oci.auth.signers.get_resource_principals_signer()
   
   # Initialize client
   identity_client = oci.identity.IdentityClient(config={}, signer=signer)
   onsclient = oci.ons.NotificationDataPlaneClient(config={}, signer=signer)
   vault_client = oci.vault.VaultsClient(config={}, signer=signer)
   
   # Get tenancy id and name
   tenancy_data = identity_client.get_tenancy(tenancy_id=signer.tenancy_id).data
   t_name = str(tenancy_data.name)
   t_id = signer.tenancy_id
   
   # Get secret OCID from comments
   def get_secret_ocids(comments_items,find_name):
      secret_ocid = ""
      for comment in comments_items:
         if comment.split(":")[0] == find_name:
               secret_ocid = comment.split(":")[1]
      return secret_ocid
   
   # Function to store secret in OCI vault
   def update_secret(vault_client,secret_id,new_value):
      # Base64 encode
      new_token_ascii = new_value.encode("ascii")
      base64_bytes = base64.b64encode(new_token_ascii)
      base64_string = base64_bytes.decode("ascii")
   
      # Create new version of secret
      vault_client.update_secret(secret_id=secret_id,update_secret_details=oci.vault.models.UpdateSecretDetails(secret_content=oci.vault.models.Base64SecretContentDetails(content_type="BASE64", content=base64_string)))
   
   def handler(ctx, data: io.BytesIO=None):
      try:
         cfg = ctx.Config()
         ons_topic = cfg["ons_topic"]
         body = json.loads(data.getvalue())
   
         # Get common parameters values
         e_time = str(body["eventTime"]).lstrip()
         problem_name = str(body["data"]["additionalDetails"]["problemName"]).lstrip()
         status = "NOT RESOLVED"
         resource_name = str(body["data"]["resourceName"]).lstrip()
         user_ocid = str(body["data"]["additionalDetails"]["problemAdditionalDetails"]["User OCID"]).lstrip()
         target_resource_name = str(body["data"]["additionalDetails"]["resourceName"]).lstrip()
         target_resource_id = str(body["data"]["additionalDetails"]["resourceId"]).lstrip()
         risk_level = str(body["data"]["additionalDetails"]["riskLevel"]).lstrip()
         comments = str(body["data"]["additionalDetails"]["problemAdditionalDetails"]["comments"]).lstrip()
         comments_items = comments.split(",")
         additional_details = "\r\r\nAction : Closure comments was not in required format hence, no action by automation."
   
         try:
               # Check Problem Type
               if problem_name == "PASSWORD_TOO_OLD":
                  identity_client.create_or_reset_ui_password(user_id=user_ocid)
                  additional_details = "\r\r\nAction : Your password has been reset by the System Administrator as per password policy rotation. Please set new password by clicking on forgot password from OCI console. "
                  status = "RESOLVED"
   
               elif problem_name == "AUTH_TOKEN_TOO_OLD":
                  auth_secret_ocid = get_secret_ocids(comments_items,"auth_secret_ocid")
                  if auth_secret_ocid != "":
                     # Delete existing auth token
                     identity_client.delete_auth_token(user_id=user_ocid, auth_token_id=target_resource_id)
                     # Create new auth token
                     create_auth_token_response = identity_client.create_auth_token(
                     create_auth_token_details=oci.identity.models.CreateAuthTokenDetails(description=target_resource_name),user_id=user_ocid).data
                     new_value = create_auth_token_response.token
                     # Store new auth token in vault secret
                     update_secret(vault_client,auth_secret_ocid,new_value)
                     additional_details = '\r\nAuth Token - Secret OCID : ' + auth_secret_ocid
                     status = "RESOLVED"
   
               elif problem_name == "SECRET_KEY_TOO_OLD":
                  access_id_secret_ocid = get_secret_ocids(comments_items, "accesskey_secret_ocid")
                  secret_key_secret_ocid = get_secret_ocids(comments_items, "secretkey_secret_ocid")
                  if access_id_secret_ocid != "" and secret_key_secret_ocid != "":
                     # Delete existing customer secrete key
                     delete_secret_key_response = identity_client.delete_customer_secret_key(user_ocid, target_resource_id).data
                     # Create new customer secret key
                     create_customer_secret_key_response = identity_client.create_customer_secret_key(create_customer_secret_key_details=oci.identity.models.CreateCustomerSecretKeyDetails(display_name=target_resource_name),user_id=user_ocid).data
                     new_secret_key = str(create_customer_secret_key_response.key)
                     new_access_key_id = str(create_customer_secret_key_response.id)
                     # Store new customer secret key in vault secret
                     update_secret(vault_client,secret_key_secret_ocid,new_secret_key)
                     update_secret(vault_client,access_id_secret_ocid,new_access_key_id)
                     additional_details = '\r\nAccess Key - Secret OCID : ' + access_id_secret_ocid + \
                              '\r\nSecret Key - Secret OCID : ' + secret_key_secret_ocid
                     status = "RESOLVED"
   
               elif problem_name == "API_KEY_TOO_OLD":
                  key_fingerprint = target_resource_id.split("/")[2]
                  api_secret_ocid = get_secret_ocids(comments_items,"api_secret_ocid")
                  if api_secret_ocid != "":
                     key = RSA.generate(2048)
                     key_private = key.exportKey()
                     pubkey = key.publickey()
                     key_public = pubkey.exportKey()
                     # Delete existing API key
                     delete_api_key_response = identity_client.delete_api_key(user_id=user_ocid,fingerprint=key_fingerprint)
                     # Upload new public API key in OCI for the user
                     upload_api_key_response = identity_client.upload_api_key(user_id=user_ocid,
                                                                              create_api_key_details=oci.identity.models.CreateApiKeyDetails(
                                                                                    key=key_public.decode()))
                     # Store content of new private key in vault secret
                     update_secret(vault_client,api_secret_ocid,key_private.decode())
                     additional_details = '\r\nSecret OCID for private API key : ' + api_secret_ocid
                     status = "RESOLVED"
         except Exception as e:
               additional_details = '\r\r\n Error: '+ str(e)
   
         # Message Body Customization, it can be updated as per need
         line_head = 'Oracle Cloud Notification' + '\n====================='
         message_body = line_head + \
                        '\r\r\nProblem Name : ' + problem_name + \
                        '\r\r\nRisk Level : ' + risk_level + \
                        '\r\nEvent Time : ' + e_time + \
                        '\r\nTenancy Name : ' + t_name + \
                        '\r\nTenancy ID : ' + t_id + \
                        '\r\r\nAdditional Details : ' + '\n-------------------------' \
                        '\r\nResource Name : ' + target_resource_name + \
                        '\r\nResource ID : ' + target_resource_id + \
                        '\r\nResource User OCID : ' + user_ocid + ' ' + additional_details
   
         # Message Title
         message_title = 'Problem : ' + resource_name + ' | ' + status +' by automation '
   
         # Message Detail
         message_details = oci.ons.models.MessageDetails(body=message_body, title=message_title)
   
         # Publish message to ONS
         onsclient.publish_message(ons_topic, message_details)
   
      except (Exception, ValueError) as ex:
         logging.getLogger().info('error parsing json payload: ' + str(ex))
   
      return response.Response(ctx, response_data=json.dumps({"message": "success"}),headers={"Content-Type": "application/json"})
   

6. Update requirements.txt as shown below.

   fdk>=0.1.59
   oci
   pycryptodomex
   

7. Run the following command to deploy the function.

   fn -v deploy --app <app-name>
   
   Example: fn -v deploy --app rotatecredapp
   

8. Execute the following command to add function configuration for config key and value.

   • ons_topic : Use Oracle Cloud Identifier (OCID) of notification topic for receiving email notification.

   fn config function <app-name> <function-name> <config-key> <config-value>
   
   Example: fn config function rotatecredapp rotatecred-func ons_topic ocid1.onstopic.oc1.ap-mumbai-1.aaaaaaaau3onlufcfz.......kae26637zovwd7q
   

Task 2: Create a Event Rule

1. Go to OCI Console and click Observability & Management.

2. Under Events Service, click Rules and Create Rule.

3. In the Create Rule page, enter the Name for the rule and the Description of what the rule does.

4. In the Rule Conditions section, enter the following information to specify event type and action to trigger the function.

   • Condition: Event Type.
   • Service Name: Cloud Guard.
   • Event Type: Remediated-Problem.
   • Attribute Name: ProblemRecommendation.
   • Attribute Values:
     • Rotate IAM Console password regularly, at least every 90 days.,
     • Rotate IAM Auth token regularly, at least every 90 days.,
     • Rotate IAM Customer secret keys regularly, at least every 90 days.,
     • Rotate API keys regularly, at least every 90 days.

   Following image is a example of Oracle Cloud Guard problem remediation event.

   

Task 3: Remediate Oracle Cloud Guard Problem

1. Go to OCI Console and click Identity & Security.

2. Under Cloud Guard, click Problems.

3. Click one of the supported problem for auto rotation.

4. Click Mark as resolved and enter the following information in Comment section as per following format. You can add additional information as per your organization process along with following information separated by commas (,).

   • IAM Customer secret key is too old.

     accesskey_secret_ocid:<OCID of access key secret>,secretkey_secret_ocid:<OCID of secret key secret>,<additional comments>

     

   • API key is too old.

     api_secret_ocid:<OCID of api key secret>,<additional comments>

     

   • IAM Auth token is too old.

     auth_secret_ocid:<OCID of auth token secret>,<additional comments>

     

   • Password is too old.

     Note:

     • There is no required information to include in comments for this problem.
     • Password should be reset by the individual user by clicking Forgot password on next login. User should have valid email address to receive email notifications.

Task 4: Validate a New OCI IAM Credential and Email Notification

You will receive problem resolution email notification with details of rotated secret OCID and additional information.

Related Links

• Create and Deploy functions to OCI Functions

Acknowledgments

• Author - Dipesh Kumar Rathod (Master Principal Cloud Architect, Infrastructure)

• Contributor - Bhanu Prakash Lohumi (Senior Cloud Engineer, Infrastructure)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Enable Auto Rotation of Oracle Cloud Infrastructure Identity and Access Management Credentials

F93259-01

February 2024

Copyright © 2024, Oracle and/or its affiliates.