Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Resolve the ‘Cannot show information: Failed to get API session’ Error when using the OCI CLI Network Commands

Introduction

Encountering the Cannot show information: Failed to get API session error when using Oracle Cloud Infrastructure Command Line Interface (OCI CLI) network commands on Oracle Cloud Infrastructure (OCI) Compute instance can be frustrating, especially when you are managing critical network configurations.

In this tutorial, we will walk you through the common cause of this issue and provide step-by-step instructions to resolve it.

When Does This Error Occur?

The sudo oci-network-config show and sudo oci-network-config configure commands are part of the OCI networking utilities. These commands are used to manage and troubleshoot networking configurations in environments that interact with OCI.

• sudo oci-network-config show

  • Purpose: The sudo oci-network-config show command is used to display the current networking configuration on an OCI Compute instance.

  • Key Use Cases:

    • Troubleshoot network issues.
    • Verify the current Virtual Network Interface Card (VNIC) configuration, such as private IPs, public IPs, subnet information, and VLANs.
    • Ensure that the instance has the correct IP and routing configurations in a multi-cloud or hybrid setup.

• sudo oci-network-config configure

  • Purpose: The sudo oci-network-config configure command is used to reconfigure the networking settings of an instance, typically to make changes or to restore network connectivity.

  • Key Use Cases:

    • Attach or detach secondary VNICs.
    • Configure new IP addresses on existing VNICs.
    • Dynamically modify the network settings after updates to OCI resources like subnets or VLANs.
    • Ensure that instances comply with updated OCI network security rules or routing changes.

For example: Run the sudo oci-network-config show command and we will get the following error: Cannot show information: Failed to get API session.

1. Run the sudo oci-network-config show command to retrieve all network configurations from the instance.
2. Note the error: Cannot show information: Failed to get API session. The information regarding the VNICs of the instance will not be provided on the Operating System level and not on the OCI level.

This is not possible as we will get the same error when we run the command oci-network-config show that is Cannot show information: Failed to get API session.

Why are we getting this error?

• A VCN is not an object owned by an instance, which means the instance cannot directly access VCN information without proper authentication.

• To enable the instance to fetch VCN details from the API, you must create a dynamic group that includes the instance and assign a policy granting the necessary permissions.

To enable an OCI Compute instance to fetch VCN details through API, follow the steps:

1. Create a Dynamic Group: This dynamic group includes the instance(s) that require access to the API. You define the group using rules based on attributes like instance OCID or compartment.

2. Assign Permissions with a Policy: You need to create an Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) policy that grants the dynamic group permission to read or manage VCN-related resources. For example:

   allow dynamic-group <dynamic-group-name> to read virtual-network-family in compartment <compartment-name>
   

3. Use Instance, Principals, for Authentication: Instances in the dynamic group authenticate directly using their identity, allowing secure API access without embedding credentials in the application. This method simplifies security management while maintaining robust access control.

Objectives

• Resolve the Cannot show information: Failed to get API session error when using the OCI CLI network commands on OCI Compute instance.

Prerequisites

• Oracle Linux instance running inside OCI.

Resolve the Error

• Go to the OCI Console.

  1. Click the hamburger menu (≡), navigate to Compute, Instances and select the compute instance for which you want to run the following commands sudo oci-network-config show and sudo oci-network-config configure.
  2. Click Show to display the instance OCID value.
  3. Click Copy the copy the instance OCID value.

  

  1. Click the hamburger menu (≡), navigate to Identity, Domains, Default domain and click Dynamic groups.
  2. Click Create dynamic group.

  

  1. Enter a Name for the dynamic group. In this example, we will use sriov-test-04.
  2. Click Rule builder.

  

  1. Select Instance OCID in Match instances with.
  2. Enter the value of instance OCID in Value.
  3. Click Add rule.

  

  1. Note that a new rule is added to the group.
  2. Click Create.

  

• Now that we have the group to which the instance belongs, we need to create a policy within the compartments containing the instance. This policy will allow instances in the group to perform operations on VCN objects, such as subnets.

  1. Click the hamburger menu (≡), navigate to Identity and click Compartments.
  2. Click the root compartment. In this example, it is oraseemeaocids4.

  

  1. Note that we are now in the child compartments.
  2. Click the next child compartment. In this example, it is NETWORK.

  

  1. Note that we are now in the next child compartments.
  2. Click the next child compartment. In this example, it is Iwan.

  

  1. Make sure the right compartment is selected.
  2. Click Policies.
  3. Click Create Policy.

  

• In Create Policy, enter the following information.

  1. Enter a Name for the policy. In this example, we will use allow-sriov-test-04-to-vcn.
  2. Enter a Description for the policy. In this example, we will use allow-sriov-test-04-to-vcn.
  3. Select Show manual editor.
  4. Enter the following policy: allow dynamic-group sriov-test-04 to manage all-resources in compartment Iwan.
  5. Click Create.

  

• Note that the new policy statement inside the newly created policy.

  

• Now that we have allowed the instance to perform API calls through OCI CLI to the VCN.

  1. Run the sudo oci-network-config show command to retrieve all network configurations from the instance on the OCI level.
  2. Note that the error is now gone and OCI-level network output is provided.
  3. Note that the Operating System level network output is also provided after the OCI level network output.

  

Acknowledgments

• Author - Iwan Hoogendoorn (OCI Network Specialist)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Resolve the 'Cannot show information: Failed to get API session' Error when using the OCI CLI Network Commands

G25212-01

January 2025

Copyright ©2025, Oracle and/or its affiliates.