IDCS Users Can Now Use the Oracle Cloud Infrastructure SDK and CLI

We're announcing an enhancement to our federation capabilities using Oracle Identity Cloud Service. Available today, users who are federated with IDCS can directly access the Oracle Cloud Infrastructure SDK and CLI.

This enhancement supports a broad range of use cases, including simpler governance and management. You can now use an IDCS user for all CLI access. For example, IDCS users can write scripts that automate common tasks with the CLI and integrate OCI tasks with the other infrastructure tools and systems you use. As another example, if you want a script that copies files to Object Storage, you can now run it as an IDCS user instead of creating a local Oracle Cloud Infrastructure user. As a result, you greatly reduce the number of users that you have to secure and manage.

Federation enables you to use identity management software to manage users and groups. All tenancies created after December 2017 are automatically federated with IDCS. If you're an IDCS user, that means you can use the same set of credentials across all Oracle Cloud solutions, including Oracle Cloud Applications and Oracle Cloud Infrastructure. In addition, all users that are members of IDCS groups that are mapped to Oracle Cloud Infrastructure groups are synchronized from IDCS to Oracle Cloud Infrastructure. This synchronization enables you to control which IDCS users have access to Oracle Cloud Infrastructure and to consolidate all user management in IDCS. To take advantage of this new feature, follow the setup process described in Upgrading Your Oracle Identity Cloud Service Federation.

Next, I'd like to give an example of a cost management scenario that is greatly simplified by this feature. Let's say you want to run a Python script, using the SDK, that finds and terminates compute instances that don't have the CostCenter cost tracking tag. Instead of creating a local Oracle Cloud Infrastructure user, you can set up a user in IDCS to run this script. You would follow these steps to enable this scenario:

Step 1: Ensure that your federation has been upgraded

If you haven't already followed the setup process described in Upgrading Your Oracle Identity Cloud Service Federation, do so now.

Step 2: Set up the user in IDCS and associate that user with the correct groups

Managing all your users from your identity provider is more scalable, manageable, and secure. Be sure to follow the principle of least privilege by creating an IDCS user and associating that user with only the IDCS groups that they need to do their job.

Step 3: Set up the Oracle Cloud Infrastructure group

Create a local Oracle Cloud Infrastructure group that will be used for this task, and ensure that it has a policy that grants only the access it needs to do the work. Consider setting up a group specifically for the type of administrator you want (for example, compute instances administrator). For a detailed explanation of best practices in setting up granular groups and access policy, see the Oracle Cloud Infrastructure Security white paper. You can also create the group when you map it.

Step 4: Map the IDCS group to the Oracle Cloud Infrastructure group

Follow the instructions on adding groups and users for tenancies federated with Oracle Identity Cloud Service, and ensure that you map the correct group from IDCS to the equivalent group in Oracle Cloud Infrastructure. You will know that you succeeded if you see users created in your tenancy from IDCS (the console has a filter that shows only federated users). You can also create groups as you map them.

Step 5: Set up the user with an API key

Now that the IDCS user exists as a provisioned user in Oracle Cloud Infrastructure, you must create an API key pair and upload it to the user. Each user should have their own key pair. See the SDK setup instructions for details.

Step 6: Check the user's capabilities 

As a final check, ensure that the user has the capability to use the CLI or SDK (that is, API keys). You could also restrict the user's capabilities so that the user can use only the SDK and CLI and not the web console.

Now you have set up the IDCS user so that they can use the SDK and run scripts with the permissions granted to the mapped Oracle Cloud Infrastructure group.
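The cost management scenario from the introduction, carried through the steps above, as an added example that is not part of the original post or Oracle's own code. It assumes a hypothetical defined-tag namespace Finance for the CostCenter tag, a hypothetical profile name idcs-automation in ~/.oci/config whose `user` entry is the OCID of the IDCS-provisioned user and whose `key_file` is the private half of the key pair uploaded in Step 5, and constructed sample instance records (the OCIDs are made up) so the selection logic can be exercised without a tenancy. The `oci` package is only imported inside the function that talks to the tenancy.

```python
"""
Find, and optionally terminate, compute instances that lack a cost-tracking tag.

Added example for this post, not Oracle's code. Hypothetical assumptions:
  - the cost-tracking tag is the defined tag Finance.CostCenter;
  - a profile in ~/.oci/config whose `user` is the OCID of the IDCS-provisioned
    user (oracleidentitycloudservice/...) and whose `key_file` is that user's
    private API key;
  - the `oci` package (OCI Python SDK) is installed where the script is run
    against a tenancy; the tag logic below runs without it.
"""
import os
import stat
from dataclasses import dataclass, field

TAG_NAMESPACE = "Finance"                    # hypothetical defined-tag namespace
TAG_KEY = "CostCenter"
SKIP_STATES = {"TERMINATING", "TERMINATED"}  # nothing left to terminate here


@dataclass
class Instance:
    """Minimal stand-in for oci.core.models.Instance (only the fields we read)."""
    id: str
    display_name: str
    lifecycle_state: str
    defined_tags: dict = field(default_factory=dict)  # {namespace: {key: value}}


def has_cost_center(defined_tags, namespace=TAG_NAMESPACE, key=TAG_KEY):
    """True only if the tag exists with a non-empty value; a blank value is
    treated as missing so an empty CostCenter cannot dodge the sweep."""
    value = (defined_tags or {}).get(namespace, {}).get(key)
    return value is not None and str(value).strip() != ""


def instances_missing_tag(instances, namespace=TAG_NAMESPACE, key=TAG_KEY):
    """Select instances that still exist and lack the tag."""
    return [
        inst for inst in instances
        if inst.lifecycle_state not in SKIP_STATES
        and not has_cost_center(inst.defined_tags, namespace, key)
    ]


def mode_is_private(mode):
    """Reject a private key file that is readable or writable by group/other."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def terminate_untagged(compartment_id, profile="DEFAULT", dry_run=True):
    """Run the sweep against a real tenancy and return the OCIDs selected.
    Defaults to a dry run; pass dry_run=False to actually terminate."""
    import oci  # imported lazily so the pure functions above need no SDK

    config = oci.config.from_file(profile_name=profile)  # user= federated user's OCID
    oci.config.validate_config(config)
    key_path = os.path.expanduser(config["key_file"])
    if not mode_is_private(os.stat(key_path).st_mode):
        raise PermissionError(f"{key_path} must not be group/world accessible (chmod 600)")

    compute = oci.core.ComputeClient(config)
    instances = oci.pagination.list_call_get_all_results(
        compute.list_instances, compartment_id).data
    targets = instances_missing_tag(instances)
    for inst in targets:
        if dry_run:
            print(f"would terminate {inst.display_name} ({inst.id})")
        else:
            compute.terminate_instance(inst.id, preserve_boot_volume=True)
    return [inst.id for inst in targets]


# Constructed sample input standing in for list_instances() output (made-up OCIDs).
SAMPLE_INSTANCES = [
    Instance("ocid1.instance.oc1..tagged", "web-1", "RUNNING",
             {"Finance": {"CostCenter": "4711"}}),
    Instance("ocid1.instance.oc1..untagged", "scratch-1", "RUNNING", {}),
    Instance("ocid1.instance.oc1..gone", "old-1", "TERMINATED", {}),
    Instance("ocid1.instance.oc1..blank", "test-2", "STOPPED",
             {"Finance": {"CostCenter": ""}}),
]


if __name__ == "__main__":
    for inst in instances_missing_tag(SAMPLE_INSTANCES):
        print(f"missing {TAG_NAMESPACE}.{TAG_KEY}: {inst.display_name} ({inst.id})")
    # Against a tenancy (dry run), with the hypothetical profile from Step 5:
    # terminate_untagged("ocid1.compartment.oc1..example", profile="idcs-automation")
```

Run as-is, the script reports the two sample instances that lack a usable CostCenter value and skips the already terminated one. The permission check on the key file enforces the last tip in this post: the private key only ever lives on the client that runs the script, and the script refuses to run if that file is readable by anyone else. Keeping the default as a dry run means a misconfigured tag namespace produces a list to review rather than a wave of terminations.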

Tips

  • You know that the user is federated if the user name is prefixed with the name of the identity provider. By default, IDCS is called oracleidentitycloudservice. For example, oracleidentitycloudservice/Martin.
  • If no users are being replicated, verify that you've followed the setup procedure and mapping between the groups. If that doesn’t work, visit My Oracle Support to open a support ticket.
  • Only users assigned to mapped groups are replicated. If you see some users but not the IDCS user that you want, that user doesn't belong to a group that has been mapped from IDCS to Oracle Cloud Infrastructure.
  • To use the SDK or CLI, the client that runs the CLI or SDK must hold the private key that matches the public key uploaded to the user. Secure that client machine and key file appropriately to prevent inappropriate access.

Conclusion

Stay tuned for future feature announcements regarding federation. We plan to support other federation providers, and we'll keep you informed as we make updates.

Comments ( 1 )
  • Subrat Wednesday, December 26, 2018
    Hi,

    Thanks for the nice description.

    For - Step 5: Set up the user with an API key

    Now that the IDCS user exists as a provisioned user in Oracle Cloud Infrastructure, you must create an API key pair and upload it to the user. Each user should have their own key pair. See the SDK setup instructions for details.

    => Upload of API key is at IDCS or at OCI? In OCI I see the option, but those users are specific to OCI and not federated users.

    Kindly share the steps to upload API keys for the users at IDCS.