We are enhancing our federation support by enabling users who are federated with Okta to directly access the Oracle Cloud Infrastructure SDK and CLI.
Federation enables you to use identity management software - often an existing identity management solution that is integrated with your corporate directory - to manage users and groups while giving them access to the Oracle Cloud Infrastructure Console, CLI, and SDK. If you're an Okta user, that means you can use the same set of credentials in the Oracle Cloud Infrastructure web console as well as in long-running, unattended CLI or SDK scripts. Users who are members of the Okta groups that you select are synchronized from Okta to Oracle Cloud Infrastructure. You control which Okta users have access to Oracle Cloud Infrastructure, and you can consolidate all user management in Okta. To use this new feature, follow the setup process described in the documentation.
Following is an example cost-management scenario that is greatly simplified by this feature. Suppose that you want to use the SDK to run a Python script that finds and terminates compute instances that don't have the CostCenter cost tracking tag. Instead of creating a local Oracle Cloud Infrastructure user, you can set up a user in Okta to run this script. You would follow these steps to enable this scenario:
If you do not have an existing federation with Okta, follow the instructions in the white paper, Oracle Cloud Infrastructure Okta Configuration for Federation and Provisioning. This paper includes instructions for both setting up your federation and provisioning with SCIM.
If you have an existing federation with Okta with group mappings that you want to maintain, you can add SCIM provisioning via the instructions in our documentation.
Managing all your users from your identity provider is a more scalable, manageable, and secure way to manage your user identities. Be sure to follow the principle of least privilege by creating an Okta user and associating that user with only the Okta groups that they need to do their job.
Create a local Oracle Cloud Infrastructure group that will be used for the task and ensure that it has a policy that enables just the access control needed for the task. Consider setting up a group specifically for the type of administrator that you want (for example, compute instances administrator). For a detailed explanation of best practices in setting up granular groups and access policies, see the Oracle Cloud Infrastructure Security white paper. You can also create the group when you map it (next step).
Follow the instructions on adding groups and users for tenancies federated with Okta, and ensure that you map the correct group from Okta to the equivalent group in Oracle Cloud Infrastructure. You will know that you succeeded if you see users created in your tenancy from Okta (there is a filter that allows you to see only federated users).
Now that the Okta user exists as a provisioned user in Oracle Cloud Infrastructure, you must create an API key pair and upload it to the user. Each user should have their own key pair. For details, see the SDK setup instructions.
As a final check, ensure that the user has the capability to use API keys. You can also set the user's capabilities to use only API keys for the SDK and not the web console.
Now you've set up the Okta user to use the SDK and run scripts that the Oracle Cloud Infrastructure user has access to.
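The cost-management script from the scenario above, as an added example that is not part of the original post or the OCI SDK itself: it authenticates with the API key uploaded to the Okta-provisioned user (read from ~/.oci/config), lists the compute instances in a compartment, and reports those with no CostCenter tag. The tag-check logic is separated from the SDK calls so it can be exercised on constructed instance records; the instance OCIDs, the tag namespace, the assumption that the tag may live in either freeform or defined tags, and the use of the tenancy OCID as the compartment are all assumptions of this example.

```python
"""Find compute instances that lack a CostCenter tag (example code, not the post's own)."""
from dataclasses import dataclass, field

try:
    import oci  # OCI Python SDK; needed only for the live run at the bottom
except ImportError:  # lets the tag-check logic import without the SDK installed
    oci = None

TAG_KEY = "CostCenter"  # the cost-tracking tag the scenario looks for


@dataclass
class InstanceLike:
    """Minimal stand-in for oci.core.models.Instance (constructed for this example)."""
    id: str
    display_name: str
    lifecycle_state: str
    freeform_tags: dict = field(default_factory=dict)
    defined_tags: dict = field(default_factory=dict)


def has_tag(instance, key=TAG_KEY):
    """True if key is set as a freeform tag or in any defined-tag namespace.
    Assumption: an empty tag value does not count as tagged."""
    if (instance.freeform_tags or {}).get(key):
        return True
    return any((ns or {}).get(key) for ns in (instance.defined_tags or {}).values())


def untagged_instance_ids(instances, key=TAG_KEY):
    """IDs of instances missing the tag; already terminating/terminated ones are skipped."""
    return [i.id for i in instances
            if i.lifecycle_state not in ("TERMINATING", "TERMINATED") and not has_tag(i, key)]


def terminate_untagged(compute, compartment_id, dry_run=True):
    """Live version: compute is an oci.core.ComputeClient built from the federated
    user's API key. Returns the IDs acted on; dry_run only reports them."""
    instances = oci.pagination.list_call_get_all_results(
        compute.list_instances, compartment_id).data
    targets = untagged_instance_ids(instances)
    for instance_id in targets:
        if dry_run:
            print(f"would terminate {instance_id}")
        else:
            compute.terminate_instance(instance_id)
    return targets


if __name__ == "__main__":
    config = oci.config.from_file()  # user OCID, fingerprint and key_file from the API key step
    terminate_untagged(oci.core.ComputeClient(config), config["tenancy"], dry_run=True)
```

Run it first with dry_run=True and confirm the reported list matches what the Okta-mapped group's policy is meant to cover before switching to a real termination run.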
This feature streamlines how Okta users can be used with Oracle Cloud Infrastructure and especially the CLI and SDK. Stay tuned for future feature announcements regarding federation.