Use the CLI with Restricted Object Storage Buckets

Lawrence Gabriel
Solutions Architect

The Oracle Cloud Infrastructure CLI is ideal for configuring and working with Object Storage.

Oracle Cloud Infrastructure offers a variety of tools to help develop apps and manage infrastructure resources. The Oracle Cloud Infrastructure CLI is an Oracle-maintained Python tool that extends the core functionality of the Console; is compatible with Windows, Mac, or Linux hosts; and can be used for scripting without requiring SDK coding. Visit the official CLI documentation for details.

As part of a recent project, I used the CLI to upload large VMDK files to the Oracle Cloud Infrastructure Object Storage service so that I could create custom compute images from them. I was able to install the CLI on an admin host that had access to both the NFS datastores and the internet for connection to Object Storage.

For this post, I want to go beyond showing you how to set up the CLI and use an administrator API key. This post covers the other components of Oracle Cloud Infrastructure that you can use to configure a user that is allowed to use the CLI to upload objects only to a specific storage bucket.

Prepare

To track all the necessary values for the configuration files, create a plain text file. If you want to use different values, just ensure that the OCI Config Section and OCI CLI RC Section headers are the same. The CLI uses the header value to identify the profile name.

Following is an example of my text file:

## Basics ##
username=restricteduploader
groupname=RestrictedObjectUploads
compartment=RestrictedObjectStorage

## OCI Config Section ##
[RestrictedUploader]
key_file=/home/opc/.oci/oci_api_key.pem
fingerprint=
region=
user=
tenancy=
 
## OCI CLI RC Section ##
[RestrictedUploader]
compartment-id=
bucket-name=Uploads
namespace=
part-size=500
parallel-upload-count=10
 
## Public Key Section ##

Let's get started.

Install the CLI

  1. Open a terminal and run the installer script:

    bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

    The CLI is open source and hosted on GitHub. Modify the default installation options as needed.

  2. Restart the shell so that you can run commands:

    exec -l $SHELL

  3. Use the CLI to create an API key pair:

    oci setup keys

  4. Copy the API key fingerprint that is shown in the command output to your text file.

  5. Display the public API key:

    cat ~/.oci/oci_api_key_public.pem

  6. Copy the API public key to your text file.

Set Up Oracle Cloud Infrastructure

  1. Select a region in which to place the Object Storage bucket, and add that region to your text file.

  2. Create a user in the tenancy's root compartment and create an API key with the public key value from your text file.

  3. Copy the user OCID to your text file by using the Copy link.
  4. Create a group and add the user to it. This group will be referenced in the upcoming IAM policy.

  5. Create a compartment to house the Object Storage bucket. Copy the tenancy OCID and compartment OCID to your text file.

  6. Create an Object Storage bucket. Be sure to select the new compartment in the List Scope menu. Note that the namespace of the bucket is the tenancy's root compartment. Then, add the bucket name and namespace to your text file.

  7. Create an IAM policy that grants the new group only the permissions it needs. Our common IAM policies page has an example for letting users write objects to Object Storage buckets. The OBJECT_OVERWRITE permission is additionally required for multipart uploads. For more information, see IAM Policy Reference for Object Storage.

    Allow group RestrictedObjectUploads to read buckets in compartment RestrictedObjectStorage
    Allow group RestrictedObjectUploads to manage objects in compartment RestrictedObjectStorage where all {target.bucket.name='Uploads', any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT', request.permission='OBJECT_OVERWRITE'}}

Configure and Test the CLI

  1. On the CLI host, create the CLI configuration file from the OCI Config Section of your text file. For example:

    vi ~/.oci/config

    [RestrictedUploader]
    key_file=/home/opc/.oci/oci_api_key.pem
    fingerprint=c2:9d:24:ac:74:3d:5c:f2:ab:20:2e:c2:cd:2e:fc:fb
    region=us-phoenix-1
    user=ocid1.user.oc1..aaaaaaaa3iu6c4nlt7z5wtrhe5urqqf55s3woh5azv6eoys4utbabh2mhymq
    tenancy=ocid1.tenancy.oc1..aaaaaaaaifim3dm572fswbh6z7ipi4uvqoiw7nrmjqwfnbolyn4blyh4gjiq

  2. Use the CLI to fix the file permissions:

    oci setup repair-file-permissions --file ~/.oci/config

  3. On the CLI host, create the CLI RC file from the OCI CLI RC Section of your text file. For example:

    vi ~/.oci/oci_cli_rc

    [RestrictedUploader]
    compartment-id=ocid1.compartment.oc1..aaaaaaaa6hrtrukpweultpjt73573kkgjbqfw57rah6vk5myghnqhv3olwfq
    bucket-name=Uploads
    namespace=internallawrencegabriel
    part-size=50
    parallel-upload-count=10

  4. Test the upload:

    oci --profile RestrictedUploader os object put --file .oci/config
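A check worth running once the four steps above are done, written for this post rather than taken from it: a POSIX shell script that reads the profile back out of the two files, confirms the private key is not group- or world-readable, and, when the oci binary is installed, verifies that the restricted profile can upload an object but is denied object get and delete, which is what a policy granting only OBJECT_CREATE, OBJECT_INSPECT and OBJECT_OVERWRITE should produce. It assumes bucket-name and namespace come from the profile's oci_cli_rc defaults as in the post, and the config values it writes are constructed samples with placeholder OCIDs.

```shell
#!/bin/sh
# Added example, not from the original post. Offline: parse the profile out of
# config/oci_cli_rc and check the key mode. Live (only if oci exists): put works, get/delete denied.

# profile_value FILE PROFILE KEY -> prints the value of KEY inside [PROFILE].
profile_value() {
    awk -v section="[$2]" -v key="$3" '
        /^\[/ { in_section = ($0 == section); next }
        in_section && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# private_key_mode_ok FILE -> succeeds only when the group/other permission bits are all clear.
private_key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# make_demo_files -> writes constructed sample files into DEMO_DIR (placeholder
# OCIDs; the empty key file is deliberately left world-readable).
make_demo_files() {
    DEMO_DIR=$(mktemp -d)
    printf '%s\n' '[DEFAULT]' 'region=us-ashburn-1' '[RestrictedUploader]' \
        'key_file=/home/opc/.oci/oci_api_key.pem' 'region=us-phoenix-1' \
        'user=ocid1.user.oc1..EXAMPLEUSER' 'tenancy=ocid1.tenancy.oc1..EXAMPLETENANCY' \
        > "$DEMO_DIR/config"
    printf '%s\n' '[RestrictedUploader]' 'bucket-name=Uploads' \
        'namespace=examplenamespace' 'part-size=50' > "$DEMO_DIR/oci_cli_rc"
    : > "$DEMO_DIR/oci_api_key.pem"
    chmod 644 "$DEMO_DIR/oci_api_key.pem"
}

# live_upload_check PROFILE -> succeeds when put works and get/delete are denied.
# Bucket name and namespace are taken from the profile's oci_cli_rc defaults.
live_upload_check() {
    name="restricted-check-$$"
    echo probe > "/tmp/$name"
    oci --profile "$1" os object put --file "/tmp/$name" --name "$name" >/dev/null || return 1
    # OBJECT_READ and OBJECT_DELETE are not in the policy, so both of these must fail.
    oci --profile "$1" os object get --name "$name" --file /dev/null >/dev/null 2>&1 && return 1
    oci --profile "$1" os object delete --name "$name" --force >/dev/null 2>&1 && return 1
    rm -f "/tmp/$name"
}

make_demo_files
echo "region: $(profile_value "$DEMO_DIR/config" RestrictedUploader region)"
echo "bucket: $(profile_value "$DEMO_DIR/oci_cli_rc" RestrictedUploader bucket-name)"
private_key_mode_ok "$DEMO_DIR/oci_api_key.pem" || echo "key too open: run oci setup repair-file-permissions"
if command -v oci >/dev/null 2>&1; then live_upload_check RestrictedUploader && echo "policy holds"
else echo "oci not installed; skipping live check"; fi
```

Point the two profile_value calls at ~/.oci/config and ~/.oci/oci_cli_rc to check a real host; the live check leaves nothing behind only if the upload itself fails, since the restricted user cannot delete the probe object.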

Done!

Large multipart uploads to Object Storage are one of the many things that the CLI can help you do. For example, you can also use the CLI to change the display name of resources in a tenancy, because not all resources can be renamed via the Console.

If you don't have an Oracle Cloud Infrastructure account, you can sign up for a free trial with US$300 in free credits.
