
Use the CLI with Restricted Object Storage Buckets

Lawrence Gabriel
Solutions Architect

The Oracle Cloud Infrastructure CLI is ideal for configuring and working with Object Storage.

Oracle Cloud Infrastructure offers a variety of tools to help develop apps and manage infrastructure resources. The Oracle Cloud Infrastructure CLI is an Oracle-maintained Python tool that extends the core functionality of the Console; is compatible with Windows, Mac, or Linux hosts; and can be used for scripting without requiring SDK coding. Visit the official CLI documentation for details.

As part of a recent project, I used the CLI to upload large VMDK files to the Oracle Cloud Infrastructure Object Storage service so that I could create custom compute images from them. I was able to install the CLI on an admin host that had access to both the NFS datastores and the internet for connection to Object Storage.

For this post, I want to go beyond showing you how to set up the CLI and use an administrator API key. This post covers the other components of Oracle Cloud Infrastructure that you can use to configure a user that is allowed to use the CLI to upload objects only to a specific storage bucket.


To track all the necessary values for the configuration files, create a plain text file. If you want to use different values, just ensure that the OCI Config Section and OCI CLI RC Section headers are the same. The CLI uses the header value to identify the profile name.

Following is an example of my text file:

## Basics ##

## OCI Config Section ##
## OCI CLI RC Section ##
## Public Key Section ##

Let's get started.

Install the CLI

  1. Open a terminal and run the installer script:

    bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

    The CLI is open source and hosted on GitHub. Modify the default installation options as needed.

  2. Restart the shell so that you can run commands:

    exec -l $SHELL
  3. Use the CLI to create an API key pair.

    oci setup keys
  4. Copy the API key fingerprint that is shown in the command output to your text file.

  5. Record the public API key.
    cat ~/.oci/oci_api_key_public.pem
  6. Copy the API public key to your text file.

Set Up Oracle Cloud Infrastructure

  1. Select a region in which to place the Object Storage bucket, and add that region to your text file.

  2. Create a user in the tenancy's root compartment and create an API key with the public key value from your text file.

  3. Copy the user OCID to your text file by using the Copy link.
  4. Create a group and add the user to it. This group will be referenced in the upcoming IAM policy.

  5. Create a compartment to house the Object Storage bucket. Copy the tenancy OCID and compartment OCID to your text file.

  6. Create an Object Storage bucket. Be sure to select the new compartment in the List Scope menu. Note that the namespace of the bucket is the tenancy's root compartment. Then, add the bucket name and namespace to your text file.

  7. Create an IAM policy that grants restrictive permission to the new group. Our common IAM policies page has an example for letting users write objects to Object Storage buckets. The OBJECT_OVERWRITE permission is additionally required for multi-part uploads. For more information, see IAM Policy Reference for Object Storage.
    Allow group RestrictedObjectUploads to read buckets in compartment RestrictedObjectStorage
    Allow group RestrictedObjectUploads to manage objects in compartment RestrictedObjectStorage where all {target.bucket.name='Uploads', any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT', request.permission='OBJECT_OVERWRITE'}}
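
A policy this narrow is worth testing from the denied side as well as the allowed side. The following script is an added example, not part of the original post: it assumes the RestrictedUploader profile configured in the next section and the Uploads bucket from the policy above, and the `policy-probe-` object name prefix is made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Confirms that the restricted profile
# can create and list objects but cannot read them back or delete them.
# Assumption: the object name prefix "policy-probe-" is illustrative only.

FAILURES=0

# probe WANT LABEL CMD...: run CMD and compare the outcome with WANT (allowed|denied).
# Any non-zero exit counts as "denied"; the put probe runs first, so a network or
# authentication problem shows up there as a FAIL instead of a false "denied".
probe() {
  want=$1; label=$2; shift 2
  if "$@" >/dev/null 2>&1; then got=allowed; else got=denied; fi
  if [ "$got" = "$want" ]; then
    echo "PASS  $label ($got)"
  else
    echo "FAIL  $label: expected $want, got $got"
    FAILURES=$((FAILURES + 1))
  fi
}

# verify_upload_only PROFILE BUCKET FILE: exit status is the number of failed probes
verify_upload_only() {
  profile=$1; bucket=$2; file=$3; name="policy-probe-$$"
  FAILURES=0
  probe allowed "put    (OBJECT_CREATE)" \
    oci --profile "$profile" os object put --bucket-name "$bucket" --file "$file" --name "$name"
  probe allowed "list   (OBJECT_INSPECT)" \
    oci --profile "$profile" os object list --bucket-name "$bucket"
  probe denied "get    (needs OBJECT_READ)" \
    oci --profile "$profile" os object get --bucket-name "$bucket" --name "$name" --file -
  probe denied "delete (needs OBJECT_DELETE)" \
    oci --profile "$profile" os object delete --bucket-name "$bucket" --object-name "$name" --force
  return "$FAILURES"
}
```

Run it as `verify_upload_only RestrictedUploader Uploads /etc/hostname` after sourcing the file. The probe object stays in the bucket, because the restricted user cannot delete it; remove it with an administrator profile.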

Configure and Test the CLI

  1. On the CLI host, create the CLI configuration file from the OCI Config Section of your text file. For example:
    vi ~/.oci/config
  2. Use the CLI to fix the file permissions:
    oci setup repair-file-permissions --file ~/.oci/config
  3. On the OCI CLI host, create the CLI RC file from the OCI CLI RC Section of your text file. For example:
    vi ~/.oci/oci_cli_rc
  4. Test the upload.
    oci --profile RestrictedUploader os object put --file .oci/config
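
Before the test upload, it helps to confirm the two things the steps above depend on: the same profile header in both files, and owner-only permissions on the config file and private key. This pre-flight check is an added example, not part of the original post; it assumes both files live in one directory (normally `~/.oci`) and that the config file names the private key with a `key_file` entry.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes config and oci_cli_rc sit in
# one directory and use INI-style [PROFILE] headers, as the post describes.

# has_profile FILE PROFILE: succeeds if FILE has the exact header line [PROFILE]
has_profile() {
  grep -qxF "[$2]" "$1" 2>/dev/null
}

# file_mode FILE: print octal permission bits (GNU stat first, then BSD stat)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_file_for FILE PROFILE: print the key_file value from that profile's section
key_file_for() {
  awk -v want="[$2]" '
    /^\[/ { in_sec = ($0 == want); next }
    in_sec && /^[ \t]*key_file[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# check_profile DIR PROFILE: print findings; exit status is the number of problems
check_profile() {
  dir=$1; profile=$2; problems=0
  for f in "$dir/config" "$dir/oci_cli_rc"; do
    if ! has_profile "$f" "$profile"; then
      echo "MISSING: no [$profile] header in $f"
      problems=$((problems + 1))
    fi
  done
  key=$(key_file_for "$dir/config" "$profile")
  case $key in "~/"*) key=$HOME/${key#??} ;; esac   # expand a leading ~/
  for f in "$dir/config" "$key"; do
    if [ ! -f "$f" ]; then
      echo "MISSING: file '$f'"
      problems=$((problems + 1))
    elif [ "$(file_mode "$f")" != 600 ]; then
      echo "PERMS: $f is mode $(file_mode "$f"); expected 600"
      problems=$((problems + 1))
    fi
  done
  return "$problems"
}
```

Call it as `check_profile ~/.oci RestrictedUploader`; a zero exit status means both headers match and both files are mode 600.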


Uploading large, multipart objects to Object Storage is one of the many things that the CLI can help you do. For example, you can also use the CLI to change the display name of resources in a tenancy, because not all resources can be renamed via the Console.

If you don't have an Oracle Cloud Infrastructure account, you can sign up for a free trial with US$300 in free credits.


Comments ( 2 )
  • Liz Hall Monday, July 27, 2020
    Great article. I'm following your steps, but there is one piece that is not clear to me: namespace. I have used your names for all the objects.

    Where did you create the namespace?

    The test fails with namespace not found.

    Thank you,
  • Lawrence Gabriel Monday, July 27, 2020
    @Liz, the Object Storage namespace for your tenancy is automatically created when your tenancy is provisioned.

    Your tenancy namespace can be found multiple ways.


    In this example, Step #6 of the Set Up Oracle Cloud Infrastructure section has a screenshot that shows the namespace as an attribute of the bucket.