This publication empowers the Cloud Shell user to easily generate OCI Native Credentials. This post further simplifies “Discover OCI Native Credential with ease using Cloud Shell,” by Jameson White, which was inspired by “Autonomous Database Now Supports Accessing the Object Storage with OCI Native Authentication” by Can Tuzla. I will guide you through using this easy-to-use OCI command to create the credential and execute it directly in the Autonomous Database of your choice.

What is an OCI Native Credential?

To establish a cloud storage connection from Data Studio to the Oracle Cloud Infrastructure (OCI) Object Storage service or other OCI-related services, you must configure the cloud storage location with your OCI authentication details. This includes the User Oracle Cloud Identifier (OCID), Tenancy OCID, Private Cryptographic Key, and Fingerprint.

Why do I need an OCI Native Credential?

Navigating the complexities of Oracle Cloud Infrastructure credential management is essential for secure and efficient cloud operations.

How do I generate an OCI Native Credential?

There’s a new script located within the OCI CLI (Cloud Shell) that should make it easier for the user to create Native Credentials. The script is further enhanced to allow the user to choose their Autonomous Database then execute the scripts therein.

Since the script is located in the default PATH, specifically at /usr/local/bin, a user can execute it by simply typing ‘adb-create-cred.sh’ in the terminal. The script provides prompts that guide the user through the credential creation process and then offers an opportunity to execute commands against their Autonomous Database. It utilizes basic OCI commands in bash script form, which are publicly documented. Our script simplifies the navigation of these commands. For additional guidance, please look at the Oracle Documentation, most notably “Create Credentials to Access Cloud Services in Cloud Shell.”

We strongly advocate for utilizing OCI Native Credentials as the preferred method over AuthTokens. However, recognizing certain legacy scenarios where AuthTokens are still required, users are given the option to generate them if needed (see example below). 

Log in to your Tenancy, then open the Cloud Shell.

Please ensure that you log in to the Tenancy containing both your desired Object Storage and Autonomous Databases for seamless connectivity. Additionally, any dependent services should also be within the same Tenancy for optimal functionality of this script.

access the Cloud Shell

Run ‘adb-create-cred.sh’

The script performs several actions automatically. It generates a Private Key, a Public Key, and a Fingerprint, then uploads them to your OCI Cloud Profile. Additionally, it creates two files: a JSON file and a SQL script for execution in your Autonomous Database.
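The key, fingerprint and SQL steps described above, done by hand, as an added example (this is not the contents of adb-create-cred.sh). The function name, file names, and OCIDs are placeholders assumed for illustration; the key is not uploaded to your profile here, and the JSON file is not produced.

```shell
#!/usr/bin/env bash
# Added example: manual equivalent of the key / fingerprint / SQL steps.
# Function name, file names and OCIDs are constructed placeholders.
set -euo pipefail

# Runs in a subshell "( ... )" so the restrictive umask does not leak to the caller.
make_native_cred() (
  local dir="$1" user_ocid="$2" tenancy_ocid="$3" cred_name="$4"
  local key="$dir/oci_api_key.pem" pub="$dir/oci_api_key_public.pem"
  local sql="$dir/create_cred.sql" fp key_body

  umask 077                      # key and SQL file readable by the owner only
  mkdir -p "$dir"
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl rsa -in "$key" -pubout -out "$pub" 2>/dev/null

  # OCI API key fingerprint: MD5 over the DER-encoded public key,
  # printed as colon-separated hex pairs.
  fp=$(openssl rsa -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl md5 -c | sed 's/^.*= *//')

  # DBMS_CLOUD takes the key body on one line, without the PEM BEGIN/END lines.
  key_body=$(grep -v '^-----' "$key" | tr -d '\n')

  cat > "$sql" <<EOF
BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => '$cred_name',
    user_ocid       => '$user_ocid',
    tenancy_ocid    => '$tenancy_ocid',
    private_key     => '$key_body',
    fingerprint     => '$fp');
END;
/
EOF
  printf '%s\n' "$fp"            # return the fingerprint to the caller
)
```

The generated SQL file carries the private key in clear text, so handle and delete it with the same care as the key file itself.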

 

run the command adb-create-cred.sh

To create an AI Profile for your Autonomous Database, enabling access to generative AI models and tools such as Select AI, enter ‘Y.’ Entering ‘N’ will skip profile creation.

If you wish to execute the scripts in your Autonomous Database, choose ‘Y’. However, selecting ‘N’ is also acceptable. In that case, you can simply copy both scripts into your preferred client tool for execution, which might be necessary in scenarios like using a Virtual Cloud Network (VCN) or passing credentials to another database user.

Please note that generating a compartment list could take some time, depending on your Tenancy’s size and access permissions. Your choice will result in a list of Compartments containing Autonomous Databases accessible to you.

Subsequently, you’ll receive a list of Autonomous Databases (ADB-S) within the chosen Compartment. After selecting the desired ADB-S, the script sets up your Wallet file. You’ll then be prompted for your username and password to connect to the Autonomous Database where you want the credential scripts executed.

The script provides feedback and allows you to run these scripts on additional ADBs.

AI Profile (optional)

The script uses the DBMS_CLOUD_AI package to create an AI profile script that can be executed by the Autonomous Database user. It allows the user to choose a Large Language Model (LLM), thus granting the user permission to perform tasks such as generating, running, and explaining SQL. Additionally, it enables retrieval augmented generation and natural language-based interactions, including chatting with LLMs.

AuthToken/Swift Credential (optional)

If you’d like to include an AuthToken, though we emphasize the use of OCI Native Credentials, you can add the --all flag to the script to generate the Swift/AuthToken Credential.

example: adb-create-cred.sh --all

Additional features can be found by using the --help option

example: adb-create-cred.sh --help

Cloud Shell help option

If you would like to specify a region, compartment name, compartment OCID, database user name, database name, credential name, or AI profile name, please consider the example above. It’s worth noting that if you specify a compartment (by name or OCID), it will likely speed up access to your list of accessible Autonomous Databases on very large Tenancies. The --database option requires --region and --compartment (or compartment_ocid), as it depends on those values to be recognized.