This publication empowers the Cloud Shell user to discover the information necessary to generate OCI Native Credentials. By leveraging the oci tools at your disposal, we aim to light the way to the data you are looking for. Inspired by “Autonomous Database Now Supports Accessing the Object Storage with OCI Native Authentication” by Can Tuzla, this post builds upon his foundational insights. It may also provide additional content that would be useful to “Troubleshooting DBMS_CLOUD access to object storage” by Keith Laker. I will guide you through utilizing simple oci commands to retrieve these values, streamlining the process of credential creation.

Please look here “OCI Script to Jumpstart Credential Creation” for an even easier path to Credential Creation.

Why do I need to “easily” generate OCI Native Credentials?

Navigating the complexities of Oracle Cloud Infrastructure credential management is essential for secure and efficient cloud operations. This guide simplifies these processes, enabling users to seamlessly generate OCI Native Credentials. The end goal is to simplify the somewhat complicated process highlighted in “Create Oracle Cloud Infrastructure Native Credentials.”

This is the Information we’re looking for.

To connect Data Studio to Oracle Cloud Infrastructure (OCI) Object Storage Service, you need to set up the cloud storage location using your OCI authentication information, so getting this correct is crucial.

DBMS_CLOUD.CREATE_CREDENTIAL
  ( credential_name IN VARCHAR2,
    user_ocid IN VARCHAR2,
    tenancy_ocid IN VARCHAR2,
    private_key IN VARCHAR2,
    fingerprint IN VARCHAR2 );

Log into your Tenancy, then open the Cloud Shell.

Click here to access the Cloud Shell

Configure OCI Credentials in Cloud Shell.

This piece assumes that you have never ran ‘oci setup config.’ Simply review, then copy and paste these blocks of code in your cloud shell to ease setup. 

If you have already ran through oci setup config properly you can skip this section.

mkdir ~/.oci ; chmod 700 ~/.oci
# Generate your Private Key, change its permissions, then create your Public Key
openssl genrsa -out ~/.oci/oci_api_key.pem 2048
chmod go-rwx ~/.oci/oci_api_key.pem
openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key.pem.pub
chmod go-rwx ~/.oci/oci_api_key.pem.pub
# Using the following will allow you to run oci setup config with ease.
echo -e "\n${OCI_CS_USER_OCID}\n${OCI_TENANCY}\n${OCI_REGION}\nn\n~/.oci/oci_api_key.pem\n" | \
oci setup config

Upload your Public Key Credentials to your Profile.

oci iam user api-key upload --user-id ${OCI_CS_USER_OCID} \
--key-file $( grep '^key_file=' .oci/config | sed -e 's/^key_file=//' -e 's/\.pem/.pem.pub/;' )

Generate a SQL Script you can use to Create your OCI Native Credential.

echo -e "BEGIN\n\tDBMS_CLOUD.CREATE_CREDENTIAL(\n\t\tcredential_name => 'OCI_NATIVE_CRED',\
\n\t\tuser_ocid => '${OCI_CS_USER_OCID}',\n\t\ttenancy_ocid => '${OCI_TENANCY}',\
\n\t\tprivate_key => '$(cat $(awk -F'key_file=' '/key_file=/ {print $2}' ~/.oci/config) |\
tr -d '\n' | sed 's/-----BEGIN PRIVATE KEY-----//;' | sed 's/-----END PRIVATE KEY-----//;')',\
\n\t\tfingerprint => '$(grep '^fingerprint=' .oci/config |\
sed -e 's/^fingerprint=//')');\nEND;\n/\nexit;" | expand -t 2 > oci_native_credential.sql
chmod go-rw ~/oci_native_credential.sql

Resulting File Should Look Similar to this. (sample source)

BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => 'OCI_NATIVE_CRED',
    user_ocid => 'ocid1.user.oc1..aaaaaaaatfn77fe3fxux3o5lego7glqjejrzjsqsrs64f4jsjrhbsk5qzndq',
    tenancy_ocid => 'ocid1.tenancy.oc1..aaaaaaaapwkfqz3upqklvmelbm3j77nn3y7uqmlsod75rea5zmtmbl574ve6a'
    private_key =>  'MIIEogIBAAKCAQEAsbNPOYEkxM5h0DF+qXmie6ddo95BhlSMSIxRRSO1JEMPeSta0C7WEg7g8SOSzh
IroCkgOqDzkcyXnk4BlOdn5Wm/BYpdAtTXk0sln2DH/GCH7l9P8xC9cvFtacXkQPMAXIBDv/zwG1kZQ7Hvl7Vet2UwwuhCsesFgZZrAHkv
4cqqE3uF5p/qHfzZHoevdq4EAV6dZK4Iv9upACgQH5zf9IvGt2PgQnuEFrOm0ctzW0v9JVRjKnaAYgAbqa23j8tKapgPuREkfSZv2UMgF7
Z7ojYMJEuzGseNULsXn6N8qcvr4fhuKtOD4t6vbIonMPIm7Z/a6tPaISUFv5ASYzYEUwIDAQABAoIBACaHnIv5ZoGNxkOgF7ijeQmatoEL
deWse2ZXll+JaINeTwKU1fIB1cTAmSFv9yrbYb4ubKCJuYZJeC6I92rT6gEiNpr670Pn5n43cwblszcTryWOYQVxAcLkejbPA7jZd6CW5x
m/vEgRv5qgADVCzDCzrij0t1Fghicc+EJ4BFvOetnzEuSidnFoO7K3tHGbPgA+DPN5qrO/8NmrBebqezGkOuOVkOA64mp467DQUhpAvsy2
3RjBQ9iTuRktDB4g9cOdOVFouTZTnevN6JmDxufu9Lov2yvVMkUC2YKd+RrTAE8cvRrn1A7XKkH+323hNC59726jT57JvZ+ricRixSECgY
EA508e/alxHUIAU9J/uq98nJY/6+GpI9OCZDkEdBexNpKeDq2dfAo9pEjFKYjH8ERj9quA7vhHEwFL33wk2D24XdZl6vq0tZADNSzOtTrt
SqHykvzcnc7nXv2fBWAPIN59s9/oEKIOdkMis9fps1mFPFiN8ro4ydUWuR7B2nM2FWkCgYEAxKs/zOIbrzVLhEVgSH2NJVjQs24S8W+99u
LQK2Y06R59L0Sa90QHNCDjB1MaKLanAahP30l0am0SB450kEiUD6BtuNHH8EIxGL4vX/SYeE/AF6tw3DqcOYbLPpN4CxIITF0PLCRoHKxA
RMZLCJBTMGpxdmTNGyQAPWXNSrYEKFsCgYBp0sHr7TxJ1WtO7gvvvd91yCugYBJAyMBr18YY0soJnJRhRL67A/hlk8FYGjLW0oMlVBtduQ
rTQBGVQjedEsepbrAcC+zm7+b3yfMb6MStE2BmLPdF32XtCH1bOTJSqFe8FmEWUv3ozxguTUam/fq9vAndFaNre2i08sRfi7wfmQKBgBrz
cNHN5odTIV8l9rTYZ8BHdIoyOmxVqM2tdWONJREROYyBtU7PRsFxBEubqskLhsVmYFO0CD0RZ1gbwIOJPqkJjh+2t9SH7Zx7a5iV7QZJS5
WeFLMUEv+YbYAjnXK+dOnPQtkhOblQwCEY3Hsblj7Xz7o=',
    fingerprint => '4f:0c:d6:b7:f2:43:3c:08:df:62:e3:b2:27:2e:3c:7a'
  );
END;
/

Now Confirm that your Credential works with your Private Bucket.

SELECT object_name, bytes, created
FROM DBMS_CLOUD.LIST_OBJECTS('OCI_NATIVE_CRED', 
  'https://objectstorage.my-region.oraclecloud.com/n/foo/b/my-bucket/o/');

OBJECT_NAME         BYTES CREATED                             
---------------- -------- --------------------------------------
sample001.csv        1340 20-FEB-24 06.33.41.271000000 PM GMT