Secure Access Management with Database Management Service Named Credentials

February 9, 2024 | 5 minute read
Derik Harlow
Senior Product Manager

Access management and security standards can be difficult to navigate when configuring cloud deployments, but the Database Management service (DBM) in OCI makes this task easier with new ways to manage connection credentials from within the monitoring service. The new Named Credentials feature in DBM provides a more streamlined, secure way to access resources when using the service for performance monitoring, database administration, or resource management. A named credential contains a user's authentication information for a resource or group of resources: the username used to connect to the resource and the OCI Vault service secret that contains the associated password.

The key benefits of configuring and using named credentials:

  • User credentials are secure as they are saved within the named credential and are not exposed to all users. Named credentials allow a DBA with lower privileges to perform database maintenance-related tasks without having to know the database password.
  • Time and effort are saved as the user credentials do not have to be specified each time you perform a task in Database Management.
  • User credentials can be updated within the named credential ensuring ease of maintenance.
  • Named credentials ensure consistency and avoid errors that may result from using different user credentials.
  • Associated credentials reduce the risk of locking a monitoring user's account due to input errors.

Figure 1:  Navigate to Named Credentials feature and create a named credential in Database Management

 

How can named credentials ease administration tasks in the cloud

When creating named credentials, you have the option of relating a single resource in OCI or a group of resources to minimize efforts in connecting to administer a fleet of databases.

Figure 2: Create a named credential

Named credentials can also be used to set Preferred Credentials for resources, providing more granularity and control over user access to resources in OCI. For instance, a Preferred Credential can be configured for a group of administrators to allow read-only access to features in Database Management. Another Preferred Credential with elevated privileges can be configured for a separate group of administrators to allow management capabilities, including storage administration or advanced SQL tuning operations. The following preferred credentials are available to set:

  • Basic monitoring: Minimum privileges to collect metrics and view the database fleet summary and Managed Database details. The Basic monitoring credential is set automatically for the monitoring user when Database Management is enabled.
  • Advanced diagnostics: Advanced privileges to use diagnostic tools such as Performance Hub and AWR Explorer. If the Advanced diagnostics credential is set for a Managed Database, then it can be used automatically for the diagnostic features and for read operations in the Managed Database.
  • Administration: Management privileges to perform administrative tasks such as creating tablespaces and editing database parameters. If the Administration credential is set for a Managed Database, then it can be used to autofill database credentials to perform the write operations in the Managed Database.

Figure 3: Configure preferred credential utilizing an existing named credential

Finally, Session Credentials can be set at the session level in DBM to override Preferred Credentials. This is useful when you need access to a resource but have not been granted privileges to use preferred credentials or do not have a valid named credential.

Figure 4:  Set a session credential for one-time use

Configuring named credentials in the Database Management service

In Database Management, the named credentials section can be accessed from:

  • Administration Named Credentials page: On the Named Credentials page, view all the Resource and Global named credentials created in the compartment and perform all the named credential tasks.
    1. Open the navigation menu in the Oracle Cloud Infrastructure console and click Observability & Management. Under Database Management, click Administration.
    2. On the left pane, click Named Credentials and select a compartment in the Compartment drop-down list.

 

Figure 5:  View all associated credentials for a database resource in OCI

  • Credentials section on the Managed database details page: In this section, view the named credentials created for the Managed Database and the Global named credentials in the compartment and perform all the named credential tasks.

 

Figure 6:  View named credentials in Database Management administration page

Simplify the administration of monitoring your databases in OCI by using the new Named Credentials feature in Database Management. Quickly implement a more secure, streamlined approach to credential management and improve the overall security posture of your cloud estate today. Database Management provides a full suite of capabilities in OCI to manage your entire fleet of databases. Try it out today for free.

Resources:

To learn more about DBM capabilities, visit:

 

Derik Harlow works as Senior Product Manager in the Enterprise Cloud Observability Management organization at Oracle Corporation covering the areas of Oracle Cloud Infrastructure Database Management and Operations Insights.

