
HowTo configure oci-cli with Instance/Resource Principals (Doc ID 2763990.1)

Last updated on APRIL 13, 2023

Applies to:

Oracle Database Cloud Exadata Service - Version N/A to N/A [Release 1.0]
Information in this document applies to any platform.


Oracle Cloud Infrastructure CLI (oci-cli) has 3 ways to authenticate: User + Authentication Token, Instance Principals and Resource Principals. With User Principals, you place your private token on the machine, so anyone who can access the machine could potentially act as your user (because the private key was left there) and do whatever you are allowed to do. Moreover, such a configuration is not permitted in a tenant that is configured with "federated users". OCI introduced a way for instances (in the compute case) to authenticate themselves against the Control Plane and perform the actions the "instance" is allowed to perform. This article shows how to configure Resource Principals and how to use that configuration with oci-cli.



In this Document
 The Steps
 1. Setup a Dynamic Group
 2. Add the required policies (permissions)
 3. Execute oci-cli with resource principals
 Use Case examples
 1. OCI-cli running from a dbsystem
 2. OCI-cli running from a dbsystem to control a different dbsystem
 3. OCI-cli running from a compute instance in a different Compartment
