Three Ways to Authenticate OCI CLI in Oracle Cloud (2023)

Oracle Cloud provides automated resource provisioning and management at the click of a button, literally. You just log in to the OCI Console, which is a web-based interface, and click the button to provision and manage your resources.

However, managing large environments that way can become challenging. Additionally, you might want some tasks to run automatically at a specific time, without having to wake up in the middle of the night to click the button. For this purpose, Oracle provides additional interfaces for interacting with OCI resources programmatically: REST APIs, SDKs, and the Oracle Cloud Infrastructure Command Line Interface (OCI CLI), or CLI for short. The latter is my favorite, as it is extremely simple to use and to integrate into shell scripts, which takes automation much further.

From the security perspective, the CLI is just “someone” who wants to access OCI resources and therefore has to authenticate against the Cloud Control Plane. In this blog post, we will see three ways (actually four) to achieve that, what advantages they have, and what to consider.

The Environment

  • Compute VM1 in OCI to emulate a server that is not running in OCI.
  • Compute VM2 in OCI to be used as is, having an Oracle Cloud Identifier (OCID).
  • VM DB System in OCI, which also has an OCID.

OCI CLI Installation

OCI CLI is available for Linux, macOS, and Windows. Follow the steps on the Quickstart page for installation. In my case, on Linux:

    # On the Compute VMs, the yum repository and python3 are already installed.
    [opc@vm1 ~]$ bash -c "$(curl -L
    ===> In what directory would you like to place the install? (leave blank to use '/home/opc/lib/oracle-cli'):
    ===> In what directory would you like to place the 'oci' executable? (leave blank to use '/home/opc/bin'):
    ===> In what directory would you like to place the OCI scripts? (leave blank to use '/home/opc/bin/oci-cli-scripts'):
    ===> Modify profile to update your $PATH and enable shell/tab completion now? (Y/n): Y
    -- Installation successful.
    -- Run the CLI with /home/opc/bin/oci --help

To install OCI CLI on a VM DB System, you’ll first need to configure the yum repository and install python3:

    [opc@db ~]$ curl -s | grep region
    [opc@db ~]$ wget -O /tmp/oci_dbaas_ol7repo
    [opc@db ~]$ wget -O /tmp/versionlock.list
    [opc@db ~]$ sudo mv /tmp/oci_dbaas_ol7repo /etc/yum.repos.d/ol7.repo
    [opc@db ~]$ sudo mv /tmp/versionlock.list /etc/yum/pluginconf.d/versionlock.list
    [opc@db ~]$ sudo yum repolist
    [opc@db ~]$ sudo yum -y install python3 python3-tools

Note: for VM DB Systems it’s highly recommended to follow the manual installation procedure instead of installing OCI CLI via RPM. This ensures that OCI CLI is run in a virtual environment and will not conflict with the RPMs on the database VMs, which could lead to issues while updating the operating system at a later point in time.

At this stage, OCI CLI is installed, but we still need to authenticate ourselves to be able to interact with the OCI resources.

Authentication Method #1: User Principals

Use an OCI user and an API key for authentication. In this case, you need a config file containing your tenancy OCID, user OCID, region name, the path to the private API key, and the fingerprint of that API key. The easiest way is to let the CLI walk you through the setup by executing the following command:

    [opc@vm1 ~]$ oci setup config
    Enter a location for your config [/home/opc/.oci/config]:
    Enter a user OCID: ocid1.user.oc1..
    Enter a tenancy OCID: ocid1.tenancy.oc1..
    Enter a region by index or name(e.g. 1: ap-chiyoda-1, 2: ap-chuncheon-1, ...: eu-frankfurt-1
    Do you want to generate a new API Signing RSA key pair? [Y/n]: Y
    Enter a directory for your keys to be created [/home/opc/.oci]:
    Enter a name for your key [oci_api_key]:
    Enter a passphrase for your private key (empty for no passphrase):

Now, a config file and a key pair have been created:

    [opc@vm1 ~]$ ls -l /home/opc/.oci/
    total 12
    -rw-------. 1 opc opc  302 Oct 1 11:13 config
    -rw-------. 1 opc opc 1675 Oct 1 11:13 oci_api_key.pem
    -rw-------. 1 opc opc  451 Oct 1 11:13 oci_api_key_public.pem
    [opc@vm1 ~]$ cat /home/opc/.oci/config
    [DEFAULT]
    user=ocid1.user.oc1..
    fingerprint=e1:c8:bb:6a:71:c4:d6:28:90:7a:e3:23:0a:ed:d5:8d
    key_file=/home/opc/.oci/oci_api_key.pem
    tenancy=ocid1.tenancy.oc1..
    region=eu-frankfurt-1

Finally, you have to upload your API Signing public key through the OCI Console.

Get the content of the public key:

    [opc@vm1 ~]$ cat /home/opc/.oci/oci_api_key_public.pem
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsGvXqNG0gvPbYM4ELD5el7ax47rnqEWKe3cxcpVR5+bDHSyKARKdCWpPGZA9+yg+coxa6aemS1cI2lBOZwRUXFb3MhlGUGRKmZPHkr+bjLquH7dZURy/6rPT36AwblU2OluwHeNkwNRhdP6bJaIXzXXSybq0lQxOEzU+LhAlCrxhvXaSaCyVvF9OeJ34NoWQO/9DzJsuG/rGwFk8yCzXED3mU0vdFWp03SciN0XPOmuc+R23kZpChVlS5BwCPfxXQC/azVaiKRzSTnLT/7WlvS3Py1LH1nr3z3beCqD3F5NJGLRzRrdeVRinA28cRFcb4wK0fDS7DTkqPcPxjp9QnwIDAQAB
    -----END PUBLIC KEY-----

In the OCI Console, from your OCI user’s detail page, click on API Keys, then Add API Key:

Choose Paste Public Key, put the content of the public key in the text area, and click Add. A new Fingerprint will be displayed on your user’s details page. The Fingerprint must be identical to the one in your config file in the .oci folder.

Now we are ready to execute our first CLI command:

    [opc@vm1 ~]$ oci iam compartment list --compartment-id ocid1.tenancy.oc1..
    {
      "data": [
        {
          "compartment-id": "ocid1.tenancy.oc1..",
          "defined-tags": {},
          "description": "Demo",
    ...


Advantages:

  • You can use this method from any server, within OCI or on-premises.

Disadvantages:

  • The actions that may be executed depend on the user’s privileges.
  • Other users on the machine will execute the commands in the name of that user.
  • This configuration is not possible when using federated users.
  • Overhead of managing users and keys.
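The config file above, together with the private key it points to, is the whole credential, and the Console only accepts the key whose fingerprint matches. The script below is an added example and is not part of the original post or of the OCI CLI: it sanity-checks an API-key profile before first use by reading the config with awk, verifying that config and key file are owner-only (mode 600, as in the listing above), and recomputing the fingerprint from the private key with openssl (colon-separated MD5 of the DER-encoded public key, the derivation the Console uses) to compare against the fingerprint entry. A Linux host with GNU stat and openssl, and all function names, are assumptions of this example; a passphrase-protected key makes openssl prompt for the passphrase.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the OCI CLI: sanity-check an
# API-key profile (~/.oci/config plus the private key it points to) before
# first use. Assumes a Linux host with GNU stat and openssl; all function
# names are this example's own.

# Read one key from a profile in an INI-style OCI config file.
# Usage: oci_config_get <config-file> <profile> <key>
oci_config_get() {
  awk -v want="[$2]" -v key="$3" '
    /^\[/ { in_section = ($0 == want); next }
    in_section && match($0, "^" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); print; exit
    }' "$1"
}

# Succeed only if the file is readable by its owner alone (0600 or 0400),
# which is how "oci setup config" creates config and key files.
# Usage: oci_check_private <file>
oci_check_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Recompute the API-key fingerprint the way the Console derives it:
# colon-separated MD5 of the DER-encoded public key.
# Usage: oci_key_fingerprint <private-key.pem>
oci_key_fingerprint() {
  local tmp
  tmp=$(mktemp) || return 1
  if ! openssl rsa -in "$1" -pubout -outform DER -out "$tmp" 2>/dev/null; then
    rm -f "$tmp"; return 1
  fi
  openssl md5 -c "$tmp" | awk '{ print $NF }'
  rm -f "$tmp"
}

# Validate a profile: config and key are owner-only, the key file exists,
# and the fingerprint in the config matches the key on disk.
# Prints each failure to stderr; returns 0 only when everything passes.
# Usage: oci_profile_check <config-file> [profile]
oci_profile_check() {
  local cfg="$1" profile="${2:-DEFAULT}" key_file fp actual rc=0
  key_file=$(oci_config_get "$cfg" "$profile" key_file)
  fp=$(oci_config_get "$cfg" "$profile" fingerprint)
  # the CLI accepts "~" in key_file; expand it the same way
  case "$key_file" in "~"*) key_file="$HOME${key_file#\~}" ;; esac
  oci_check_private "$cfg" || { echo "config $cfg is not mode 600" >&2; rc=1; }
  [ -r "$key_file" ] || { echo "key_file '$key_file' is not readable" >&2; return 1; }
  oci_check_private "$key_file" || { echo "key $key_file is not mode 600" >&2; rc=1; }
  actual=$(oci_key_fingerprint "$key_file") || { echo "cannot parse key $key_file" >&2; return 1; }
  [ "$fp" = "$actual" ] || { echo "fingerprint mismatch: config=$fp key=$actual" >&2; rc=1; }
  return "$rc"
}

# Stand-alone use, after sourcing this file:
#   oci_profile_check ~/.oci/config DEFAULT && echo "profile looks consistent"
```

Run it on a freshly created profile before the first CLI call, and again after rotating a key: a fingerprint mismatch means the config still references the old key, and a loosened file mode means another local account can read the credential.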

Authentication Method #2: Instance Principals

Instead of using a user and a key, allow the VM Compute instance in OCI itself to execute CLI commands. For this purpose, we will need the OCID of the Compute instance as part of a Dynamic Group, and a Policy to assign the privileges to the Dynamic Group.

Create a Dynamic Group that contains the OCID of the Compute Instance:

Any { = '' }

Create a Policy with the needed privileges:

allow dynamic-group DG_Instances to manage all-resources in tenancy

Now, in your Compute instance, you don’t need any config files or keys anymore.

You can set the Authentication Method once to instance_principal and execute your CLI commands as usual:

    [opc@vm2 ~]$ export OCI_CLI_AUTH=instance_principal
    [opc@vm2 ~]$ oci iam compartment list ...
    [opc@vm2 ~]$ oci compute instance launch ...
    [opc@vm2 ~]$ oci db autonomous-database start ...

Another way is to add the --auth instance_principal parameter to every single CLI command:

    [opc@vm2 ~]$ oci iam compartment list ... --auth instance_principal


Advantages:

  • You don’t need to deal with users and keys.

Disadvantages:

  • Everyone who has access to this machine can execute the CLI commands.
  • In OCI Auditing, it will be the instance that has executed a command, so you can’t map the actions to a real user.
  • It is applicable to Compute instances only, not to other OCI resources, e.g. database machines.

Authentication Method #3: Resource Principals

Resource Principals allow not only Compute instances but also other OCI resources, such as VM DB Systems and Exadata VM Clusters, to authenticate against the Cloud Control Plane.

In this case, we will use instead of in the Dynamic Group. The OCID to be used is the one of the Compute instance, the DB System, or the Exadata VM Cluster:

Any { = '' }

Set the environment variables as below and execute your CLI commands from a Compute instance, VM DB System, or Exadata Cloud Service machines:

    [opc@db ~]$ export OCI_CLI_AUTH=resource_principal   # or add --auth resource_principal to each command
    [opc@db ~]$ export OCI_RESOURCE_PRINCIPAL_VERSION=1.1
    [opc@db ~]$ export OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT=""   # replace with your region's endpoint
    [opc@db ~]$ oci iam compartment list ...
    [opc@db ~]$ oci compute instance launch ...
    [opc@db ~]$ oci db autonomous-database start ...


Advantages:

  • You don’t need to deal with users and keys.
  • Applies to Compute instances as well as other OCI resources.

Disadvantages:

  • Everyone who has access to this machine can execute the CLI commands.
  • In OCI Auditing, it will be the resource that has executed a command, so you can’t map the actions to a real user.
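Instance Principals and Resource Principals share the same two drawbacks: anyone with a shell on the machine can issue commands, and OCI Audit records the instance or resource, not the person. The wrapper below is an added example, not code from the original post or from Oracle. It validates the principal mode (and, for resource principals, that OCI_RESOURCE_PRINCIPAL_VERSION and OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT are set, as in the session above), appends a local attribution record (UTC timestamp, sudo and effective user, auth mode, command line) to a log, and only then runs the CLI with --auth. OCI_BIN, OCI_AUDIT_LOG, the log path and the function names are assumptions introduced here; OCI_CLI_AUTH and the two resource-principal variables are the ones the post uses.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Oracle: a thin wrapper
# around the OCI CLI for machines that authenticate as an instance or
# resource principal. It records which local account ran which command, so
# actions that OCI Audit attributes to the instance can be mapped back to a
# person on the box. OCI_BIN and OCI_AUDIT_LOG are knobs of this example
# (they let a test substitute a stub); OCI_CLI_AUTH and the
# OCI_RESOURCE_PRINCIPAL_* variables are the real ones the post shows.

: "${OCI_BIN:=oci}"
: "${OCI_AUDIT_LOG:=/var/log/oci-cli-audit.log}"   # assumed path

# Validate the principal mode and, for resource principals, make sure the
# environment the CLI needs is present. Prints the mode on success.
# Usage: oci_auth_mode [mode]   (defaults to $OCI_CLI_AUTH, then instance_principal)
oci_auth_mode() {
  local mode="${1:-${OCI_CLI_AUTH:-instance_principal}}"
  case "$mode" in
    instance_principal) ;;
    resource_principal)
      [ -n "${OCI_RESOURCE_PRINCIPAL_VERSION:-}" ] \
        || { echo "OCI_RESOURCE_PRINCIPAL_VERSION is not set" >&2; return 1; }
      [ -n "${OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT:-}" ] \
        || { echo "OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT is not set" >&2; return 1; }
      ;;
    *) echo "unsupported auth mode for this wrapper: $mode" >&2; return 1 ;;
  esac
  printf '%s\n' "$mode"
}

# Append one attribution record: UTC time, the real user (SUDO_USER when the
# wrapper runs under sudo), the effective user, the auth mode, and the full
# command line.
# Usage: oci_audit_record <mode> <oci args...>
oci_audit_record() {
  local mode="$1"; shift
  printf '%s user=%s euid=%s auth=%s cmd=oci %s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${SUDO_USER:-$(id -un)}" "$(id -un)" "$mode" "$*" \
    >> "$OCI_AUDIT_LOG"
}

# Run the OCI CLI under the validated principal mode, logging first so the
# record exists even if the command fails.
# Usage: oci_audited <oci args...>
oci_audited() {
  local mode
  mode=$(oci_auth_mode) || return 1
  oci_audit_record "$mode" "$@"
  "$OCI_BIN" --auth "$mode" "$@"
}

# Review helper: number of commands per local user in the log.
# Usage: oci_audit_summary [logfile]
oci_audit_summary() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^user=/) c[$i]++ }
       END { for (u in c) print u, c[u] }' "${1:-$OCI_AUDIT_LOG}" | sort
}

# Stand-alone use, after sourcing this file on a Compute instance:
#   oci_audited iam compartment list --compartment-id <tenancy OCID>
```

Point operators at the wrapper instead of a bare oci, forward the log to the same place as the rest of the host's audit trail, and the "which person ran this" question that OCI Audit cannot answer for a principal is answered locally.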

Cloud Shell

Do you just want to get started immediately, without installing or configuring anything at all?

Then use Cloud Shell!

Just click on the Cloud Shell icon on the upper right side of the Cloud Console!

Advantages:

  • Pre-installed and pre-authenticated CLI. Just log in and start typing.
  • Each user gets their own Cloud Shell, and only the privileges assigned to that user apply.
  • All actions are audited and mapped to that user.

Disadvantages:

  • It is not possible to schedule jobs as you would on your own machine using crontab. The session has a maximum length of 24 hours anyway.


OCI CLI provides an easy way to benefit even more from Cloud automation by managing your OCI resources via a simple command-line tool. Authentication can be done by using a user and a key, Instance Principals, or Resource Principals.

Further Reading

  • Command Line Interfaces (CLIs) in the Oracle Cloud
  • Automate Patching and Upgrade your Cloud Databases using OCI CLI
  • How to use Customer-Managed TDE Encryption Keys in Oracle Exadata Cloud Service
  • CLI Command Reference
  • Calling Services from an Instance
  • How To configure oci-cli with Instance/Resource Principals (Doc ID 2763990.1)


Article information

Author: Rueben Jacobs

Last Updated: 02/14/2023
