Obtain OCI credentials

Obtain API credentials for an OCI account

Oracle Cloud Infrastructure (OCI) does not have a partner or reseller account system.

Each enterprise in the cloud platform will have its own OCI account.

The root admin user of your account will have full access to the OCI portal and cloud.

To work in the cloud platform, create a user with an API signing key. See https://docs.oracle.com/en-us/iaas/Content/General/Concepts/credentials.htm#Security_Credentials

Abiquo supports Federated and IAM users in OCI. You should decide which type of user best suits your business needs.

You can restrict the API credentials to a set of OCI compartments.
OCI compartments are like Azure resource groups and which are also represented as Abiquo resource groups)

In Abiquo, you can use the same OCI credentials for compute and for pricing and billing.

The credentials you will need to enter in Abiquo are the OCI user, fingerprint, tenancy and private key.

Create a new user in OCI

To create a federated user or a local user to access OCI through Abiquo, do these steps.

1. Log in to the OCI console and create a user following Oracle instructions for federated or local users

   1. Federated users (IDCS): https://docs.oracle.com/en-us/iaas/Content/GSG/Tasks/addingusers.htm#Add

   2. Local users (IAM): https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingusers.htm#Managing_Users

2. Assign your user to a group and allow access and/or assign an access policy to your user

   1. For a Cloud Admin, assign the user to the Administrators group

3. Go to Infrastructure Regions and subscribe the user to any other required regions in addition to the home region.

Restrict an OCI user

One way to restrict an OCI user is to allow them to work with resources in one or more OCI Compartments only.

For information about OCI compartments and their use cases, see https://docs.oracle.com/en-us/iaas/Content/GSG/Concepts/settinguptenancy.htm#four

For more details about how to manage compartments, see https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm.

For a quick description of the policy for restricting user compartments, see https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/commonpolicies.htm#compartment-admin-manage-compartment.
(You can add the policy in Identity → Policies).

OCI billing dashboard

To enable an OCI user to use the billing dashboard, assign the OCI user a policy with access to cost and usage data.

1. Go to https://docs.oracle.com/en-us/iaas/Content/Billing/Tasks/accessingusagereports.htm#Accessing_Cost_and_Usage_Reports and get the required policy from the “Required IAM Policy” section.
   (We got this one on 2022-07-28, please check for updates!).
   To use cost and usage reports, the following policy statement is required:
   define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq

   endorse group <group> to read objects in tenancy usage-report

2. Replace “<group>” with the OCI user’s group

3. In OCI, go to Identity → Policies and add the policy

Obtain an API key

To obtain Oracle API key credentials, you will need an API signing key.

• To generate your own key, see Oracle info on generating an API signing key.

To obtain Oracle credentials, do these steps in the Oracle console. 

1. For local users

   1. Go to the options menu in the top left of the screen → Identity & Security → Users

   2. Select the user and go to API keys 

2. For federated users

   1. Follow the instructions in the Oracle documentation to add an API key. See https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/addingidcsusersandgroups.htm
      In the section "To add API keys, auth tokens, or other Oracle Cloud Infrastructure Credentials''

3. Click Add API key

4. You can let Oracle generate an API signing key or upload your own public key and fingerprint. 

5. If you generate an API signing key, click Download Private Key

   1. The private key will save as a .pem file

   2. Change the permissions of the file so only you can access it

   3. Keep this file to enter as the secret key

6. Select View Configuration file.
   From the Configuration File Preview you will need to prepare the following to enter them in Abiquo.

   1. User with the format ocid1.user.oc1..aaaaaaaa7tnw...verylongstring2...

   2. Fingerprint with the format ab:ab:ab:bc:bc:bc:...

   3. Tenancy with the format ocid1.tenancy.oc1..aaaaaaaaeuu5...verylongstring1...

This is described towards the end of the second section of the official Oracle documentation on "Configuring and Connecting to Oracle Cloud with Oracle Developer Tools for VS Code".

In OCI check that the user has permissions to access the public cloud regions to add to Abiquo.

Add credentials in Abiquo

To add the credentials in Abiquo do these steps.

1. Create at least one OCI public cloud region

2. Edit the tenant enterprise and go to Credentials → Public

3. Enter the credentials in the following format:

   1. Access key ID:  tenancy#user#fingerprint
      Enter the tenancy user and fingerprint, with “#” characters in between them. For example:
      ocid1.tenancy.oc1..aaaaaaaaeuu5...verylongstring1...#ocid1.user.oc1..aaaaaaaa7tnw...verylongstring2...#ab:ab:ab:bc:bc:bc:...

   2. Secret access key: Private key in PEM format
      -----BEGIN PRIVATE KEY-----

      BLasdKKTSDksdfkiG9w0BAQaassCBKgwggaaaIBAQbCCSDDD1ZUVdsSQErS

      ....

      -----END PRIVATE KEY-----

4. To use the same credentials for billing dashboards, mark the checkbox to Also use for pricing if required