Oracle Cloud Go SDK and Instance Principal based Authentication image 25

Oracle Cloud Go SDK and Instance Principal based Authentication

January 8, 2022 Oracle Cloud No Comments

In a recent article, I described the use of the OCI SDK for Go(Lang) – in my example to interact with the ObjectStorage service. In the article, I used authentication based on tenancy and user ocid, fingerprint and private key. However, when the Go application is running in an OCI environment – Compute Instance, Function, Container on Kubernetes – it is usually a much better idea to have the application leverage the identity and associated privileges of its runtime environment. On OCI, this is called Instance Principal – the identity assigned to a runtime environment such as a compute instance or function.

I was wondering how exactly to leverage the instance principal in my Go code. It took me a little digging (probably looking in all the wrong places first) and I ended up with a ridiculously simple statement:

configurationProvider, err := auth.InstancePrincipalConfigurationProvider()

where configurationProvider is a common.ConfigurationProvider. Note: a package import is added for “github.com/oracle/oci-go-sdk/v54/common/auth”

The code changes and becomes much simpler. The sections in blue rectangles can be dropped, the line in the red rectangle is all that is required for instance principal based authentication.

image

What of course is required in order to make the code function correctly is:

  • define dynamic group that includes the instance (compute instance, function, OKE node) in which the code will run
  • define policies that grant to the dynamic group the required permissions for the code to do its OCI interactions

Resources

Example of InstancePrincipal Authentication: https://github.com/oracle/oci-go-sdk/blob/4e29eeb31529a52f73c80e1444f30c75d6c512c3/example/example_instance_principals_test.go#L28 

Accessing the Oracle Cloud Infrastructure API Using Instance Principals (blog article) – https://blogs.oracle.com/developers/post/accessing-the-oracle-cloud-infrastructure-api-using-instance-principals

OCI Docs – Calling OCI Services from an instance – https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm

Related Posts

Tags:, , , ,

About The Author

Lucas Jellema

Lucas Jellema, active in IT (and with Oracle) since 1994. Oracle ACE Director and Oracle Developer Champion. Solution architect and developer on diverse areas including SQL, JavaScript, Kubernetes & Docker, Machine Learning, Java, SOA and microservices, events in various shapes and forms and many other things. Author of the Oracle Press book Oracle SOA Suite 12c Handbook. Frequent presenter on user groups and community events and conferences such as JavaOne, Oracle Code, CodeOne, NLJUG JFall and Oracle OpenWorld.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.