In a recent article, I described the use of the OCI SDK for Go (Golang) – in my example to interact with the Object Storage service. In that article, I used authentication based on tenancy and user OCID, fingerprint and private key. However, when the Go application is running inside an OCI environment – Compute Instance, Function, Container on Kubernetes – it is usually a much better idea to have the application leverage the identity and associated privileges of its runtime environment, so that no user credentials have to be shipped with or configured for the application. On OCI, this is called Instance Principal – the identity assigned to a runtime environment such as a compute instance or function.
I was wondering how exactly to leverage the instance principal in my Go code. It took me a little digging (probably looking in all the wrong places first) and I ended up with a ridiculously simple statement:
configurationProvider, err := auth.InstancePrincipalConfigurationProvider()
where configurationProvider is a common.ConfigurationProvider (and err the usual error value). Note: this requires an additional package import for “github.com/oracle/oci-go-sdk/v54/common/auth”.
The code becomes much simpler: the sections in the blue rectangles can be dropped, and the line in the red rectangle is all that is required for instance principal based authentication.
What is of course required for the code to work correctly is:
- define a dynamic group that includes the instance (compute instance, function, OKE node) in which the code will run
- define policies that grant the dynamic group the permissions required for the OCI interactions the code performs
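As an added illustration (constructed for this article, not taken from the OCI documentation), a dynamic group matching rule and the policy statements that would let the Object Storage code above list and write objects in a single bucket. The compartment OCID, compartment name, dynamic group name and bucket name are placeholders.

```text
# Dynamic group "go-objectstorage-app": matching rule for compute instances in one compartment
Any {instance.compartment.id = 'ocid1.compartment.oc1..<placeholder>'}

# Alternative matching rule if the code runs as an OCI Function instead of on an instance
All {resource.type = 'fnfunc', resource.compartment.id = 'ocid1.compartment.oc1..<placeholder>'}

# Policy statements for the dynamic group, scoped to one bucket rather than the whole compartment
Allow dynamic-group go-objectstorage-app to read buckets in compartment app-compartment
Allow dynamic-group go-objectstorage-app to manage objects in compartment app-compartment where target.bucket.name = 'my-bucket'
```

The `where target.bucket.name` condition is the part worth keeping: the instance principal is available to every process on the instance, so granting it only the bucket the application needs limits what a compromised process on the same instance can reach.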
Example of InstancePrincipal Authentication: https://github.com/oracle/oci-go-sdk/blob/4e29eeb31529a52f73c80e1444f30c75d6c512c3/example/example_instance_principals_test.go#L28
Accessing the Oracle Cloud Infrastructure API Using Instance Principals (blog article) – https://blogs.oracle.com/developers/post/accessing-the-oracle-cloud-infrastructure-api-using-instance-principals
OCI Docs – Calling OCI Services from an instance – https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm