Oracle Cloud Go SDK and Instance Principal based Authentication

Lucas Jellema January 8, 2022
0 0
Read Time:1 Minute, 32 Second

In a recent article, I described the use of the OCI SDK for Go(Lang) – in my example to interact with the ObjectStorage service. In the article, I used authentication based on tenancy and user ocid, fingerprint and private key. However, when the Go application is running in an OCI environment – Compute Instance, Function, Container on Kubernetes – it is usually a much better idea to have the application leverage the identity and associated privileges of its runtime environment. On OCI, this is called Instance Principal – the identity assigned to a runtime environment such as a compute instance or function.

I was wondering how exactly to leverage the instance principal in my Go code. It took me a little digging (probably looking in all the wrong places first) and I ended up with a ridiculously simple statement:

configurationProvider, err := auth.InstancePrincipalConfigurationProvider()

where configurationProvider is a common.ConfigurationProvider. Note: a package import is added for “github.com/oracle/oci-go-sdk/v54/common/auth”

The code changes and becomes much simpler. The sections in blue rectangles can be dropped, the line in the red rectangle is all that is required for instance principal based authentication.

image

What of course is required in order to make the code function correctly is:

  • define dynamic group that includes the instance (compute instance, function, OKE node) in which the code will run
  • define policies that grant to the dynamic group the required permissions for the code to do its OCI interactions

Resources

Example of InstancePrincipal Authentication: https://github.com/oracle/oci-go-sdk/blob/4e29eeb31529a52f73c80e1444f30c75d6c512c3/example/example_instance_principals_test.go#L28 

Accessing the Oracle Cloud Infrastructure API Using Instance Principals (blog article) – https://blogs.oracle.com/developers/post/accessing-the-oracle-cloud-infrastructure-api-using-instance-principals

OCI Docs – Calling OCI Services from an instance – https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm

About Post Author

Lucas Jellema

Lucas Jellema, active in IT (and with Oracle) since 1994. Oracle ACE Director and Oracle Developer Champion. Solution architect and developer on diverse areas including SQL, JavaScript, Kubernetes & Docker, Machine Learning, Java, SOA and microservices, events in various shapes and forms and many other things. Author of the Oracle Press book Oracle SOA Suite 12c Handbook. Frequent presenter on user groups and community events and conferences such as JavaOne, Oracle Code, CodeOne, NLJUG JFall and Oracle OpenWorld.
lucas.jellema@amis.nl
https://www.amis.nl/
Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
0 %

Related posts:

Loading Data into Always Free Oracle Autonomous Data Warehouse Cloud – from JSON and CSV to Database Table First code and cli free steps with Oracle Database 21c in Oracle Cloud Cleaning Out a Compartment on Oracle Cloud using Terraform provider Simple queries against Oracle Cloud NoSQL Database How to open IDCS Console from OCI– Finding the entry to Identity Cloud Service

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%
(Add your review)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Next Post

Quick Start Compute Instance on OCI (for software development)

Sun Jan 9 , 2022
I have worked quite a bit in Oracle Cloud, starting back in 2015. I have used many different OCI services – such as Integration, Streaming, Functions, OKE, API Gateway, Object Storage, DBaaS and several more. However, for some reason I have almost complete avoided the almost simplest service of all: […]

You May Like

%d bloggers like this: