I have worked quite a bit in Oracle Cloud, starting back in 2015. I have used many different OCI services – such as Integration, Streaming, Functions, OKE, API Gateway, Object Storage, DBaaS and several more. However, for some reason I had almost completely avoided the simplest service of all: Compute. Creating a compute instance, configuring its network options and connecting to it over SSH somehow seemed daunting and to be avoided if at all possible. This irrational stance on OCI Compute came to an end. Yesterday I needed to verify my Go implementation that leverages instance principal authentication for accessing OCI APIs. The only way to test this is by running the code on an instance inside OCI (Cloud Shell cannot do instance principal authentication), so provisioning a compute instance was the best option.
In this article I give a quick overview of how I got my instance up and running, and how I configured the dynamic group and policies that let this instance act as an instance principal with the required permissions. It is by no means as hard as I thought it was.
- prepare network: VCN with Subnet & Internet Gateway (if it does not already exist)
- define ingress and egress rules in security list associated with subnet
- provision compute instance – select compartment and subnet, image and shape
- download private key and note public ip
- connect from SSH client to public ip using private key
- work in a command line terminal against the Linux compute instance (clone git repo, go test, go run, vi to edit files)
- work in VS Code directly against the OCI compute instance using Remote SSH
I started with a pre-existing compartment and a VCN with a (public) subnet. From the home page in the console I used the “Launch Resource” wizard.
This page appeared – with a number of fairly simple questions to answer:
Name for the instance, target compartment and availability domain in the region, image and shape and the networking options (VCN and subnet as well as whether or not to assign a public IP).
I clicked to edit the image
and selected the Oracle Linux Cloud Developer image – see this page for details on this image. This image contains many relevant tools – including git, OCI CLI, Terraform, Ansible and VS Code – and language runtimes – including Python, Java, Node, GraalVM and Go.
Next, I decided to switch from AMD to Ampere in terms of the shape of the VM.
I had to tune the memory to 8 GB (the minimum size recommended for the Cloud Developer image):
Next, I downloaded the Private Key of the Key Pair automatically generated for this instance. Note: I could also have uploaded the public key for a key pair I had generated myself.
I do not need a special boot volume.
Click on create to start provisioning of the VM. The next page is shown with all instance details. It does not exist yet, but it soon will.
A little later, the instance is ready, and it has been assigned a public IP address:
I need that public IP address, together with the private key I downloaded, to open an SSH session to the instance and make it do stuff.
I opened an Ubuntu session in my WSL2 environment and made the downloaded private key file available. I restricted the permissions on the file (ssh refuses to use a private key that is readable by other users):
chmod 400 <private key file>
Then I tried to initiate the SSH session:
ssh -i <private key file> opc@<public ip address of instance>
This was not successful: the connection timed out.
I despaired, then realized that an ingress rule for traffic on port 22 might be missing from the subnet's security list. I added that (stateful) ingress rule for TCP port 22, and lo and behold: I could connect. Scope the source CIDR of such a rule as narrowly as you can (your own public address rather than 0.0.0.0/0), because the rule exposes the instance's sshd to whatever source range it names.
With the SSH session up and running, I created three files in the VM – in a very awkward way: open vi for the file I wanted to create, paste the content from the file on my laptop and save the file. I later learned that I can work in VS Code directly against the VM – see below.
After creating three files in this fashion – go.mod, go.sum and main.go – I tried to compile and run the Go application:
This failed because of a missing egress rule: the Go toolchain tried to download the imported modules over HTTPS (port 443) and could not reach the module proxy. The SSH ingress rule does not help here, since a stateful ingress rule only covers connections initiated from outside and their replies, not connections the instance opens itself. I had to add another rule to the security list, for outbound TCP traffic to port 443:
With this rule in place, I could get my Go application to compile and run:
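As an added example (not the post's own code), here are the two security list rules expressed in Go as the JSON the OCI Core API and CLI use for security lists, together with the check a practitioner would run before opening port 22: does any rule admit SSH from the whole Internet? The field names follow the API's IngressSecurityRule and EgressSecurityRule objects; the `WorldExposedSSH` helper, the 203.0.113.10/32 admin address and the rule descriptions are my assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// The structs mirror the IngressSecurityRule / EgressSecurityRule objects of the
// OCI Core API, i.e. the JSON the CLI accepts for
//   oci network security-list update --ingress-security-rules file://ingress.json
// Only the fields used here are modelled (added example, not the post's code).
type PortRange struct {
	Min int `json:"min"`
	Max int `json:"max"`
}

type TCPOptions struct {
	DestinationPortRange *PortRange `json:"destinationPortRange,omitempty"`
}

type IngressRule struct {
	Description string      `json:"description,omitempty"`
	Protocol    string      `json:"protocol"` // IANA protocol number as a string; "6" is TCP
	Source      string      `json:"source"`
	SourceType  string      `json:"sourceType"` // CIDR_BLOCK
	IsStateless bool        `json:"isStateless"`
	TCPOptions  *TCPOptions `json:"tcpOptions,omitempty"` // nil means all ports
}

type EgressRule struct {
	Description     string      `json:"description,omitempty"`
	Protocol        string      `json:"protocol"`
	Destination     string      `json:"destination"`
	DestinationType string      `json:"destinationType"`
	IsStateless     bool        `json:"isStateless"`
	TCPOptions      *TCPOptions `json:"tcpOptions,omitempty"`
}

const tcp = "6"

// SSHIngress builds a stateful TCP/22 ingress rule limited to sourceCIDR.
// Stateful rules let the replies of an accepted SSH session out again without a
// matching egress rule; they do not let the instance open connections itself.
func SSHIngress(sourceCIDR string) (IngressRule, error) {
	if _, _, err := net.ParseCIDR(sourceCIDR); err != nil {
		return IngressRule{}, fmt.Errorf("bad source CIDR %q: %w", sourceCIDR, err)
	}
	return IngressRule{
		Description: "SSH from admin address",
		Protocol:    tcp,
		Source:      sourceCIDR,
		SourceType:  "CIDR_BLOCK",
		TCPOptions:  &TCPOptions{DestinationPortRange: &PortRange{Min: 22, Max: 22}},
	}, nil
}

// HTTPSEgress builds the stateful TCP/443 egress rule that the Go toolchain
// needs to reach the module proxy and checksum database.
func HTTPSEgress() EgressRule {
	return EgressRule{
		Description:     "outbound HTTPS (Go modules, yum, git)",
		Protocol:        tcp,
		Destination:     "0.0.0.0/0",
		DestinationType: "CIDR_BLOCK",
		TCPOptions:      &TCPOptions{DestinationPortRange: &PortRange{Min: 443, Max: 443}},
	}
}

// WorldExposedSSH returns the ingress rules that admit TCP/22 from anywhere,
// the tempting default that should be narrowed to an admin CIDR.
func WorldExposedSSH(rules []IngressRule) []IngressRule {
	var hits []IngressRule
	for _, r := range rules {
		if r.Source != "0.0.0.0/0" && r.Source != "::/0" {
			continue
		}
		if r.Protocol != tcp && r.Protocol != "all" {
			continue
		}
		var pr *PortRange
		if r.TCPOptions != nil {
			pr = r.TCPOptions.DestinationPortRange
		}
		if pr == nil || (pr.Min <= 22 && pr.Max >= 22) { // no port range = all ports
			hits = append(hits, r)
		}
	}
	return hits
}

// RulesJSON renders a rule list as the JSON document the CLI expects.
func RulesJSON(rules interface{}) (string, error) {
	b, err := json.MarshalIndent(rules, "", "  ")
	return string(b), err
}

func main() {
	admin, _ := SSHIngress("203.0.113.10/32") // TEST-NET-3, stands in for your own address
	open := IngressRule{Protocol: tcp, Source: "0.0.0.0/0", SourceType: "CIDR_BLOCK",
		TCPOptions: &TCPOptions{DestinationPortRange: &PortRange{Min: 22, Max: 22}}}
	fmt.Println("rules exposing SSH to the world:", len(WorldExposedSSH([]IngressRule{admin, open})))
	in, _ := RulesJSON([]IngressRule{admin})
	out, _ := RulesJSON([]EgressRule{HTTPSEgress()})
	fmt.Println(in)
	fmt.Println(out)
}
```

Write the rendered arrays to files and pass them with `--ingress-security-rules file://ingress.json` and `--egress-security-rules file://egress.json`. One caveat: the update call replaces the whole rule list, so include the rules you want to keep, not just the new ones.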
Instance Principal Authentication
The next issue: the application needs permissions to invoke the OCI Object Storage APIs to learn about the namespace, buckets and objects. The application has been configured to use Instance Principal Authentication: the compute instance itself is the principal that calls the APIs, and this principal needs to be granted permissions.
Permissions cannot be granted to a single instance directly; the instance has to be a member of a Dynamic Group, and policies are written for that group. I need the OCID of the compute instance
so I can create the matching rule that makes this specific instance a member of a new Dynamic Group (a rule on the compartment OCID would instead admit every instance in that compartment).
The next step is to create a policy with statements that grant this dynamic group permissions on Object Storage:
When I now run the Go application again, instead of the warning I saw before, I get the output I expect. Thanks to the Dynamic Group and its policies, the instance now has permission to act against Object Storage, and the application, using the instance principal, can look up buckets and create objects. No API key or config file is stored on the VM for this; that is the point of instance principals.
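To tie the three pieces together (finding the instance OCID from inside the VM, the dynamic group matching rule, and least-privilege policy statements for Object Storage), here is an added Go example that is not the post's own application. The group name `go-instance-principals`, the compartment name `dev` and the constructed sample metadata document are assumptions. The actual certificate-based token exchange is left to the OCI Go SDK (`auth.InstancePrincipalConfigurationProvider()`); the code below only shows where the instance's identity comes from and what to grant it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// IMDSBase is the OCI instance metadata service. It is link-local, so it is
// only reachable from inside a compute instance (not from Cloud Shell or a laptop).
const IMDSBase = "http://169.254.169.254"

// InstanceMetadata holds the fields of /opc/v2/instance/ that are used here.
type InstanceMetadata struct {
	ID            string `json:"id"`
	CompartmentID string `json:"compartmentId"`
	DisplayName   string `json:"displayName"`
	Region        string `json:"region"`
}

// ParseInstanceMetadata decodes the IMDS document and sanity-checks the OCID.
func ParseInstanceMetadata(r io.Reader) (*InstanceMetadata, error) {
	var md InstanceMetadata
	if err := json.NewDecoder(r).Decode(&md); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(md.ID, "ocid1.instance.") {
		return nil, fmt.Errorf("unexpected instance OCID %q", md.ID)
	}
	return &md, nil
}

// FetchInstanceMetadata asks IMDS v2 who this instance is. v2 rejects requests
// without the "Authorization: Bearer Oracle" header, which keeps SSRF-style
// relays that cannot set headers from reading it. The OCI SDK's instance
// principal provider uses the same service (/opc/v2/identity/) to obtain the
// instance's identity certificate and key, which it trades for a session token.
func FetchInstanceMetadata(baseURL string) (*InstanceMetadata, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(baseURL, "/")+"/opc/v2/instance/", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer Oracle")
	client := &http.Client{Timeout: 3 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("IMDS unreachable (not inside an OCI instance?): %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("IMDS returned HTTP %d", resp.StatusCode)
	}
	return ParseInstanceMetadata(resp.Body)
}

// DynamicGroupRule returns the matching rule for the dynamic group. Matching on
// the instance OCID admits exactly this VM; matching on the compartment admits
// every instance in it, which is broader than one test VM needs.
func DynamicGroupRule(md *InstanceMetadata, singleInstance bool) string {
	if singleInstance {
		return fmt.Sprintf("instance.id = '%s'", md.ID)
	}
	return fmt.Sprintf("instance.compartment.id = '%s'", md.CompartmentID)
}

// ObjectStoragePolicy returns statements for what the post's application does:
// resolve the namespace, list buckets, and create objects. The where clause
// keeps the verb "manage" from also granting read, overwrite and delete.
func ObjectStoragePolicy(group, compartment string) []string {
	return []string{
		fmt.Sprintf("Allow dynamic-group %s to read objectstorage-namespaces in tenancy", group),
		fmt.Sprintf("Allow dynamic-group %s to read buckets in compartment %s", group, compartment),
		fmt.Sprintf("Allow dynamic-group %s to manage objects in compartment %s where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}", group, compartment),
	}
}

// constructed IMDS document (not a real instance), used when IMDS is unreachable
const sampleIMDS = `{"id":"ocid1.instance.oc1.eu-amsterdam-1.example","compartmentId":"ocid1.compartment.oc1..example","displayName":"dev-vm","region":"eu-amsterdam-1"}`

func main() {
	md, err := FetchInstanceMetadata(IMDSBase)
	if err != nil {
		fmt.Printf("%v; falling back to the constructed sample document\n", err)
		md, _ = ParseInstanceMetadata(strings.NewReader(sampleIMDS))
	}
	fmt.Println("dynamic group matching rule:", DynamicGroupRule(md, true))
	for _, s := range ObjectStoragePolicy("go-instance-principals", "dev") {
		fmt.Println(s)
	}
}
```

Running this on the VM prints the rule to paste into the dynamic group and the three policy statements; running it anywhere else prints the IMDS error and uses the sample document. If the application only ever writes to one bucket, `target.bucket.name` in the where clause narrows the objects statement further.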
VS Code against OCI Instance
Something I was not aware of at first – and that is quite useful: using the VS Code Remote SSH extension, I can work in my local VS Code IDE directly against the file system of the Compute Instance as well as open terminal sessions in the same way as I can open local terminal sessions.
This article – Development Setup on OCI https://blogs.oracle.com/pcoe/post/development-setup-on-oci – describes in detail how to set this up. I believe even more is possible: VS Code is named as one of the tools installed in the Cloud Developer image. But I do not know how to leverage it and I have not been able to dig information up on the internet regarding this.
Here are the steps I took myself:
Install Remote SSH Extension in VS Code
Click on the SSH FS icon
Create a new configuration
And provide details for the Compute Instance – Public IP address, username (opc on Oracle Linux images) and private key file:
With this in place, I can open terminal windows and also explore the file system of the remote OCI Compute Instance from my local VS Code environment:
This makes editing files so much easier than using vi…
OCI Tutorial – Launching Your First Linux Instance – https://docs.oracle.com/en-us/iaas/Content/GSG/Reference/overviewworkflow.htm#Tutorial__Launching_Your_First_Linux_Instance
OCI Docs – Compute – Creating an Instance – https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/launchinginstance.htm
OCI Docs – Connecting to an instance – https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/accessinginstance.htm
OCI Docs – Oracle Linux Cloud Developer images – https://docs.oracle.com/en-us/iaas/oracle-linux/developer/index.htm
Oracle Blogs – Fast track Oracle Linux 8 development using the Oracle Linux Cloud Developer image – https://blogs.oracle.com/cloud-infrastructure/post/fast-track-oracle-linux-8-development-using-the-oracle-linux-cloud-developer-image – introducing the image and its constituents. Also describing the process of provisioning.
Oracle Blogs – Development Setup on OCI – https://blogs.oracle.com/pcoe/post/development-setup-on-oci – using VS Code against the instance over Remote SSH