OCI Resource Access Management with Customer Secret Keys

Question

Pulumi · Accepted Answer

To manage resource access within Oracle Cloud Infrastructure (OCI), you can use customer secret keys, which allow for authentication and access to OCI resources. These customer secret keys are essentially used with the OCI APIs to sign the requests. By doing this, the requests are authenticated, and the identity of the requestor can be verified.

When managing resource access, you want to ensure that only authorized users and applications can perform operations on your cloud resources. With Pulumi, you can automate the provisioning and management of these access controls.

Using Pulumi's OCI provider, you can create a `CustomerSecretKey` resource that represents a secret key associated with a user in OCI's Identity and Access Management (IAM) service. A secret key consists of a pair of an Access Key ID and a Secret Access Key. When paired with the corresponding user OCID (Oracle Cloud Identifier), these keys can be used to securely access OCI services.

In the following Pulumi Python program, we'll create a `CustomerSecretKey` for a specified user in OCI. Before running the following program, ensure you have Pulumi CLI installed and configured with your OCI credentials.

```python
import pulumi
import pulumi_oci as oci

# Note: Replace 'oci_user_id' with the OCID of the OCI user for whom you're creating the customer secret key.
oci_user_id = 'ocid1.user.xxxxxx'

# Creating a customer secret key for an OCI user
customer_secret_key = oci.identity.CustomerSecretKey("myCustomerSecretKey",
                                                     user_id=oci_user_id,
                                                     display_name="MyCustomerSecretKeyName")

# Export the details of the customer secret key to access them outside Pulumi
pulumi.export('customer_secret_key_id', customer_secret_key.id)
pulumi.export('customer_secret_key_access_key', customer_secret_key.key_id)
pulumi.export('customer_secret_key_user_id', customer_secret_key.user_id)

```
In this program:

- We import the required Pulumi modules. Here it's `pulumi` itself and `pulumi_oci` which is the Pulumi provider for OCI.

- We define the `oci_user_id` which should be the OCID of the existing OCI user you wish to create a secret key for. Be sure to replace `'ocid1.user.xxxxxx'` with the actual user OCID.

- We create an instance of `oci.identity.CustomerSecretKey`. When instantiated, Pulumi will call the OCI API to create a new customer secret key associated with the specified user. We provide `user_id` which is mandatory and `display_name` which is optional and helps identify the key.

- Finally, we export the customer secret key's `id`, `key_id`, and `user_id`, so they can be accessed easily outside of Pulumi. For example, this can be used in CI/CD pipelines or scripts.

Remember to handle sensitive information such as secret keys securely and in accordance with your organization's security policies. Additionally, keys should be rotated regularly and decommissioned when no longer in use to reduce the risk of unauthorized access.

To run the program, you would save it in a file (e.g., `oci_customer_secret_key.py`), set up your environment with the appropriate OCI configuration, and then run `pulumi up` to deploy the resources with Pulumi. The command will also display the exported output values once the resources have been provisioned.

For complete documentation on managing resources in Oracle Cloud Infrastructure using Pulumi, you can refer to the [Pulumi OCI Documentation](https://www.pulumi.com/registry/packages/oci/).