Authentication for OCI Functions by Storing Customer Secret Keys

Question

Pulumi · Accepted Answer

To set up authentication for Oracle Cloud Infrastructure (OCI) Functions using customer secret keys, you need to follow a series of steps that include creating and managing credentials securely within the OCI Identity and Access Management (IAM) service. The credentials normally consist of a User associated with a Customer Secret Key. Functions then can use these keys to authenticate to OCI services that they need to interact with.

Below I will provide a Pulumi program written in Python to create an OCI Function and set it up with a Customer Secret Key for authentication purposes. In this program, we will use the following resources:

- `oci.Identity.User`: This resource creates a new user within OCI. It specifies the details of the user who owns the secret key.
- `oci.Identity.CustomerSecretKey`: The resource to create a customer secret key associated with the user. The secret key credentials are used to authenticate the user when calling OCI APIs.

The program outlines how to set up a user and secret key in OCI, and then demonstrates how to store that key securely.

Before running this Pulumi program, ensure that you have the appropriate OCI provider configuration set up, including required permissions to manage IAM resources.

Here is the Pulumi Python program to achieve this:

```python
import pulumi
import pulumi_oci as oci

# Create a user in OCI's Identity service that will be associated with the function
user = oci.identity.User("functionUser",
    description="User to authenticate the function",
    name="function-user")

# Create a Customer Secret Key for the user, which will be used to authenticate with OCI services
customer_secret_key = oci.identity.CustomerSecretKey("functionUserKey",
    user_id=user.id,
    display_name="function-user-key")

# Output the user and secret key information
pulumi.export("user_id", user.id)
pulumi.export("customer_secret_key_id", customer_secret_key.id)
```

This program initializes a Pulumi stack and programmatically creates new resources in OCI. Here's what each part does:

1. Use the `pulumi_oci` package to interact with OCI.
2. Create a new OCI user with the `oci.identity.User` resource, which can be referenced by other resources or outputs.
3. Generate a `CustomerSecretKey` for the user using `oci.identity.CustomerSecretKey`, providing access to OCI services where necessary.
4. Export the ID of the user and the Customer Secret Key as stack outputs. This allows you to obtain these values easily after the deployment, for auditing or for use in other operations or scripts.

Note: The actual secret key value is not exported for security reasons. You can access the secret key through the OCI console or OCI CLI immediately after creation, and then store it securely, following the best practices for secret management.

After you deploy this stack, the subsequent functions or services that require authentication will use the provided user's credentials for access control.

To run this program, save it to a file, for example, `oci_auth.py`, set up your Pulumi stack and OCI configuration, and then execute the command `pulumi up` to create the resources.