Authenticating AI Application Users with OCI Identity API Keys

Question

Pulumi · Accepted Answer

To authenticate application users using API keys with Oracle Cloud Infrastructure (OCI), we first need to understand the concept. API keys in OCI are used as a way to allow scripts and command-line interfaces to authenticate with OCI services without using a username and password.

In this scenario, we assume you want to provide your AI application the ability to authenticate as a user through the OCI Identity service using API keys. This requires creating a user in OCI, generating an API key for that user, and uploading the public part of the API key to OCI.

The main resource we will be using is `oci.Identity.ApiKey`, which allows us to create an API key for a specific OCI user. Here's how you might set up these resources using Pulumi's Python SDK.

Here's the basic program structure to achieve this:

1. Create an OCI user using `oci.Identity.User`.
2. Generate an API key pair locally - Note that this step typically occurs outside of Pulumi. You must generate an API key pair on your local system or wherever you are running your Pulumi application. Usually, this involves using `openssl` or another cryptography tool.
3. Upload the public API key to OCI using the `oci.Identity.ApiKey` resource.

Below is the detailed python program using Pulumi:

```python
import pulumi
import pulumi_oci as oci

# Step 1: Create an OCI User
# This user represents the identity to which the API Key will be associated.
# Modify the 'name', 'description', and 'compartment_id' as per your requirements.
user = oci.identity.User("ai_app_user",
    name="ai_app_user",  # A name for the user, usually descriptive
    description="User for AI application authentication"
)

# Normally, you would generate your API key pair outside of your Pulumi application, 
# this is a necessary manual step:
# $ openssl genrsa -out oci_api_key.pem 2048
# $ openssl rsa -pubout -in oci_api_key.pem -out oci_api_key_public.pem

# Step 2: Read in the public key value from a file
# This public key should be the result of your `openssl` key generation command.
with open('oci_api_key_public.pem', 'r') as key_file:
    public_key = key_file.read()

# Step 3: Upload the public key as part of the OCI Identity ApiKey resource.
# 'user_id' is obtained from the user resource created above.
api_key = oci.identity.ApiKey("ai_app_api_key",
    user_id=user.id,
    key_value=public_key
)

# Export the created API key's fingerprint which is required for authentication in OCI services.
pulumi.export("api_key_fingerprint", api_key.fingerprint)
```

You would replace `'oci_api_key_public.pem'` with the path to your public key file.

**NOTE**: The private key that pairs with this public key should be handled securely as it provides programmatic access to OCI as the user it was created for. Never commit it to source control or share it.

Once you have the API key set up, your application can use it to make authenticated calls to OCI services by signing the request with the private part of the API key. The exact details of how to sign the request depend on the API and the programming language you are using.

Ensure that the Pulumi CLI is set up with the necessary OCI configurations to run the program effectively, and OCI permissions are in place to create users and upload API keys.

Remember to replace placeholders like `'oci_api_key_public.pem'` and `'compartment_id'` with your actual file path and OCI compartment ID. If you're handling multiple environments or users, you should manage these configurations securely, for example, using Pulumi's configuration system or environment variables, and not hard-code them into your source code.