Managing Service Account Keys for AI Services on OCI

Question

Pulumi · Accepted Answer

When managing cloud infrastructure, service accounts are vital for carrying out operations and accessing resources programmatically. They allow automated processes like continuous deployment pipelines, monitoring systems, or AI services to interact with cloud resources securely.

In the context of Oracle Cloud Infrastructure (OCI), service accounts are represented by user accounts that are used by applications (rather than individuals) to interact with OCI services. Service account keys are credentials associated with these accounts that can authenticate and authorize access to OCI resources.

To manage service account keys for AI services on OCI with Pulumi, we can use the `oci` Pulumi provider. This provider enables the management of OCI resources with infrastructure as code, which includes creating service accounts and managing their keys.

Here's a program in Python that demonstrates how to create a service account and generate a key for it:

```python
import pulumi
import pulumi_oci as oci

# Create a new Compartment for the service account
compartment = oci.identity.Compartment("aiCompartment",
                                       description="Compartment for AI service account",
                                       enable_delete=True)

# Create the service account (also known as a user in OCI terms)
service_account = oci.identity.User("aiServiceAccount",
                                    description="Service Account for AI services",
                                    compartment_id=compartment.id)

# Generate a new API signing key for the service account
api_key = oci.identity.ApiKey("aiServiceAccountApiKey",
                              user_id=service_account.id,
                              key_value=pulumi.Output.secret("KEY_VALUE_HERE")) # Replace `KEY_VALUE_HERE` with the actual private key value

# Export the user OCID and the generated key OCID
pulumi.export("user_ocid", service_account.id)
pulumi.export("api_key_fingerprint", api_key.fingerprint)
```

In this program:

- We start by importing the necessary modules from Pulumi and the oci provider.
- We create a new OCI compartment called `aiCompartment` which serves as a logical isolation container to organize resources.
- Then, we create a new OCI user called `aiServiceAccount` inside the compartment. This user represents the service account for AI services.
- Once the service account is created, we use the `oci.identity.ApiKey` class to generate an API signing key which is necessary for the service account to authenticate against OCI APIs.
- `key_value` should be set to the private key that corresponds to the public key uploaded to OCI. For security, this value is kept secret using `pulumi.Output.secret`.
- Finally, we export the `user_ocid` and `api_key_fingerprint` for reference outside of Pulumi, which could be useful in CI/CD pipelines or other automation tools.

This program sets the stage for your AI-related automation by providing it with a dedicated identity and secure means of interacting with the necessary OCI services. For real-world usage, you would replace `"KEY_VALUE_HERE"` with actual sensitive information, ensuring proper security practices, like storing such values in a secure secrets management system rather than hardcoding them in your Pulumi code.