The Oracle Cloud Infrastructure (OCI) provider for Pulumi uses the OCI SDK to manage and provision resources.


The OCI provider is available as a package in all Pulumi languages:

Configuring Credentials

Pulumi relies on the OCI SDK to authenticate requests from your computer to OCI. Your credentials are never sent to Pulumi.

Use the Required Keys and OCIDs chapter of the OCI Developer Guide to learn:

Once you have generated an API signing key pair and have your tenancy and user OCIDs you can make them available using either environment variables or Pulumi configuration.

Environment Variables

export TF_VAR_tenancy_ocid="ocid1.tenancy.oc1..<unique_ID>"
export TF_VAR_user_ocid="ocid1.user.oc1..<unique_ID>"
export TF_VAR_fingerprint="<key_fingerprint>"
export TF_VAR_region="us-ashburn-1"
export TF_VAR_private_key_path="/path/to/oci_api_key.pem"

Pulumi Configuration

If you prefer to store the credentials alongside your Pulumi stack for multi-user access:

pulumi config set oci:tenancyOcid "ocid1.tenancy.oc1..<unique_ID>" --secret
pulumi config set oci:userOcid "ocid1.user.oc1..<unique_ID>" --secret
pulumi config set oci:fingerprint "<key_fingerprint>" --secret
pulumi config set oci:region "us-ashburn-1"
# Set the private key from standard input to retain the format
cat "~/.oci/oci_api_key.pem" | pulumi config set oci:privateKey --secret

Remember to pass --secret when setting oci:secretKey so that it is properly encrypted.

Configuration options

The following configuration options are available for the oci provider:

OptionEnvironment variableDescription
oci:tenancyOcidTF_VAR_tenancy_ocidOCID of your tenancy.
oci:userOcidTF_VAR_user_ocidOCID of the user calling the API.
oci:privateKeyTF_VAR_private_keyThe contents of the private key file. Required if privateKeyPath is not defined and takes precedence if both are defined.
oci:privateKeyPathTF_VAR_private_key_pathThe path (including filename) of the private key stored on your computer. Required if privateKey is not defined.
oci:privateKeyPasswordTF_VAR_private_key_passwordPassphrase used for the key, if it is encrypted.
oci:fingerprintTF_VAR_fingerprintFingerprint for the key pair being used.
oci:regionTF_VAR_regionAn OCI region.
oci:configFileProfileTF_VAR_config_file_profileThe custom profile to use instead of the DEFAULT profile in .oci/config.