This guide shows how to create a new API Signing Key Pair, which is required to use the Oracle Cloud Infrastructure REST API.
Before you start, it is recommended that you create a dedicated service admin user for Oracle Cloud Infrastructure, instead of using your Oracle Cloud superuser. See: Service administrator account best practice, if needed.
Oracle Cloud Infrastructure exposes a comprehensive REST API to manage OCI resources and configurations. Every successful API call results in a management task being performed on behalf of a particular user defined in OCI. OCI must know how to associate an OCI REST API request with a particular user. This is done through signing the requests.
Signing a request is a multi-step process that can be seen as non-trivial. First, parts of the request are used to compose the signing string. Next, a private key is used to create the signature from the signing string. Finally, the signature is added together with some metadata to the Authorization header of the request. In order to authenticate the client and authorize the requested operation, the corresponding public key has to be uploaded and associated with the given OCI user.
Generating the key pair
We will use the openssl program to generate the API Signing Key Pair. We are going to employ the RSA algorithm, use the recommended 2048 bits and generate the keys in PEM format. You will be prompted twice to enter a new passphrase for the newly generated key. Remember to restrict access to the private key.
    $ openssl genrsa -out apiuser.pem -aes128 2048
    Generating RSA private key, 2048 bit long modulus
    .............+++
    ..+++
    e is 65537 (0x10001)
    Enter pass phrase for apiuser.pem:
    Verifying - Enter pass phrase for apiuser.pem:
    $ chmod go-r apiuser.pem
    $ ls -l | grep pem
    -rw------- 1 michal staff 1766 Oct 3 21:24 apiuser.pem
    $ openssl rsa -pubout -in apiuser.pem -out apiuser.pem.pub
    Enter pass phrase for apiuser.pem:
    writing RSA key
    $ ls -l | grep pem
    -rw------- 1 michal staff 1766 Oct 3 21:24 apiuser.pem
    -rw-r--r-- 1 michal staff 451 Oct 3 21:26 apiuser.pem.pub
    $ cat apiuser.pem.pub
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2UEWK5p5bX50/IyBsFke
    VbhCLta42J5IgfMmLN7FRjOGT+CbL6aYHfRgNxvUgWqSYGbwgtNvOnp7Fre397Sa
    qYVcH3w0R2O1WbQJJJmuqNhjQ01N48odN49nqeZQF9ED7SshBM+fAU7Dtt9XTuYG
    5wnpK0DRlw4BFwfXoaLQJ4Gxhpsr2eA/JMCpJs4dFIEjTMshQBQ9JLYxBAo8cU6Z
    s5kwRG7ZpygLVRGbpUiu4Iwu5fm2DhWNLQRHGBTjMFM9EfWRBawIoKHXBUMIQB4t
    GMMqA7dFpKlJRhAPrM/Ai0k4fCNJOKfzLLTDOC3DGDcEZlljh17MiCApHWoHnewS
    iQIDAQAB
    -----END PUBLIC KEY-----
Uploading the public key
- Go to Identity ➟ Users and select the user you would like to be “api-enabled”.
- Click on Add Public Key and paste the newly generated public key.
You will also need the fingerprint of the key to sign the requests. The fingerprint for each associated public key can be found in the API Keys tab.
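The three signing steps described earlier, together with a local computation of the key fingerprint, as an added example that is not part of the original guide. It assumes OCI's documented HTTP Signature scheme (version "1", rsa-sha256, keyId made of tenancy OCID, user OCID and fingerprint), which this page does not spell out; the OCIDs, host and path are constructed placeholders and the key is an unencrypted throwaway generated on the spot.

```sh
#!/bin/sh
# Added example: sign a GET request following the three steps described in this guide.
# OCIDs, host and path are constructed placeholders; the key is a throwaway.

# Fingerprint as shown in the API Keys tab: MD5 over the DER public key.
oci_fingerprint() {  # $1 = private key PEM (add -passin for an encrypted key)
  openssl rsa -in "$1" -pubout -outform DER 2>/dev/null |
    openssl md5 -c | awk '{print $NF}'
}

# Step 1: signing string, one "name: value" line per signed header.
signing_string() {  # $1 = lowercase method, $2 = path+query, $3 = date, $4 = host
  printf '(request-target): %s %s\ndate: %s\nhost: %s' "$1" "$2" "$3" "$4"
}

# Step 2: RSA-SHA256 signature over stdin, base64 on a single line.
sign_b64() {  # $1 = private key PEM
  openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Step 3: Authorization header; the headers list must match the signing string.
authorization_header() {  # $1 = keyId (tenancy/user/fingerprint), $2 = signature
  printf 'Signature version="1",keyId="%s",algorithm="rsa-sha256",' "$1"
  printf 'headers="(request-target) date host",signature="%s"' "$2"
}

# Local check: does the signature verify against the public key uploaded to OCI?
verify_b64() {  # $1 = public key PEM, $2 = signing string, $3 = base64 signature
  vsig=$(mktemp)
  printf '%s' "$3" | openssl base64 -d -A > "$vsig"
  printf '%s' "$2" | openssl dgst -sha256 -verify "$1" -signature "$vsig" >/dev/null 2>&1
  vrc=$?
  rm -f "$vsig"
  return "$vrc"
}

demo() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
  openssl rsa -in "$d/key.pem" -pubout -out "$d/key.pub" 2>/dev/null
  kid="ocid1.tenancy.oc1..exampletenancy/ocid1.user.oc1..exampleuser/$(oci_fingerprint "$d/key.pem")"
  now=$(LC_ALL=C date -u '+%a, %d %b %Y %H:%M:%S GMT')
  str=$(signing_string get "/20160918/instances?compartmentId=example" "$now" "iaas.example-region-1.oraclecloud.com")
  sig=$(printf '%s' "$str" | sign_b64 "$d/key.pem")
  printf 'Authorization: %s\n' "$(authorization_header "$kid" "$sig")"
  verify_b64 "$d/key.pub" "$str" "$sig" && echo "signature verifies"
  rm -rf "$d"
}
demo
```

Comparing the output of `oci_fingerprint` with the value shown in the API Keys tab confirms that the private key on disk matches the public key that was uploaded.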