OCI #4 – API Signing Key

This guide shows how to create a new API Signing Key Pair, which is required to use the Oracle Cloud Infrastructure REST API.

Before you start, it is recommended that you create a dedicated service admin user for Oracle Cloud Infrastructure, instead of using your Oracle Cloud superuser. See: Service administrator account best practice, if needed.

Oracle Cloud Infrastructure exposes a comprehensive REST API to manage OCI resources and configurations. Every successful API call results in a management task being performed on behalf of a particular user defined in OCI. OCI must know how to associate an OCI REST API request with a particular user. This is done through signing the requests.

Signing a request is a multi-step process that can be seen as non-trivial. First, parts of the request are used to compose the signing string. Next, a private key is used to create the signature from the signing string. Finally, the signature is added together with some metadata to the Authorization header of the request. In order to authenticate the client and authorize the requested operation, the corresponding public key has to be uploaded and associated with the given OCI user.

Generating the key pair

We will use the openssl program to generate the API Signing Key Pair. We are going to employ the RSA algorithm, use the recommended 2048 bits and generate the keys in PEM format. You will be prompted twice to enter a new passphrase for the newly generated key. Remember to restrict access to the private key.

$ openssl genrsa -out apiuser.pem -aes128 2048
Generating RSA private key, 2048 bit long modulus
.............+++
..+++
e is 65537 (0x10001)
Enter pass phrase for apiuser.pem:
Verifying - Enter pass phrase for apiuser.pem:
$ chmod go-r apiuser.pem
$ ls -l | grep pem
-rw-------    1 michal  staff     1766 Oct  3 21:24 apiuser.pem
$ openssl rsa -pubout -in apiuser.pem -out apiuser.pem.pub
Enter pass phrase for apiuser.pem:
writing RSA key
$ ls -l | grep pem
-rw-------    1 michal  staff     1766 Oct  3 21:24 apiuser.pem
-rw-r--r--    1 michal  staff      451 Oct  3 21:26 apiuser.pem.pub
$ cat apiuser.pem.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2UEWK5p5bX50/IyBsFke
VbhCLta42J5IgfMmLN7FRjOGT+CbL6aYHfRgNxvUgWqSYGbwgtNvOnp7Fre397Sa
qYVcH3w0R2O1WbQJJJmuqNhjQ01N48odN49nqeZQF9ED7SshBM+fAU7Dtt9XTuYG
5wnpK0DRlw4BFwfXoaLQJ4Gxhpsr2eA/JMCpJs4dFIEjTMshQBQ9JLYxBAo8cU6Z
s5kwRG7ZpygLVRGbpUiu4Iwu5fm2DhWNLQRHGBTjMFM9EfWRBawIoKHXBUMIQB4t
GMMqA7dFpKlJRhAPrM/Ai0k4fCNJOKfzLLTDOC3DGDcEZlljh17MiCApHWoHnewS
iQIDAQAB
-----END PUBLIC KEY-----

Uploading the public key

  1. Go to Identity ➟ Users and select the user you would like to be “api-enabled”.
  2. Click on Add Public Key and paste the newly generated public key.

You will also need the fingerprint of the key to sign the requests. The fingerprint for each associated public key can be found in the API Keys tab.
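
The three signing steps described earlier and the fingerprint lookup, carried out with openssl as an added example (not code from the original post). The function names are hypothetical, the OCIDs, host, path and date are constructed placeholders, and the throwaway demo key is left unencrypted so the script runs without a passphrase prompt.

```shell
#!/usr/bin/env bash
# Added example: OCI request signing with openssl. OCIDs, host and date are placeholders.

# Fingerprint as listed in the API Keys tab: MD5 of the DER public key, colon-separated hex.
key_fingerprint() {  # $1 = private key PEM (unencrypted here; a protected key prompts)
  openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl md5 -c | awk '{print $NF}'
}

# Step 1: signing string for a GET, one "name: value" line per signed header, no final newline.
signing_string() {  # $1 = method, $2 = path with query, $3 = host, $4 = date header value
  printf '(request-target): %s %s\ndate: %s\nhost: %s' \
    "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2" "$4" "$3"
}

# Step 2: RSA-SHA256 signature over the signing string, base64 on one line.
sign_string() {  # $1 = private key PEM, $2 = signing string
  printf '%s' "$2" | openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Step 3: Authorization header value; keyId is tenancy OCID / user OCID / fingerprint.
authorization_header() {  # $1 = key, $2 = tenancy OCID, $3 = user OCID, $4 = signing string
  printf 'Signature version="1",keyId="%s/%s/%s",algorithm="rsa-sha256",' \
    "$2" "$3" "$(key_fingerprint "$1")"
  printf 'headers="(request-target) date host",signature="%s"' "$(sign_string "$1" "$4")"
}

# What the service does with the uploaded public key: verify the signature over the same string.
verify_signature() (  # $1 = public key PEM, $2 = signing string, $3 = base64 signature
  sig=$(mktemp); rc=0
  printf '%s' "$3" | openssl base64 -d -A > "$sig"
  printf '%s' "$2" | openssl dgst -sha256 -verify "$1" -signature "$sig" >/dev/null 2>&1 || rc=$?
  rm -f "$sig"
  exit "$rc"
)

# Demo with a throwaway key pair and constructed request values.
demo_dir=$(mktemp -d)
openssl genrsa -out "$demo_dir/demo.pem" 2048 2>/dev/null
openssl rsa -in "$demo_dir/demo.pem" -pubout -out "$demo_dir/demo.pem.pub" 2>/dev/null
demo_str=$(signing_string GET '/20160918/instances?compartmentId=PLACEHOLDER' \
  'iaas.example-region.example.com' 'Thu, 03 Oct 2019 19:30:00 GMT')
echo "Authorization: $(authorization_header "$demo_dir/demo.pem" \
  'ocid1.tenancy.oc1..PLACEHOLDER' 'ocid1.user.oc1..PLACEHOLDER' "$demo_str")"
```

The order of names in `headers="..."` has to match the order of lines in the signing string, and any change to the signed request parts after signing makes verification fail.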
