OCI #4 – API Signing Key

This guide shows how to create a new API Signing Key Pair, which is required to use the Oracle Cloud Infrastructure REST API.

Before you start, it is recommended that you create a dedicated service admin user for Oracle Cloud Infrastructure, instead of using your Oracle Cloud superuser. See: Service administrator account best practice, if needed.

Oracle Cloud Infrastructure exposes a comprehensive REST API to manage OCI resources and configurations. Every successful API call results in a management task being performed on behalf of a particular user defined in OCI. OCI must know how to associate an OCI REST API request with a particular user. This is done through signing the requests.

Signing a request is a multi-step process that can be seen as non-trivial. First, parts of the request are used to compose the signing string. Next, a private key is used to create the signature from the signing string. Finally, the signature is added together with some metadata to the Authorization header of the request. In order to authenticate the client and authorize the requested operation, the corresponding public key has to be uploaded and associated with the given OCI user.

Generating the key pair

We will use the openssl program to generate the API Signing Key Pair. We are going to employ the RSA algorithm, use the recommended 2048 bits and generate the keys in PEM format. You will be prompted twice to enter a new passphrase for the newly generated key. Remember to restrict access to the private key file so that only your own user can read it.

$ openssl genrsa -out apiuser.pem -aes128 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for apiuser.pem:
Verifying - Enter pass phrase for apiuser.pem:
$ chmod go-r apiuser.pem
$ ls -l | grep pem
-rw-------    1 michal  staff     1766 Oct  3 21:24 apiuser.pem
$ openssl rsa -pubout -in apiuser.pem -out apiuser.pem.pub
Enter pass phrase for apiuser.pem:
writing RSA key
$ ls -l | grep pem
-rw-------    1 michal  staff     1766 Oct  3 21:24 apiuser.pem
-rw-r--r--    1 michal  staff      451 Oct  3 21:26 apiuser.pem.pub
$ cat apiuser.pem.pub
-----END PUBLIC KEY-----

Uploading the public key

  1. Go to Identity ➟ Users and select the user you would like to be “api-enabled”.
  2. Click on Add Public Key and paste the newly generated public key.


You will also need the fingerprint of the key to sign the requests. The fingerprint for each associated public key can be found in the API Keys tab.
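
The three signing steps described earlier, together with a local fingerprint calculation to compare against the API Keys tab, as an added example (not code from the original guide or from Oracle). It assumes the signed-header order `date (request-target) host` for a GET without a body and that the fingerprint is the colon-separated MD5 of the DER-encoded public key; the OCIDs, host and path are placeholders, and the key is a throwaway one generated without a passphrase.

```shell
#!/bin/sh
# Added example: offline walk-through of OCI request signing using openssl.
set -eu
umask 077   # anything written below (key, signature) is owner-only

# Fingerprint as shown in the API Keys tab: MD5 over the DER-encoded public key.
oci_fingerprint() {        # $1 = private key (PEM)
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -md5 -c | sed 's/^.*= *//'
}

# Step 1: signing string, one "name: value" line per signed header, in the
# order declared in headers="..." and without a trailing newline.
signing_string() {         # $1 method  $2 path+query  $3 host  $4 date
    printf 'date: %s\n(request-target): %s %s\nhost: %s' \
        "$4" "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$2" "$3"
}

# Step 2: RSA-SHA256 signature over the signing string, base64 on one line.
sign_b64() {               # $1 = private key, stdin = signing string
    openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Step 3: signature plus metadata for the Authorization header.
authorization_header() {   # $1 = keyId (tenancy/user/fingerprint)  $2 = signature
    printf 'Signature version="1",keyId="%s",algorithm="rsa-sha256",' "$1"
    printf 'headers="date (request-target) host",signature="%s"' "$2"
}

# What the service does with the uploaded public key: verify the signature.
verify_sig() {             # $1 = public key  $2 = base64 signature, stdin = signing string
    printf '%s' "$2" | openssl base64 -d -A > "$WORK/sig.bin"
    openssl dgst -sha256 -verify "$1" -signature "$WORK/sig.bin" >/dev/null
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Throwaway demo key without a passphrase; use your own apiuser.pem in practice.
openssl genrsa -out "$WORK/demo.pem" 2048 2>/dev/null
openssl pkey -in "$WORK/demo.pem" -pubout -out "$WORK/demo.pem.pub"

KEY_ID_PREFIX='ocid1.tenancy.oc1..EXAMPLE/ocid1.user.oc1..EXAMPLE'   # placeholder OCIDs
FP=$(oci_fingerprint "$WORK/demo.pem")
NOW=$(LC_ALL=C date -u '+%a, %d %b %Y %H:%M:%S GMT')
# Constructed request: the host and path are sample values, nothing is sent.
STR=$(signing_string GET '/20160918/instances' 'iaas.example.oraclecloud.com' "$NOW")
SIG=$(printf '%s' "$STR" | sign_b64 "$WORK/demo.pem")

printf 'fingerprint:   %s\n' "$FP"
printf 'Authorization: %s\n' "$(authorization_header "$KEY_ID_PREFIX/$FP" "$SIG")"
printf '%s' "$STR" | verify_sig "$WORK/demo.pem.pub" "$SIG" && echo 'signature verifies'
```

With the passphrase-protected apiuser.pem from this guide, openssl prompts for the passphrase each time the private key is read.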