Creating OCI Admins from the Terminal
Friday, 3 May 2024
Oracle recently migrated both my OCI tenancies to a new login system, and all 2FA was broken. This made my admin login somewhat more difficult.
Assuming you still have your OCI API keys, it’s entirely possible to create a new admin account from the comfort of your terminal. This can then be used to clean up the mess.
First up, create a user. The name isn’t important, but a valid email address is: we’ll need it to send the password enrollment request.
$ oci iam user create --name dch \
--compartment-id ocid1.tenancy.oc1..... \
--email dch@.. \
--description "My Secret Back Door"
{
"data": {
"capabilities": {
"can-use-api-keys": true,
"can-use-auth-tokens": true,
"can-use-console-password": true,
"can-use-customer-secret-keys": true,
"can-use-db-credentials": true,
"can-use-o-auth2-client-credentials": true,
"can-use-smtp-credentials": true
},
"compartment-id": "ocid1.tenancy.oc1...",
"db-user-name": null,
"defined-tags": {
"Oracle-Tags": {
"CreatedBy": "default/dch@...",
"CreatedOn": "2024-05-02T09:05:43.650Z"
}
},
"description": "My Secret Back Door",
"email": "dch@...",
"email-verified": false,
"external-identifier": "b52d9...",
"freeform-tags": {},
"id": "ocid1.user.oc1...",
"identity-provider-id": null,
"inactive-status": null,
"is-mfa-activated": false,
"last-successful-login-time": null,
"lifecycle-state": "ACTIVE",
"name": "dch",
"previous-successful-login-time": null,
"time-created": "2024-05-02T09:05:43.681000+00:00"
},
"etag": "2b623fa859be42d6bf6d4c612bf406e7"
}
Note the new id field; nothing else from this output is required.
Next up, let’s put this user into the administrators group:
$ oci iam group list
{
"data": [
{
"compartment-id": "ocid1.tenancy.oc1...",
"defined-tags": {
"Oracle-Tags": {
"CreatedBy": "identity",
"CreatedOn": "2023-10-12T01:23:42.271Z"
}
},
"description": "Administrators",
"freeform-tags": {},
"id": "ocid1.group.oc1...",
"inactive-status": null,
"lifecycle-state": "ACTIVE",
"name": "Administrators",
"time-created": "2021-06-13T13:46:05.728000+00:00"
},
{
"compartment-id": "ocid1.tenancy.oc1...",
"defined-tags": {},
"description": "A group representing all users.",
"freeform-tags": {},
"id": "ocid1.group.oc1...",
"inactive-status": null,
"lifecycle-state": "ACTIVE",
"name": "All Domain Users",
"time-created": "2023-10-12T01:23:30.423000+00:00"
}
]
}
$ oci iam group add-user \
--group-id ocid1.group.oc1... \
--user-id ocid1.user.oc1...
{
"data": {
"compartment-id": "ocid1.tenancy.oc1...",
"group-id": "ocid1.group.oc1...",
"id": "ocid1.groupmembership.oc1...",
"inactive-status": null,
"lifecycle-state": "ACTIVE",
"time-created": "2024-05-02T09:10:02.893000+00:00",
"user-id": "ocid1.user.oc1..."
}
}
Finally, upload your API signing public key.
$ oci iam user api-key upload \
--user-id ocid1.user.oc1... \
--key-file ~/.oci/api.pub
{
"data": {
"fingerprint": "12:34:56:78:9a:bc:de:f0",
"inactive-status": null,
"key-id": "ocid1.tenancy.oc1...",
"key-value": "-----BEGIN PUBLIC KEY--\n...\n-----END PUBLIC KEY-----",
"lifecycle-state": "ACTIVE",
"time-created": "2024-05-02T09:19:19.197000+00:00",
"user-id": "ocid1.user.oc1..."
},
"etag": "c280d920a78e421d95a37628daf25148"
}
Then, check your email, log in, and fix whatever you need.
Remember to set up MFA credentials, and make sure you have:
- the convenient Oracle push notification MFA
- non-Oracle MFA as well
- bypass code stored safely
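Since anyone holding a valid API key can repeat the steps above, it is worth checking periodically who sits in Administrators and whether each of them actually has MFA. The following script is an added example, not code from the post: it reads the JSON shapes shown above from constructed inline samples (assumed here to match what `oci iam user list` returns per user, and membership records in the shape of the `group add-user` response) and reports admins with no MFA, an unverified email, or no login on record.

```python
import json

# Constructed sample shaped like the `user create` output above; assumed to
# match what `oci iam user list` returns for each user.
USERS_JSON = """{"data": [
 {"id": "ocid1.user.oc1..aaaa", "name": "dch", "email-verified": false,
  "is-mfa-activated": false, "last-successful-login-time": null,
  "lifecycle-state": "ACTIVE", "capabilities": {"can-use-api-keys": true}},
 {"id": "ocid1.user.oc1..bbbb", "name": "ops", "email-verified": true,
  "is-mfa-activated": true, "last-successful-login-time": "2024-04-30T10:48:18Z",
  "lifecycle-state": "ACTIVE", "capabilities": {"can-use-api-keys": false}}
]}"""

# Constructed membership records in the shape of the `group add-user` output.
ADMIN_GROUP_ID = "ocid1.group.oc1..admins"
MEMBERSHIPS_JSON = """{"data": [
 {"id": "ocid1.groupmembership.oc1..c1", "group-id": "ocid1.group.oc1..admins",
  "user-id": "ocid1.user.oc1..aaaa", "lifecycle-state": "ACTIVE"},
 {"id": "ocid1.groupmembership.oc1..c2", "group-id": "ocid1.group.oc1..admins",
  "user-id": "ocid1.user.oc1..bbbb", "lifecycle-state": "ACTIVE"},
 {"id": "ocid1.groupmembership.oc1..c3", "group-id": "ocid1.group.oc1..other",
  "user-id": "ocid1.user.oc1..aaaa", "lifecycle-state": "ACTIVE"}
]}"""


def audit_admins(users_json, memberships_json, admin_group_id):
    """Return (user name, finding) pairs for active members of admin_group_id."""
    users = {u["id"]: u for u in json.loads(users_json)["data"]}
    admin_ids = {m["user-id"] for m in json.loads(memberships_json)["data"]
                 if m["group-id"] == admin_group_id
                 and m["lifecycle-state"] == "ACTIVE"}
    findings = []
    for uid in sorted(admin_ids):
        u = users.get(uid)
        if u is None:  # membership points at a user the listing did not return
            findings.append((uid, "admin membership for unknown user"))
            continue
        if not u["is-mfa-activated"]:
            via = " and can use API keys" if u["capabilities"]["can-use-api-keys"] else ""
            findings.append((u["name"], "no MFA" + via))
        if not u["email-verified"]:
            findings.append((u["name"], "email never verified"))
        if u["last-successful-login-time"] is None:
            findings.append((u["name"], "never logged in"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_admins(USERS_JSON, MEMBERSHIPS_JSON, ADMIN_GROUP_ID):
        print(f"{name}: {finding}")
```

Feed it the real listings by piping `oci iam user list --all` and the group's membership output into the two JSON arguments; a freshly created back-door admin like the one above shows up on all three checks.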
It’s also possible to reset passwords from the CLI:
$ oci iam user ui-password create-or-reset \
--user-id ocid1.user.oc1...
{
"data": {
"inactive-status": null,
"lifecycle-state": "ACTIVE",
"password": ".......",
"time-created": "2024-04-30T10:48:18.809000+00:00",
"user-id": "ocid1.user.oc1..."
},
"etag": "d8797afa54604bc290634901c309f108"
}