Cloud
Connect Oracle Cloud Infrastructure
Signs read-only OCI API calls (HTTP-signature, no SDK) to read Cloud Guard problems, IAM posture, compartments, resource inventory, monitoring alarms, spend, and database-service posture (availability, versions, backups) — feeding Cloud Health, Security Readiness, and the Lifecycle (EOL) inventory.
What it pulls
Authenticating user (validate), compartments, IAM users/groups/policies, Cloud Guard open problems bucketed by risk level (critical/high/medium), monitoring alarms + firing status, resource inventory count (Resource Search), Usage API last-30-day spend, and Oracle Database service posture: Autonomous Database + DB system availability, database versions (→ EOL inventory), and automatic-backup status.
What you’ll enter
The exact fields the connect form asks for — and where to find each value.
- Tenancy OCID
- OCI console → profile menu → Tenancy → copy the OCID — or take it from the configuration-file preview shown when you add the API key.
- User OCID
- The API-only user you created: Identity & Security → Domains → Users → open the user → copy its OCID.
- API key fingerprint
- Shown beside the API key after you add it to the user (colon-separated hex pairs). It identifies WHICH key signs — it must match the private key below.
- Private key (PEM)
- The .pem file downloaded when you generated the API key pair (shown once). Paste the WHOLE file including the BEGIN/END lines. Encrypted at rest; only ever used to sign read-only requests.
- Home region
- Your tenancy's home region identifier from the console's region menu (e.g. us-ashburn-1, eu-frankfurt-1).
Step-by-step setup
- 1
Create a read-only IAM group and policy
OCI console → Identity & Security → Domains → your domain → Groups → create a group (e.g. shipready-metrics-readonly). Then Identity & Security → Policies → Create Policy (in the root compartment) with read-only statements such as: “Allow group shipready-metrics-readonly to inspect all-resources in tenancy”, plus “… to read cloud-guard-family in tenancy”, “… to read database-family in tenancy”, “… to read usage-reports in tenancy”, “… to read metrics in tenancy”, and “… to read alarms in tenancy”. Never grant manage or use verbs.
- 2
Create an API-only user in that group
Domains → your domain → Users → Create user (e.g. shipready-metrics). Skip console password setup — this is an API-only identity. Add it to the read-only group from step 1.
- 3
Add an API signing key and copy the config values
Open the user → API keys → Add API key → Generate API key pair → Download private key (a .pem file, shown once), then Add. The console shows a configuration-file preview — copy the tenancy OCID (ocid1.tenancy…), user OCID (ocid1.user…), the key fingerprint (aa:bb:…), and your region identifier (e.g. us-ashburn-1) from it.
- 4
Enable Cloud Guard for security posture (recommended)
Identity & Security → Cloud Guard → Enable, monitoring the root compartment. Without Cloud Guard the connector still syncs IAM, inventory, spend, and database posture — security posture shows as unmeasured, never a fake clean score.
- 5
Enter the five values and connect
Fill tenancy OCID, user OCID, key fingerprint, the private key PEM (paste the whole .pem file), and region, then click Connect — we validate the signing key live against Identity, encrypt the key at rest, and run the first read-only sync.
Compliance evidence
Signals this connector collects that support audit-readiness evidence across SOC 2, ISO 27001, NIST CSF, CIS, PCI DSS, and SOX programs. This documents coverage — evidence acceptance always stays with your human reviewers.
- IAM users, groups, and policies
- Access Control
- Cloud Guard problems (security posture)
- Cloud Security Monitoring & Detection
- Monitoring alarms + firing status
- Monitoring & Incident Detection
- Compartments + resource inventory
- Asset Inventory
- Database automatic-backup status
- Backup & Recovery
- Database versions & availability
- Configuration & Vulnerability Management
Troubleshooting
- 401 NotAuthenticated on connect.
- The signature didn't verify: re-check that the fingerprint matches the API key you uploaded, the user/tenancy OCIDs come from the same tenancy, and the private key is the FULL .pem contents (including BEGIN/END lines) of the key pair you generated in the console.
- 404 NotAuthorizedOrNotFound on sync sections.
- OCI returns 404 (not 403) when the policy doesn't grant read access. Attach the read-only policy statements from step 1 to the user's group in the ROOT compartment so they cover the whole tenancy, then re-sync.
- Connected but security posture shows unmeasured.
- Cloud Guard isn't enabled in the tenancy (or the policy lacks read cloud-guard-family). Enable Cloud Guard targeting the root compartment — the connector reports unmeasured rather than faking a clean posture until it can read real problems.
- Wrong-region errors or empty inventory.
- Use your tenancy's home region identifier (e.g. us-ashburn-1, eu-frankfurt-1) from the console's region menu. IAM reads go to the home region; resources in other regions still appear via Resource Search and Cloud Guard when configured tenancy-wide.
Read-only API signing key, OCI HTTP-signature signed (no SDK; deterministic signer unit-tested). Validated live against Identity, then Cloud Guard + Monitoring + Resource Search + Usage + Database services, each section best-effort. Mocked-fetch verified; live ingestion activates and is verified when a customer tenancy connects.