Cloud

Connect Oracle Cloud Infrastructure

Signs read-only OCI API calls (HTTP-signature, no SDK) to read Cloud Guard problems, IAM posture, compartments, resource inventory, monitoring alarms, spend, and database-service posture (availability, versions, backups) — feeding Cloud Health, Security Readiness, and the Lifecycle (EOL) inventory.

What you'll need

An API-only IAM user in a read-only group with inspect/read policy statements (all-resources inspect, plus read on cloud-guard-family, database-family, usage-reports, metrics, and alarms), its API signing key (tenancy OCID, user OCID, key fingerprint, private key PEM), and your home region. Cloud Guard must be enabled for security posture — if it's off, the connector reports security as unmeasured rather than faking a clean posture.

Credential

API signing key on a read-only IAM group

Requested scopes

inspect all-resources, read cloud-guard-family, read database-family, read usage-reports, read metrics, read alarms

Powers

Cloud Health, Security Readiness, Lifecycle Risk

What it pulls

Authenticating user (validate), compartments, IAM users/groups/policies, Cloud Guard open problems bucketed by risk level (critical/high/medium), monitoring alarms + firing status, resource inventory count (Resource Search), Usage API last-30-day spend, and Oracle Database service posture: Autonomous Database + DB system availability, database versions (→ EOL inventory), and automatic-backup status.

What you’ll enter

The exact fields the connect form asks for — and where to find each value.

Tenancy OCID
OCI console → profile menu → Tenancy → copy the OCID — or take it from the configuration-file preview shown when you add the API key.
User OCID
The API-only user you created: Identity & Security → Domains → Users → open the user → copy its OCID.
API key fingerprint
Shown beside the API key after you add it to the user (colon-separated hex pairs). It identifies WHICH key signs — it must match the private key below.
Private key (PEM)
The .pem file downloaded when you generated the API key pair (shown once). Paste the WHOLE file including the BEGIN/END lines. Encrypted at rest; only ever used to sign read-only requests.
Home region
Your tenancy's home region identifier from the console's region menu (e.g. us-ashburn-1, eu-frankfurt-1).

Step-by-step setup

  1. 1

    Create a read-only IAM group and policy

    OCI console → Identity & Security → Domains → your domain → Groups → create a group (e.g. shipready-metrics-readonly). Then Identity & Security → Policies → Create Policy (in the root compartment) with read-only statements such as: “Allow group shipready-metrics-readonly to inspect all-resources in tenancy”, plus “… to read cloud-guard-family in tenancy”, “… to read database-family in tenancy”, “… to read usage-reports in tenancy”, “… to read metrics in tenancy”, and “… to read alarms in tenancy”. Never grant manage or use verbs.

  2. 2

    Create an API-only user in that group

    Domains → your domain → Users → Create user (e.g. shipready-metrics). Skip console password setup — this is an API-only identity. Add it to the read-only group from step 1.

  3. 3

    Add an API signing key and copy the config values

    Open the user → API keys → Add API key → Generate API key pair → Download private key (a .pem file, shown once), then Add. The console shows a configuration-file preview — copy the tenancy OCID (ocid1.tenancy…), user OCID (ocid1.user…), the key fingerprint (aa:bb:…), and your region identifier (e.g. us-ashburn-1) from it.

  4. 4

    Enable Cloud Guard for security posture (recommended)

    Identity & Security → Cloud Guard → Enable, monitoring the root compartment. Without Cloud Guard the connector still syncs IAM, inventory, spend, and database posture — security posture shows as unmeasured, never a fake clean score.

  5. 5

    Enter the five values and connect

    Fill tenancy OCID, user OCID, key fingerprint, the private key PEM (paste the whole .pem file), and region, then click Connect — we validate the signing key live against Identity, encrypt the key at rest, and run the first read-only sync.

Compliance evidence

Signals this connector collects that support audit-readiness evidence across SOC 2, ISO 27001, NIST CSF, CIS, PCI DSS, and SOX programs. This documents coverage — evidence acceptance always stays with your human reviewers.

IAM users, groups, and policies
Access Control
Cloud Guard problems (security posture)
Cloud Security Monitoring & Detection
Monitoring alarms + firing status
Monitoring & Incident Detection
Compartments + resource inventory
Asset Inventory
Database automatic-backup status
Backup & Recovery
Database versions & availability
Configuration & Vulnerability Management

Troubleshooting

401 NotAuthenticated on connect.
The signature didn't verify: re-check that the fingerprint matches the API key you uploaded, the user/tenancy OCIDs come from the same tenancy, and the private key is the FULL .pem contents (including BEGIN/END lines) of the key pair you generated in the console.
404 NotAuthorizedOrNotFound on sync sections.
OCI returns 404 (not 403) when the policy doesn't grant read access. Attach the read-only policy statements from step 1 to the user's group in the ROOT compartment so they cover the whole tenancy, then re-sync.
Connected but security posture shows unmeasured.
Cloud Guard isn't enabled in the tenancy (or the policy lacks read cloud-guard-family). Enable Cloud Guard targeting the root compartment — the connector reports unmeasured rather than faking a clean posture until it can read real problems.
Wrong-region errors or empty inventory.
Use your tenancy's home region identifier (e.g. us-ashburn-1, eu-frankfurt-1) from the console's region menu. IAM reads go to the home region; resources in other regions still appear via Resource Search and Cloud Guard when configured tenancy-wide.
Create an OCI API signing key → Connect in the app

Read-only API signing key, OCI HTTP-signature signed (no SDK; deterministic signer unit-tested). Validated live against Identity, then Cloud Guard + Monitoring + Resource Search + Usage + Database services, each section best-effort. Mocked-fetch verified; live ingestion activates and is verified when a customer tenancy connects.