Oracle Cloud + Steampipe
Steampipe is an open source CLI to instantly query cloud APIs using SQL.
Oracle Cloud provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.
For example:
select name, id, is_mfa_activatedfrom oci_identity_user;
+-----------------+------------------------+------------------+| name | id | is_mfa_activated |+-----------------+------------------------+------------------+| pam_beesly | ocid1.user.oc1.aaaa... | false || creed_bratton | ocid1.user.oc1.aaaa... | true || stanley_hudson | ocid1.user.oc1.aaaa... | false || michael_scott | ocid1.user.oc1.aaaa... | false || dwight_schrute | ocid1.user.oc1.aaaa... | true |+-----------------+------------------------+------------------+
Documentation
Get started
Install
Download and install the latest Oracle Cloud plugin:
steampipe plugin install oci
Credentials
Item | Description |
---|---|
Credentials | Create API keys for your user and add to default OCI configuration: ~/.oci/config |
Permissions | Use policy builder to enable your group with following permissions:Allow group {group_name} to read all-resources in tenancy Allow group {group_name} to manage all-resources in tenancy where request.operation='GetConfiguration' GetConfiguration for all-resources is required for oci_identity_tenancy table. |
Radius | Each connection represents a single OCI Tenant. |
Resolution | 1. Static credentials in the configuration file with the tenancy_ocid , user_ocid , fingerprint and private_key_path arguments .2. Named profile from an OCI config file(~/.oci/config) with the config_file_profile argument. 3. Named profile containing security token. 4. Instance Principal based authentication. Note: this configuration will only work when run from an OCI instance. 5. If no credentials are specified, the plugin will use the OCI Default Connection |
Configuration
Installing the latest oci plugin will create a config file (~/.steampipe/config/oci.spc
) with a single connection named oci
:
connection "oci_tenant_y" { plugin = "oci"
# Name of the profile. #config_file_profile = "DEFAULT"
# Path to config file #config_path = "~/.oci/config"
# List of regions #regions = ["ap-mumbai-1", "us-ashburn-1"]
# The maximum number of attempts (including the initial call) Steampipe will # make for failing API calls. Defaults to 9 and must be greater than or equal to 1. #max_error_retry_attempts = 9
# The minimum retry delay in milliseconds after which retries will be performed. # This delay is also used as a base value when calculating the exponential backoff retry times. # Defaults to 25ms and must be greater than or equal to 1ms. #min_error_retry_delay = 25}
config_file_profile
(Optional) OCI profile name to use for credentials.config_path
(Optional) Path of the config file where subjected profile is available.max_error_retry_attempts
(Optional) The maximum number of attempts (including the initial call) Steampipe will make for failing API calls. Defaults to 9 and must be greater than or equal to 1.min_error_retry_delay
(Optional) The minimum retry delay in milliseconds after which retries will be performed. This delay is also used as a base value when calculating the exponential backoff retry times. Defaults to 25ms and must be greater than or equal to 1ms.regions
(Optional) List of OCI regions Steampipe will connect to
Get involved
- Open source: https://github.com/turbot/steampipe-plugin-oci
- Community: Slack Channel
Advanced configuration options
If you have an OCI profile setup for using the OCI CLI, Steampipe will just work with that connection.
For users with multiple accounts and more complex authentication use cases, here are some examples of advanced configuration options:
Use static credentials
The OCI plugin allows you set static credentials with the tenancy_ocid, user_ocid, fingerprint and private_key_path arguments. You may select one or more regions with the regions argument.
connection "oci_tenant_x" { plugin = "oci" tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaa111111111bbbbbbbetci3yjjnjqmfkr4pab12cd45gh56hm76cyljaq" user_ocid = "ocid1.user.oc1..aaaaaaaa111111111bbbbbbb2oixpabcd7a3jkl6yife75v7a7o6c5d6wclrsjia" fingerprint = "9a:a1:b2:c3:d4:e5:6f:7g:89:33:5f:ed:ab:ec:de:11" private_key_path = "~/.ssh/oci_private.pem" # Path to user's private key regions = ["ap-mumbai-1", "us-ashburn-1"] # List of regions to query resources}
Using a named profile
If you have an OCI config file(~/.oci/config) with multiple profiles setup, you can set the config_file_profile argument:
connection "oci" { plugin = "oci" config_file_profile = "DEFAULT" # Name of the profile in the OCI config file config_path = "~/.oci/config" # Path to config file regions = ["ap-mumbai-1", "us-ashburn-1"] # List of regions to query resources}
connection "oci_tenant_x" { plugin = "oci" config_file_profile = "tenant_x" # Name of the profile in the OCI config file config_path = "~/.oci/config" # Path to config file regions = ["ap-mumbai-1", "us-ashburn-1"] # List of regions to query resources}
Using a named profile containing security token
connection "oci_tenant_z" { plugin = "oci" auth = "SecurityToken" # Type of authentication config_file_profile = "tenant_z" # OCI Profile containing the details of the token regions = ["ap-mumbai-1"]}
Instance principal based authentication
This configuration will only work when run from an OCI instance. More information on using Instance Principals:
connection "oci" { plugin = "oci" auth = "InstancePrincipal" # Type of authentication}