Table: oci_identity_api_key - Query OCI Identity API Keys using SQL
Oracle Cloud Infrastructure's Identity and Access Management (IAM) service lets you control who has access to your cloud resources. You can control what type of access a group of users have and to which specific resources. This is achieved through the use of API Keys, which are used for authentication when making REST API calls to OCI services.
Table Usage Guide
The oci_identity_api_key table provides insights into API Keys within OCI Identity and Access Management (IAM). As a security analyst, explore key-specific details through this table, including its creation time, fingerprint, and associated user ID. Utilize it to uncover information about keys, such as those that are inactive, the users associated with each key, and the verification of key status.
Examples
Basic info
Explore which API keys have been created, by whom, and when, to gain insights into your organization's usage and security practices. This can help identify instances where keys may be outdated or potentially misused.
select key_id, key_value, user_id, user_name, time_created, fingerprintfrom oci_identity_api_key;select key_id, key_value, user_id, user_name, time_created, fingerprintfrom oci_identity_api_key;List inactive API keys
Explore which API keys are inactive to ensure your system's security by identifying any unused or potentially compromised keys. This will help maintain the integrity of your system by preventing unauthorized access.
select key_id, key_value, user_id, user_name, time_created, fingerprintfrom oci_identity_api_key;where lifecycle_state = 'INACTIVE';select key_id, key_value, user_id, user_name, time_created, fingerprintfrom oci_identity_api_keywhere lifecycle_state = 'INACTIVE';Count API keys by user
Gain insights into how many API keys each user possesses, which can help monitor user access and identify potential security risks.
select user_id, count (*) as api_key_countfrom oci_identity_api_keygroup by user_id;select user_id, count (*) as api_key_countfrom oci_identity_api_keygroup by user_id;Query examples
Control examples
- 1.11 Ensure API keys are not created for tenancy administrator users
- 1.11 Ensure API keys are not created for tenancy administrator users
- 1.12 Ensure API keys are not created for tenancy administrator users
- 1.8 Ensure user API keys rotate within 90 days
- 1.8 Ensure user API keys rotate within 90 days or less
- 1.8 Ensure user API keys rotate within 90 days or less
Schema for oci_identity_api_key
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| fingerprint | text | The key's fingerprint. | |
| inactive_status | bigint | The detailed status of INACTIVE lifecycleState. | |
| key_id | text | An Oracle-assigned identifier for the key. | |
| key_value | text | The key's value. | |
| lifecycle_state | text | The API key's current state. | |
| tenant_id | text | The OCID of the Tenant in which the resource is located. | |
| tenant_name | text | The name of the Tenant in which the resource is located. | |
| time_created | timestamp with time zone | Date and time the `ApiKey` object was created. | |
| title | text | Title of the resource. | |
| user_id | text | = | The OCID of the user the key belongs to. |
| user_name | text | The name of the user the key belongs to. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ociYou can pass the configuration to the command with the --config argument:
steampipe_export_oci --config '<your_config>' oci_identity_api_key