Table: oci_identity_auth_token - Query OCI Identity Auth Tokens using SQL
An OCI Identity Auth Token is an Oracle-generated credential string that an IAM user presents in place of a password when authenticating to third-party APIs that do not support OCI's request-signing authentication, for example the Swift-compatible Object Storage API and OCI Container Registry (Docker login). A token inherits the permissions of the user it belongs to, its value is shown only once at creation, and each user can hold at most two auth tokens at a time, so tokens should be inventoried, rotated and revoked with the same care as passwords.
Table Usage Guide
The oci_identity_auth_token table provides insights into Auth Tokens within Oracle Cloud Infrastructure (OCI). As a Security Administrator, explore token-specific details through this table, including lifecycle state, description, creation and expiry timestamps, and the owning user. Utilize it to find inactive tokens, tokens due for rotation, and the users associated with each token. The secret token value itself is returned by OCI only in the CreateAuthToken response, so the token column of this table is never populated; the table inventories credential objects, not credentials.
Examples
Basic info
Explore which auth tokens exist in your tenancy, which user owns each one, and when it was created. This is the starting inventory for reviewing who relies on token-based authentication.

```sql
select
  id,
  user_id,
  user_name,
  time_created
from
  oci_identity_auth_token;
```
List inactive auth tokens
List auth tokens whose lifecycle state is INACTIVE. An inactive token cannot be used to authenticate, but it remains a credential object attached to a user; review these and delete any that are no longer needed. The inactive_status column carries the detailed reason for the INACTIVE state.

```sql
select
  id,
  user_id,
  user_name,
  lifecycle_state,
  time_created
from
  oci_identity_auth_token
where
  lifecycle_state = 'INACTIVE';
```
Count the number of auth tokens by user
Count the auth tokens held by each user. OCI allows at most two auth tokens per user, so a user at that limit cannot rotate without first deleting a token; the count also shows which users depend on this credential type at all, which is useful when tightening access to token-only integrations.

```sql
select
  user_id,
  user_name,
  count(id) as auth_token_count
from
  oci_identity_auth_token
group by
  user_name,
  user_id;
```
List auth tokens older than 90 days
List auth tokens created more than 90 days ago. CIS OCI Foundations Benchmark control 1.10 requires user auth tokens to be rotated within 90 days; a rotated token is a new object with a new time_created, so the creation timestamp is the token's rotation age.

PostgreSQL:

```sql
select
  id,
  user_id,
  user_name,
  lifecycle_state,
  time_created
from
  oci_identity_auth_token
where
  time_created <= (current_date - interval '90' day)
order by
  time_created;
```

SQLite:

```sql
select
  id,
  user_id,
  user_name,
  lifecycle_state,
  time_created
from
  oci_identity_auth_token
where
  time_created <= date('now', '-90 day')
order by
  time_created;
```
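The 90-day query above only lists old tokens. The following is an added example, not part of the Steampipe OCI plugin documentation, that goes a step further and turns it into a CIS 1.10-style check: it computes each token's age in days, reports ACTIVE tokens older than 90 days as alarm, separately calls out tokens whose time_expires has already passed, and skips non-ACTIVE tokens (which cannot authenticate and are handled by the inactive-token query). It uses only the columns in the schema below and assumes the default PostgreSQL-backed Steampipe database; the status and reason labels are this example's own convention, not Steampipe control output.

```sql
-- Added example (not from the Steampipe OCI plugin docs). PostgreSQL syntax.
-- One row per token, graded against the CIS 1.10 90-day rotation requirement.
select
  user_name,
  id as token_id,
  description,
  lifecycle_state,
  time_created,
  time_expires,
  date_part('day', now() - time_created)::int as age_days,
  case
    when lifecycle_state <> 'ACTIVE' then 'skip'       -- cannot authenticate; see inactive query
    when time_expires is not null and time_expires < now() then 'expired'
    when time_created <= now() - interval '90 days' then 'alarm'
    else 'ok'
  end as status,
  case
    when lifecycle_state <> 'ACTIVE' then 'token is ' || lifecycle_state
    when time_expires is not null and time_expires < now()
      then 'token expired on ' || to_char(time_expires, 'YYYY-MM-DD') || ', delete it'
    when time_created <= now() - interval '90 days'
      then 'token is ' || date_part('day', now() - time_created)::int || ' days old, rotate it'
    else 'rotated within the last 90 days'
  end as reason
from
  oci_identity_auth_token
order by
  (lifecycle_state = 'ACTIVE' and time_created <= now() - interval '90 days') desc,
  age_days desc;
```

Run it as-is to review the whole tenancy, or add `where user_name = '...'` to scope it to a single user. Rows marked alarm are the ones a rotation procedure should address; rows marked expired are dead credential objects that should be deleted so they do not count against the user's two-token limit.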
Control examples
- CIS v1.1.0 > 1 Identity and Access Management > 1.10 Ensure user auth tokens rotate within 90 days or less
- CIS v1.2.0 > 1 Identity and Access Management > 1.10 Ensure user auth tokens rotate within 90 days or less
- CIS v2.0.0 > 1 Identity and Access Management > 1.10 Ensure user auth tokens rotate within 90 days or less
Schema for oci_identity_auth_token
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
description | text | | The description you assign to the auth token. |
id | text | | The OCID of the auth token. |
inactive_status | bigint | | The detailed status of INACTIVE lifecycleState. |
lifecycle_state | text | | The token's current state. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The OCID of the Tenant in which the resource is located. |
tenant_name | text | | The name of the Tenant in which the resource is located. |
time_created | timestamp with time zone | | Date and time the `AuthToken` object was created. |
time_expires | timestamp with time zone | | Date and time when this auth token will expire. |
title | text | | Title of the resource. |
token | text | | The auth token. The value is available only in the response for `CreateAuthToken`, and not for `ListAuthTokens` or `UpdateAuthToken`. |
user_id | text | = | The OCID of the user the auth token belongs to. |
user_name | text | | The name of the user the auth token belongs to. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- oci
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_oci --config '<your_config>' oci_identity_auth_token
```