Security Credentials

This section describes the types of credentials you'll use when working with Oracle Cloud Infrastructure.

Console Password

  • What it's for: Using the Console.
  • Format: Typical password text string.
  • How to get one: An administrator will provide you with a one-time password.
  • How to use it: Sign in to the Console the first time with the one-time password, and then change it when prompted. Requirements for the password are displayed there. The one-time password expires in seven days. If you want to change the password later, see To change your Console password. Also, you or an administrator can reset the password in the Console or with the API (see To create or reset another user's Console password). Resetting the password creates a new one-time password that you'll be prompted to change the next time you sign in to the Console. If you're blocked from signing in to the Console because you've tried 10 times in a row unsuccessfully, contact your administrator.
  • Note for Federated Users: Federated users do not use a Console password. Instead, they sign in to the Console through their identity provider.

API Signing Key

  • What it's for: Using the API (see Software Development Kits and Command Line Interface and Request Signatures).
  • Format: RSA key pair in PEM format (minimum 2048 bits required).
  • How to get one: You can use the Console to generate the private/public key pair for you, or you can generate your own. See Required Keys and OCIDs.
  • How to use it: Use the private key with the SDK or with your own client to sign your API requests. Note that after you've added your first API key in the Console, you can use the API to upload any additional ones you want to use. If you provide the wrong kind of key (for example, your instance SSH key, or a key that isn't at least 2048 bits), you'll get an InvalidKey error.
  • Example: The PEM public key looks something like this:
    -----BEGIN PUBLIC KEY-----
    
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoTFqF...
    ...
    		
    -----END PUBLIC KEY——

Instance SSH Key

  • What it's for: Accessing a compute instance.
  • Format: For platform images, these SSH key types are supported: RSA, DSA, DSS, ECDSA, and Ed25519. If you bring your own image, you're responsible for managing the SSH key types that are supported.

    For RSA, DSS, and DSA keys, a minimum of 2048 bits is recommended. For ECDSA keys, a minimum of 256 bits is recommended.

  • How to get one: See Managing Key Pairs on Linux Instances. Optionally, you can use a key pair that is generated by Oracle Cloud Infrastructure when you create an instance in the Console.
  • How to use it: When you launch an instance, provide the public key from the key pair.
  • Example:

    A public key has the following format:

    <key_type> <public_key> <optional_comment>

    For example, an RSA public key looks like this:

    ssh-rsa AAAAB3BzaC1yc2EAAAADAQABAAABAQD9BRwrUiLDki6P0+jZhwsjS2muM...
    
    ...yXDus/5DQ== rsa-key-20201202

Auth Token

  • What it's for: Authenticating with third-party APIs that do not support Oracle Cloud Infrastructure's signature-based authentication. For example, use an auth token as your password with Swift clients.
  • Format: Typical password text string.
  • How to get one: See Working with Console Passwords and API Keys.
  • How to use it: Usage depends on the service your are authenticating with. Typically, you authenticate with third-party APIs by providing your Oracle Cloud Infrastructure Console login, your auth token provided by Oracle, and your organization's Oracle tenant name.