This section documents the use of instance_principal for admin purposes in the project.
instance_principal is an IAM service feature that enables instances to be authorized actors (or principals) to perform actions on service resources. Each compute instance has its own identity, and it authenticates using the certificates that are added to it. These certificates are automatically created, assigned to instances and rotated, preventing the need for you to distribute credentials to your hosts and rotate them.
Any user who has access to the instance (that is, anyone who can SSH to it) automatically inherits the privileges granted to the instance. Before you enable this feature, make sure you know who can access the instance and that every one of them should hold the permissions you are granting to it.
By default, this feature is disabled.
After you enable this feature, the operator host has privileges to manage all resources in the compartment.
You can also turn on and off the feature at any time without impact on the operator host.
To enable, set enable_instance_principal in oci_base_operator to true:

```hcl
oci_base_operator = {
  ....
  enable_instance_principal = true
  ....
}
```

and verify from the operator host:

```shell
oci network vcn list --compartment-id <compartment-ocid>
```

You should see a list of the VCNs created in the compartment.
To disable, set enable_instance_principal in oci_base_operator to false:

```hcl
oci_base_operator = {
  ....
  enable_instance_principal = false
  ....
}
```

Run terraform apply again:

```shell
terraform apply
```
- Do not enable instance_principal if you are not using it.
- Enable instance_principal if and only if you are using the operator host to execute oci commands, e.g. modifying dynamic groups or changing policies.
- Disable instance_principal once the oci operation is done.
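The enable, apply, operate, disable cycle described above, as an added shell example that is not part of the module's own code. It assumes the enable_instance_principal setting lives in a tfvars file that the script may rewrite, that terraform is on PATH in the module's working directory, and that the OCI CLI is installed on the operator host; the functions set_instance_principal, get_instance_principal, verify_instance_principal and with_instance_principal are names chosen for this example. The wrapper turns the flag back off even when the privileged task fails, so the window in which anyone with SSH access to the operator host holds the compartment-wide privileges is bounded by the task itself.

```shell
#!/usr/bin/env bash
# Added example, not part of the module: toggle enable_instance_principal in a
# tfvars file and wrap a privileged OCI task so the flag is switched off again
# as soon as the task finishes, whether it succeeded or failed.
set -euo pipefail

# Set enable_instance_principal to true or false in the given HCL/tfvars file.
# Only a line that already carries the setting is rewritten; if the setting is
# missing the function fails rather than guessing where to put it.
set_instance_principal() {
  local file="$1" value="$2" tmp
  case "$value" in
    true|false) ;;
    *) echo "value must be true or false, got: $value" >&2; return 1 ;;
  esac
  if ! grep -qE '^[[:space:]]*enable_instance_principal[[:space:]]*=' "$file"; then
    echo "enable_instance_principal not found in $file" >&2
    return 1
  fi
  tmp="$(mktemp)"
  sed -E "s/^([[:space:]]*enable_instance_principal[[:space:]]*=[[:space:]]*)(true|false)/\1${value}/" \
    "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Print the current value (true or false) of enable_instance_principal.
get_instance_principal() {
  sed -nE 's/^[[:space:]]*enable_instance_principal[[:space:]]*=[[:space:]]*(true|false).*/\1/p' "$1" | head -n 1
}

# Check from the operator host that the instance identity is actually honoured.
# --auth instance_principal makes the CLI use the instance certificates even when
# OCI_CLI_AUTH is not set in the environment (assumption: the CLI is installed).
verify_instance_principal() {
  oci network vcn list --compartment-id "$1" --auth instance_principal
}

# Run one privileged task with instance_principal enabled only for its duration.
# $1 = tfvars file; the remaining arguments are the command to run. terraform is
# assumed to be on PATH and pointed at the module's working directory.
with_instance_principal() {
  local file="$1" rc=0; shift
  set_instance_principal "$file" true
  terraform apply -auto-approve
  "$@" || rc=$?
  # Turn the flag off again before reporting the task's own exit status.
  set_instance_principal "$file" false
  terraform apply -auto-approve
  return "$rc"
}

# Demonstration on a constructed tfvars fragment (no terraform or oci calls).
demo_file="$(mktemp)"
cat > "$demo_file" <<'EOF'
oci_base_operator = {
  ....
  enable_instance_principal = false
  ....
}
EOF
set_instance_principal "$demo_file" true
echo "after enable: $(get_instance_principal "$demo_file")"   # true
set_instance_principal "$demo_file" false
echo "after disable: $(get_instance_principal "$demo_file")"  # false
rm -f "$demo_file"
```

A typical invocation is `with_instance_principal terraform.tfvars ssh operator-host 'oci iam dynamic-group list --auth instance_principal'`: the flag is enabled, applied, the command runs, and the flag is disabled and applied again regardless of the command's outcome. Rewriting the file only where the setting already exists keeps the script from silently adding a privilege grant to a configuration that never had one.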