oraclecloud-install-auth
'Install and configure Oracle Cloud Infrastructure (OCI) SDK and CLI
Allowed Tools
Provided by Plugin
oraclecloud-pack
Claude Code skill pack for Oracle Cloud (24 skills)
Installation
This skill is included in the oraclecloud-pack plugin:
/plugin install oraclecloud-pack@claude-code-plugins-plusClick to copy
Instructions
Oracle Cloud Install & Auth
Overview
Configure API key authentication for Oracle Cloud Infrastructure (OCI). OCI auth requires a ~/.oci/config file with five mandatory fields — user OCID, fingerprint, tenancy OCID, region, and the path to an RSA private key. One wrong field produces the cryptic ConfigFileNotFound or InvalidKeyFilePath error with no hint about which field failed.
Purpose: Produce a validated ~/.oci/config file, generate an RSA key pair, upload the public key to OCI, and verify connectivity with both the Python SDK and OCI CLI.
Prerequisites
- OCI account with an active tenancy — sign up at https://cloud.oracle.com
- Python 3.8+ (the OCI Python SDK is the most mature SDK)
- OpenSSL installed (for RSA key generation)
- Your user OCID (Profile > User Settings in the OCI Console) — format:
ocid1.user.oc1..aaaa... - Your tenancy OCID (Administration > Tenancy Details) — format:
ocid1.tenancy.oc1..aaaa... - Your home region (e.g.,
us-ashburn-1,eu-frankfurt-1)
Instructions
Step 1: Install the OCI Python SDK and CLI
pip install oci oci-cli
Step 2: Generate an RSA Key Pair
mkdir -p ~/.oci
openssl genrsa -out ~/.oci/oci_api_key.pem 2048
chmod 600 ~/.oci/oci_api_key.pem
openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem
Step 3: Get the Key Fingerprint
openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key.pem | openssl md5 -c
# Output: ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90
Step 4: Upload Public Key to OCI Console
Navigate to: Profile (top-right) > User Settings > API Keys > Add API Key > Paste Public Key
Paste the contents of ~/.oci/ociapikey_public.pem. The console shows the fingerprint — it must match Step 3.
Step 5: Create the Config File
cat > ~/.oci/config << 'EOF'
[DEFAULT]
user=ocid1.user.oc1..aaaa_YOUR_USER_OCID
fingerprint=ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90
tenancy=ocid1.tenancy.oc1..aaaa_YOUR_TENANCY_OCID
region=us-ashburn-1
key_file=~/.oci/oci_api_key.pem
EOF
chmod 600 ~/.oci/config
All five fields are required. The key_file must point to the private key (not the public .pem).
Step 6: Verify with the Python SDK
import oci
config = oci.config.from_file("~/.oci/config")
oci.config.validate_config(config)
identity = oci.identity.IdentityClient(config)
user = identity.get_user(config["user"]).data
print(f"Authenticated as: {user.name} ({user.email})")
print(f"Tenancy: {config['tenancy']}")
print(f"Region: {config['region']}")
Step 7: Verify with the OCI CLI
oci iam user get --user-id "$(grep ^user ~/.oci/config | cut -d= -f2)" \
--query 'data.name' --raw-output
Step 8: Config Validation Script
Save this as validateociconfig.py to catch common misconfigurations:
import oci
import os
def validate():
"""Validate OCI config file and key access."""
config_path = os.path.expanduser("~/.oci/config")
if not os.path.exists(config_path):
raise FileNotFoundError(f"Config not found: {config_path}")
config = oci.config.from_file(config_path)
oci.config.validate_config(config)
key_path = os.path.expanduser(config.get("key_file", ""))
if not os.path.exists(key_path):
raise FileNotFoundError(f"Private key not found: {key_path}")
perms = oct(os.stat(key_path).st_mode)[-3:]
if perms != "600":
print(f"WARNING: Key file permissions are {perms}, should be 600")
identity = oci.identity.IdentityClient(config)
identity.get_user(config["user"])
print("Config is valid. Authentication successful.")
validate()
Output
Successful completion produces:
- An RSA key pair at
~/.oci/ociapikey.pem(private) and~/.oci/ociapikey_public.pem(public) - A validated
~/.oci/configwith all five required fields - The public key uploaded to your OCI user profile with a matching fingerprint
- Confirmed API connectivity via either the Python SDK or OCI CLI
Error Handling
| Error | Code | Cause | Solution | |
|---|---|---|---|---|
| NotAuthenticated | 401 | Wrong fingerprint or key mismatch | Verify fingerprint matches: `openssl rsa -pubout -outform DER -in ~/.oci/ociapikey.pem \ | openssl md5 -c` |
| ConfigFileNotFound | — | Missing ~/.oci/config |
Run oci setup config or create manually per Step 5 |
|
| InvalidKeyFilePath | — | key_file points to wrong path or public key |
Ensure keyfile=~/.oci/ociapikey.pem (private key, no public) |
|
| InvalidPrivateKey | — | Key file is the public key, not private | The private key starts with -----BEGIN RSA PRIVATE KEY----- |
|
| NotAuthorizedOrNotFound | 404 | User OCID is wrong or IAM policy missing | Double-check user OCID in Console > Profile > User Settings | |
| CERTIFICATEVERIFYFAILED | — | SSL cert issue behind corporate proxy | Set OCIPYTHONSDKNOSERVICE_IMPORTS=1 or install certifi |
Examples
Quick auth test with curl (no SDK needed):
# Verify the OCI CLI can reach the API
oci iam region list --output table
Multiple profiles for dev/staging/prod:
# ~/.oci/config
[DEFAULT]
user=ocid1.user.oc1..aaaa_PROD_USER
tenancy=ocid1.tenancy.oc1..aaaa_PROD
region=us-ashburn-1
fingerprint=ab:cd:...
key_file=~/.oci/oci_api_key.pem
[STAGING]
user=ocid1.user.oc1..aaaa_STAGING_USER
tenancy=ocid1.tenancy.oc1..aaaa_STAGING
region=us-phoenix-1
fingerprint=12:34:...
key_file=~/.oci/oci_api_key_staging.pem
# Load a specific profile
config = oci.config.from_file("~/.oci/config", profile_name="STAGING")
Resources
- OCI API Key Authentication — key generation and config file format
- OCI Python SDK Reference — full API documentation
- OCI CLI Reference — command-line interface guide
- SDK Troubleshooting — common auth and connectivity issues
- OCI Console — web dashboard for key upload and OCID lookup
- Always Free Tier — free OCI resources for development
Next Steps
After authentication is working, proceed to oraclecloud-hello-world to launch your first compute instance, or see oraclecloud-common-errors if you hit authentication issues.