Interface IAMConfig

IAMConfig is required to authorize operations using Oracle Cloud Infrastructure Identity and Access Management (IAM). It should be set as iam.

See Overview of Oracle Cloud Infrastructure Identity and Access Management for information on IAM components and how they work together to provide security for Oracle Cloud services.

All operations require a request signature that is used by the system to authorize the operation. The request signature may be created in one of the following ways:

  1. Using specific user's indentity. See information below on what credentials are required and how to obtain them, as well as the ways these credentials may be provided to the driver via IAMConfig.
  2. Using Instance Principal. You may use Instance Principal when calling Oracle NoSQL Database Cloud Service from a compute instance in the Oracle Cloud Infrastructure (OCI). See Calling Services from an Instance for more information. Use Instance Principal by setting useInstancePrincipal property to true.
  3. Using Resource Principal. You may use Resource Principal when calling Oracle NoSQL Database Cloud Service from other Oracle Cloud service resource such as Functions. See Accessing Other Oracle Cloud Infrastructure Resources from Running Functions for more information. Use Resouce Principal by setting useResourcePrincipal property to true.
  4. Using Oracle Container Engine for Kubernetes (OKE) workload identity. You may use OKE workload identity when running an application inside Kubernetes cluster. For more information, see Overview of Container Engine for Kubernetes and Granting Workloads Access to OCI Resources.
  5. Using session-token based authentication. This method uses temporary session token read from a token file. The path to the token file and other required credentials are stored in OCI configuration file. For more information see SDK Configuration File and Token-based Authentication for the CLI.

When using specific user's identity, if you don't specify compartment, a default compartment will be used, which is a a root compartment of the user's tenancy. You can also specify compartment, either as compartment property of initial configuration or as part of options for each request. You may specify either compartment OCID or compartment name. If using compartment name, you can also provide it as a prefix to the table name as in compartmentName.tableName.

When using Instance Principal, Resource Principal or OKE workload identity, there is no default compartment, so you must specify compartiment id (OCID), either as compartment property of the initial configuration or as part of options for each request. Note that you must use compartment id (OCID) and not compartment name. This also means that you may not prefix table name with compartment name when calling methods of NoSQLClient. The only exception to this is when using Resource Principal together with useResourcePrincipalCompartment property, in which case the resource compartment itself will be used.

To use specific user's identity, you must provide the following credentials:

  • Tenancy OCID. This is Oracle Cloud ID (OCID) for your tenancy. See Resource Identifiers for information on OCIDs.
  • User's OCID. This is Oracle Cloud ID (OCID) for the user in your tenancy. See Resource Identifiers for information on OCIDs.
  • API Signing Key. This is public-private key pair used to sign the API requests, see Required Keys and OCIDs. In particular, private key is needed to generate the request signature.
  • Public Key Fingerprint. This is an identifier of the public key of the API Signing Key pair.
  • Passphrase for the private key of API Signing Key pair if the private key is encrypted.

See Required Keys and OCIDs for detailed description of the above credentials and the steps you need to perform to enable signing of API requests, which are:

  • Generate the key pair described above.
  • Upload public key.
  • Obtain tenancy and user OCIDs and public key fingerprint.

You may provide these credentials in one of the following ways, in order of increased security:

Note that the private key must be in PEM format. You may provide a path to the PEM key file. Alternatively, except when using OCI configuration file, you may provide PEM encoded private key directly as Buffer or string. Note that the passphrase must be provided if the private key is encrypted.

The driver will determine the method of authorization as follows:

  1. If useResourcePrincipal is set to true, then Resource Principal authentication will be used.
  2. If useInstancePrincipal is set to true, then Instance Principal authentication will be used. You may also set federationEndpoint, although it is not requred and in most cases federation endpoint will be auto-detected.
  3. If useOKEWorkloadIdentity is set to true, then Container Engine for Kubernetes (OKE) authentication will be used. Optionally, you may also provide service account token by setting one of 3 properties serviceAccountToken, serviceAccountTokenFile or serviceAccountTokenProvider.
  4. If useSessionToken is set to true, then session token-based authentication will be used. Note that this method uses OCI config file, so settings to properties configFile and profileName also apply. See useSessionToken for more information.
  5. If IAMConfig has any of user identity properties such as tenantId, userId, privateKey, fingerprint or passphrase, the driver assumes that you are using a specific user's identity and that the credentials are provided directly in IAMConfig. All required user's credentials, as described above, must be present as properties of IAMConfig, otherwise NoSQLArgumentError will result.
  6. If IAMConfig has credentialsProvider property, the driver assumes that you are using a specific user's identity and the credentials are obtained through the credentials provider which must be in the form of IAMCredentialsProvider. In this case the credentials must not be set directly in IAMConfig.
  7. If none of the above, the driver assumes that you are using a specific user's identity and the credentials are stored in OCI config file and will use configFile and profileName properties if present, otherwise it will assume their default values. In particular, if you specify serviceType as CLOUD and omit auth alltogether, the driver will use IAM authorization with default OCI config file and default profile name.

Note that if using an OCI configuration file, you may also specify region identifier in the same profile as your credentials. In this case, you need not specify either region or endpoint in Config. In particular, if you use the default OCI config file (~/.oci/config) and default profile name (DEFAULT) and do not need to customize any other configuration properties, you may create NoSQLClient instance without providing configuration to NoSQLClient constructor. See NoSQLClient for more information.

If using Resource Principal, you also need not specify either region or endpoint in Config, as Resource Principal's region will be used. In fact, when running in Functions service, you may only access NoSQL service in the same region as the running function, so when using Resource Principal, it is preferable not to specify either region or endpoint in Config.

Generated authorization signature is valid for a period of time and is cached for effeciency. The caching behavior may be customized with properties durationSeconds and refreshAheadMs. See their property descriptions for details.

See

Example

JSON Config object supplying user's credentials directly (sensitiveinfo not shown).

{
    "region": "us-phoenix-1",
    "auth": {
        "iam": {
            "tenantId": "ocid1.tenancy.oc...................",
            "userId": "ocid1.user.oc.....................",
            "fingerprint": "aa:aa:aa:aa:.....",
            "privateKeyFile": "~/myapp/security/oci_api_key.pem",
            "passphrase": "..............."
        }
    }
}

Example

JSON Config object supplying user's credentials through OCI configuration file.

{
    "region": "us-phoenix-1",
    "auth": {
        "iam": {
            "configFile": "~/myapp/.oci/config",
            "profileName": "John"
        }
    }
}

Example

Javascript Config object supplying user's credentials via custom credentials provider.

{
    region: "us-phoenix-1",
    auth: {
        iam: {
            credentialsProvider: async () => {
                .......... //retrieve credentials somehow
                ..........
                return {
                    tenantId: myTenantId,
                    userId: myUserId,
                    fingerprint: myFingerprint,
                    privateKey: myPrivateKey,
                    passphrase: myPassphrase
                };
            }
        }
    }
}

Example

JSON Config object using Instance Principal.

{
    "region": "us-phoenix-1",
    "compartment": "ocid1.compartment.oc1.............................",
    "auth": {
        "iam": {
            "useInstancePrincipal": "true"
        }
    }
}

Example

Javascript Config object when using Resource Principal

{
    compartment: "ocid1.compartment.oc1.............................",
    auth: {
        iam: {
            useResourcePrincipal: true
        }
    }
}

Example

Javascript Config object when using Resource Principal with useResourcePrincipalCompartment property. 

{
    auth: {
        iam: {
            useResourcePrincipal: true,
            useResourcePrincipalCompartment: true
        }
    }
}

Example

Javascript Config object when using OKE workload identity. 

{
    compartment: "ocid1.compartment.oc1.............................",
    auth: {
        iam: {
            useOKEWorkloadIdentity: true
        }
    }
}

Example

JSON Config object when using OKE workload identity and supplying the location of service account token.

{
    "compartment": "ocid1.compartment.oc1.............................",
    "auth": {
        "iam": {
            "useOKEWorkloadIdentity": true,
            "serviceAccountTokenFile": "~/myapp/serviceaccount/token"
        }
    }
}

Example

JSON Config object when using session token-based authentication.

{
    "region": "us-phoenix-1",
    "compartment": "ocid1.compartment.oc1.............................",
    "auth": {
        "iam": {
            "useSessionToken": true,
            "configFile": "~/myapp/.oci/config",
            "profileName": "John"
        }
    }
}

Hierarchy

Properties

configFile? credentialsProvider? delegationToken? delegationTokenFile? delegationTokenProvider? durationSeconds? federationEndpoint? fingerprint? passphrase? privateKey? privateKeyFile? profileName? refreshAheadMs? serviceAccountToken? serviceAccountTokenFile? serviceAccountTokenProvider? tenantId? timeout? useInstancePrincipal? useOKEWorkloadIdentity? useResourcePrincipal? useResourcePrincipalCompartment? useSessionToken? userId?

Properties

Optional configFile

configFile?: string | Buffer

OCI configuration file path. May be absolute or relative to current directory. May be string or UTF-8 encoded Buffer.

Default Value

Path "~/.oci/config", where "~" represents user's home directory on Unix systems and %USERPROFILE% directory on Windows (see USERPROFILE environment variable).

Optional credentialsProvider

credentialsProvider?: string | IAMCredentialsProvider | (() => Promise<IAMCredentials>)

Custom credentials provider to use to obtain credentials in the form of IAMCredentials. You may also specify string for a module name or path that exports IAMCredentialsProvider.

See

IAMCredentialsProvider

Optional delegationToken

delegationToken?: string

Used only with instance principal (see useInstancePrincipal). The delegation token allows the instance to assume the privileges of the user for which the token was created and act on behalf of that user. Use this property to specify the value of the delegation token directly. Otherwise, to use a provider interface or obtain a token from a file, use delegationTokenProvider and delegationTokenFile properties. This property is exclusive with delegationTokenProvider and delegationTokenFile.

Optional delegationTokenFile

delegationTokenFile?: string

Used only with instance principal (see useInstancePrincipal). The delegation token allows the instance to assume the privileges of the user for which the token was created and act on behalf of that user. This property specifies a file path (absolute or relative) to load the delegation token from. The delegation token will be reloaded from the file each time the authorization signature is refreshed. This property is exclusive with delegationToken and delegationTokenFile.

Optional delegationTokenProvider

delegationTokenProvider?: string | DelegationTokenProvider | (() => Promise<string>)

Used only with instance principal (see useInstancePrincipal). The delegation token allows the instance to assume the privileges of the user for which the token was created and act on behalf of that user. This propertiy specifies DelegationTokenProvider as a custom provider used to load the delegation token. The delegation token will be reloaded each time the authorization signature is refreshed. If specified as a string, this property is equivalent to delegationTokenFile. This property is exclusive with delegationToken and delegationTokenFile.

Optional durationSeconds

durationSeconds?: number

Cache duration of the signature in seconds. Specifies how long cached signature may be used before new one has to be created. Maximum allowed duration is 5 minutes (300 seconds), which is also the default.

Default Value

300 (5 minutes)

Optional federationEndpoint

federationEndpoint?: string | URL

When using Instance Principal, specifies endpoint to use to communicate with authorization server. Usually this does not need to be specified as the driver will detect the federation endpoint automatically. Specify this if you need to override the default federation endpoint. The endpoint must be in the form https://auth.{region-identifier}.{second-level-domain}, e.g. https://auth.ap-hyderabad-1.oraclecloud.com.

Optional fingerprint

fingerprint?: string

Public key fingerprint.

Optional passphrase

passphrase?: string | Buffer

Passphrase for the private key if it is encrypted. If specified as Buffer, you may clear the buffer contents after NoSQLClient instance is created for added security.

Optional privateKey

privateKey?: string | Buffer

PEM-encoded private key data. If specified as Buffer, you may clear the buffer contents afer NoSQLClient instance is created for added security. Note that only one of privateKey or privateKeyFile properties may be specified.

Optional privateKeyFile

privateKeyFile?: string | Buffer

Path to PEM private key file. Path may be absolute or relative to current directory. May be string or UTF-8 encoded Buffer. Note that only one of privateKey or privateKeyFile properties may be specified.

Optional profileName

profileName?: string

Profile name within the OCI configuration file, used only if credentials are obtained from the configuration file as described.

Default Value

If not set, the name "DEFAULT" is used.

Optional refreshAheadMs

refreshAheadMs?: null | number

Tells the driver when to automatically refresh the signature before its expiration in the cache, measured in number of milliseconds before expiration. E.g. value 10000 means that the driver will attempt to refresh the signature 10 seconds before its expiration. Using refresh allows to avoid slowing down of database operations by creating the signature asynchronously. You can set this property to null to disable automatic refresh.

Default Value

10000 (10 seconds)

Optional serviceAccountToken

serviceAccountToken?: string

Used only with OKE workload identity (see useOKEWorkloadIdentity). Use this property to provide service account token string. This property is exclusive with serviceAccountTokenFile and serviceAccountTokenProvider.

See

useOKEWorkloadIdentity

Optional serviceAccountTokenFile

serviceAccountTokenFile?: string

Used only with OKE workload identity (see useOKEWorkloadIdentity). Use this property to provide a path to service account token file. Service account token will be reloaded from this file when refreshing OKE security token. This property is exclusive with serviceAccountToken and serviceAccountTokenProvider.

See

useOKEWorkloadIdentity

Optional serviceAccountTokenProvider

serviceAccountTokenProvider?: ServiceAccountTokenProvider | (() => Promise<string>)

Used only with OKE workload identity (see useOKEWorkloadIdentity). This propertiy specifies ServiceAccountTokenProvider as a custom provider used to load the service account token. Service account token will be reloaded when refreshing OKE security token. This property is exclusive with serviceAccountToken and serviceAccountTokenFile.

See

useOKEWorkloadIdentity

Optional tenantId

tenantId?: string

Tenancy OCID.

Optional timeout

timeout?: number

Timeout in milliseconds used for requests to the authorization server. Currently this is only used with Instance Principal and OKE workload identity.

Default Value

120000 (2 minutes)

Optional useInstancePrincipal

useInstancePrincipal?: boolean

If set to true, Instance Principal authorization will be used. May not be combined with useResourcePrincipal or any properties used for specific user's identity.

Optional useOKEWorkloadIdentity

useOKEWorkloadIdentity?: boolean

If set to true, will use authorization for Oracle Container Engine for Kubernetes (OKE) workload identity. This authorization scheme can only be used inside Kubernetes pods.

For information on Container Engine for Kubernetes, see Overview of Container Engine for Kubernetes. Also see Granting Workloads Access to OCI Resources for more details on OKE workload identity.

This property may not be combined with useInstancePrincipal, useResourcePrincipal, useSessionToken or any properties used for specific user's identity.

Using OKE workload identity requires service account token. By default, the provider will load service account token from the default file path /var/run/secrets/kubernetes.io/serviceaccount/token. You may override this and provide your own service account token by specifying one of 3 properties:

Optional useResourcePrincipal

useResourcePrincipal?: boolean

If set to true, Resource Principal authorization will be used. May not be combined with useInstancePrincipal or any properties used for specific user's identity.

Optional useResourcePrincipalCompartment

useResourcePrincipalCompartment?: boolean

Only valid when using Resource Principal. If set to true, and compartment id is not specified in the configuration or as a part of operation options, the driver will use the compartment of the resource, obtained from the resource principal session token, as the default compartment for NoSQL database operations. This property is useful, e.g. if you want your NoSQL database tables to reside in the same compartment as your OCI function.

Optional useSessionToken

useSessionToken?: boolean

If set to true, Session Token-Based Authentication will be used. This method uses temporary session token read from a token file. The path of the token file is read from a profile in OCI configuration file as the value of field security_token_file. See SDK Configuration File for details of the file's contents and format. In addition, see the description of IAMConfig above.

Because this method uses OCI Configuration File, you may use the properties configFile and profileName to specify the path to the configuration file and the profile name within the configuration file. The same defaults apply.

For session token-based authentication, the properties required in the OCI config file by the driver are tenancy for tenant OCID, security_token_file for security token file and key_file for private key file. You may also specify pass_phrase property for private key passphrase as well as region property (instead of specifying region property in the Config as previously described).

You can use the OCI CLI to authenticate and create a token, see Token-based Authentication for the CLI.

Optional userId

userId?: string

User OCID.

Settings

Member Visibility

Theme

Generated using TypeDoc