Oracle Cloud Install & Auth

Overview

Configure API key authentication for Oracle Cloud Infrastructure (OCI). OCI auth requires a ~/.oci/config file with five mandatory fields — user OCID, fingerprint, tenancy OCID, region, and the path to an RSA private key. One wrong field produces the cryptic ConfigFileNotFound or InvalidKeyFilePath error with no hint about which field failed.

Purpose: Produce a validated ~/.oci/config file, generate an RSA key pair, upload the public key to OCI, and verify connectivity with both the Python SDK and OCI CLI.

Prerequisites

• OCI account with an active tenancy — sign up at https://cloud.oracle.com
• Python 3.8+ (the OCI Python SDK is the most mature SDK)
• OpenSSL installed (for RSA key generation)
• Your user OCID (Profile > User Settings in the OCI Console) — format: ocid1.user.oc1..aaaa...
• Your tenancy OCID (Administration > Tenancy Details) — format: ocid1.tenancy.oc1..aaaa...
• Your home region (e.g., us-ashburn-1, eu-frankfurt-1)

Instructions

Step 1: Install the OCI Python SDK and CLI

pip install oci oci-cli

Step 2: Generate an RSA Key Pair

mkdir -p ~/.oci
openssl genrsa -out ~/.oci/oci_api_key.pem 2048
chmod 600 ~/.oci/oci_api_key.pem
openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem

Step 3: Get the Key Fingerprint

openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key.pem | openssl md5 -c
# Output: ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90

Step 4: Upload Public Key to OCI Console

Navigate to: Profile (top-right) > User Settings > API Keys > Add API Key > Paste Public Key

Paste the contents of ~/.oci/oci_api_key_public.pem. The console shows the fingerprint — it must match Step 3.

Step 5: Create the Config File

cat > ~/.oci/config << 'EOF'
[DEFAULT]
user=ocid1.user.oc1..aaaa_YOUR_USER_OCID
fingerprint=ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90
tenancy=ocid1.tenancy.oc1..aaaa_YOUR_TENANCY_OCID
region=us-ashburn-1
key_file=~/.oci/oci_api_key.pem
EOF
chmod 600 ~/.oci/config

All five fields are required. The key_file must point to the private key (not the public .pem).

Step 6: Verify with the Python SDK

import oci

config = oci.config.from_file("~/.oci/config")
oci.config.validate_config(config)

identity = oci.identity.IdentityClient(config)
user = identity.get_user(config["user"]).data
print(f"Authenticated as: {user.name} ({user.email})")
print(f"Tenancy: {config['tenancy']}")
print(f"Region: {config['region']}")

Step 7: Verify with the OCI CLI

oci iam user get --user-id "$(grep ^user ~/.oci/config | cut -d= -f2)" \
  --query 'data.name' --raw-output

Step 8: Config Validation Script

Save this as validate_oci_config.py to catch common misconfigurations:

import oci
import os

def validate():
    """Validate OCI config file and key access."""
    config_path = os.path.expanduser("~/.oci/config")
    if not os.path.exists(config_path):
        raise FileNotFoundError(f"Config not found: {config_path}")

    config = oci.config.from_file(config_path)
    oci.config.validate_config(config)

    key_path = os.path.expanduser(config.get("key_file", ""))
    if not os.path.exists(key_path):
        raise FileNotFoundError(f"Private key not found: {key_path}")

    perms = oct(os.stat(key_path).st_mode)[-3:]
    if perms != "600":
        print(f"WARNING: Key file permissions are {perms}, should be 600")

    identity = oci.identity.IdentityClient(config)
    identity.get_user(config["user"])
    print("Config is valid. Authentication successful.")

validate()

Output

Successful completion produces:

• An RSA key pair at ~/.oci/oci_api_key.pem (private) and ~/.oci/oci_api_key_public.pem (public)
• A validated ~/.oci/config with all five required fields
• The public key uploaded to your OCI user profile with a matching fingerprint
• Confirmed API connectivity via either the Python SDK or OCI CLI

Error Handling

Examples

Quick auth test with curl (no SDK needed):

# Verify the OCI CLI can reach the API
oci iam region list --output table

Multiple profiles for dev/staging/prod:

# ~/.oci/config
[DEFAULT]
user=ocid1.user.oc1..aaaa_PROD_USER
tenancy=ocid1.tenancy.oc1..aaaa_PROD
region=us-ashburn-1
fingerprint=ab:cd:...
key_file=~/.oci/oci_api_key.pem

[STAGING]
user=ocid1.user.oc1..aaaa_STAGING_USER
tenancy=ocid1.tenancy.oc1..aaaa_STAGING
region=us-phoenix-1
fingerprint=12:34:...
key_file=~/.oci/oci_api_key_staging.pem

# Load a specific profile
config = oci.config.from_file("~/.oci/config", profile_name="STAGING")

Resources

• OCI API Key Authentication — key generation and config file format
• OCI Python SDK Reference — full API documentation
• OCI CLI Reference — command-line interface guide
• SDK Troubleshooting — common auth and connectivity issues
• OCI Console — web dashboard for key upload and OCID lookup
• Always Free Tier — free OCI resources for development

Next Steps

After authentication is working, proceed to oraclecloud-hello-world to launch your first compute instance, or see oraclecloud-common-errors if you hit authentication issues.