
"oci session authenticate" user experience is confusing

Open forana opened this issue 3 years ago • 9 comments

I followed these instructions: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm

I authenticated successfully, and oci session validate succeeds. However, any API interaction results in the error:

ERROR: The config file at ~/.oci/config is invalid:

+Config Errors---+----------------------------------------------------------------------------+
| Key  | Error   | Hint                                                                       |
+------+---------+----------------------------------------------------------------------------+
| user | missing | log into the console and go to the user's settings page to find their OCID |
+------+---------+----------------------------------------------------------------------------+

The user key is indeed missing from ~/.oci/config. Running oci session refresh did not add it.

There are a total of two Google results for this error, and neither was useful - opened this issue to hopefully get this resolved, and add a Google result for anyone else who hit this. After figuring out how to find my OCID from the console and adding it manually to ~/.oci/config, then trying an API interaction, I got a new error message:

WARNING: The active profile contains a value for 'security_token_file' which is not being used. To authenticate using the token, specify --auth security_token

This showed me that I had misunderstood the instructions at the bottom, where the --auth security_token parameter was mentioned as necessary for all CLI interactions using this auth. This was a confusing experience because the page reads like two alternatives - authenticating with a browser and without. I chose the former, and proceeded to the next page of instructions - missing that critical step.

Several suggestions for resolving this:

  1. Make it extremely clear in the docs that that parameter is required.
  2. For that error message case, if security_token_file is present in the profile, include an additional (did you forget to pass '--auth security_token'?) message (or something like that).
  3. Add a configuration option that has the same effect as --auth security_token, and set that when a profile is created using oci session validate.

forana avatar Oct 12 '21 14:10 forana

I'm struggling with the same. When running oci session authenticate, the configured profile doesn't create the user entry: user = ocid1.user.oc1..aaaXXX. I wanted to use an OCI session only once for creating an API key for the same user in a pragmatic way. Without this field I don't know the user OCID, and the --user-id argument can't be provided automatically for the

oci --config-file ~/.oci/sso-config --profile SSO --auth security_token iam user api-key upload --user-id <MISSING ID> --key-file ~/.oci/id_rsa.pub

Is it possible to add this user OCID during session authenticate?

zalewma avatar Nov 16 '21 16:11 zalewma

I have been suffering from the exact same experience. My workaround is to use oci setup config and forget about oci session.

davidkhala avatar May 11 '22 03:05 davidkhala

When you run "oci session authenticate", it shows you an example of how to run a command using --auth security_token and the correct profile.

The doc has "Validating a Token": https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm

oci session validate --config-file <path_to_config_file> --profile <profile_name> --auth security_token

which also mentions --auth security_token.

Session-based auth doesn't need the user OCID.

harshkumar-dev avatar Jun 02 '22 15:06 harshkumar-dev

To add on to what @harshkumar-dev said, you can also set an environment variable (@forana maybe put it in your ~/.bashrc):

export OCI_CLI_AUTH=security_token

It would be really nice if oci session authenticate would just write authentication_type=security_token in the profile in ~/.oci/config when it is writing security_token_file and all the other things that only work for auth type security_token.

But unfortunately the OCI Python SDK doesn't support an authentication_type of security_token in the config:

https://github.com/oracle/oci-python-sdk/blob/60f042354caef47ce0008b9969962ff3481d91c1/src/oci/util.py#L29-L33

https://github.com/oracle/oci-python-sdk/blob/60f042354caef47ce0008b9969962ff3481d91c1/src/oci/util.py#L212-L224

b-dean avatar Sep 07 '22 16:09 b-dean
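
A pre-flight check for the situation discussed in the comments above, added here as an example (it is not part of the thread, oci-cli, or the OCI SDK). It classifies a profile by whether it carries security_token_file or user and whether OCI_CLI_AUTH is set; the function name, status strings, and sample config values are constructed for illustration.

```python
import configparser

# Constructed sample, shaped like the profiles described in this thread;
# every value is a placeholder.
SAMPLE_CONFIG = """\
[APIKEY]
user = ocid1.user.oc1..exampleuser
fingerprint = aa:bb:cc:dd
key_file = ~/.oci/oci_api_key.pem
tenancy = ocid1.tenancy.oc1..exampletenancy
region = us-ashburn-1

[SSO]
fingerprint = 11:22:33:44
key_file = ~/.oci/sessions/SSO/oci_api_key.pem
tenancy = ocid1.tenancy.oc1..exampletenancy
region = us-ashburn-1
security_token_file = ~/.oci/sessions/SSO/token
"""

def diagnose_profile(config_text, profile, env):
    """Return (status, hint) for one profile; `env` is a dict like os.environ."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if profile not in parser:
        return ("missing_profile", f"no [{profile}] section in the config")
    section = parser[profile]  # configparser also merges in any [DEFAULT] keys
    has_token = bool(section.get("security_token_file"))
    has_user = bool(section.get("user"))
    token_auth = env.get("OCI_CLI_AUTH") == "security_token"
    if has_token and token_auth:
        return ("session_ok", "OCI_CLI_AUTH=security_token is set")
    if has_token:
        # The case from this issue: a token exists but the CLI is not told to use it,
        # whether or not 'user' was added to the profile by hand.
        return ("session_needs_auth",
                "pass --auth security_token or export OCI_CLI_AUTH=security_token")
    if token_auth:
        return ("env_mismatch", "OCI_CLI_AUTH is set but the profile has no token file")
    if has_user:
        return ("api_key", "API key profile; the default auth applies")
    return ("incomplete", "neither 'user' nor 'security_token_file' is set")

if __name__ == "__main__":
    import os
    for name in ("APIKEY", "SSO"):
        print(name, diagnose_profile(SAMPLE_CONFIG, name, os.environ))
```
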

Also, it doesn't seem to honor the --token-location arg at all. I have several versions of OCI CLI and Python, and am trying to scope all the work dedicated to a specific env within a dedicated folder (via pyenv-virtualenv, direnv, etc.) - I'm not able to do this, as every time I run oci session authenticate it creates ~/.oci and drops tokens there. It also doesn't seem to honor the OCI_CLI_CONFIG_FILE env var, but at least the --config-location arg works. Tried this with oci cli version 3.30.1 today.

romkhub avatar Aug 03 '23 18:08 romkhub