
oci iam group create --compartment-id <other than tenancy's default> returns "Tenant id is not equal to compartment id"

Open hecnavsanz opened this issue 2 years ago • 4 comments

Basically my question is ... how to create a group (and a user too) in an identity domain distinct from the tenancy's default (root) using the oci-cli ... as you can do using the Web Console?

It seems there's no way to specify the --domain-id when creating a group in a domain different from the tenancy's default, because in the command oci iam group create the --compartment-id should be replaced by --domain-id (or something like that). What I think it does now, based on the error message, is that --compartment-id must be the same as the tenancy entry in the $HOME/.oci/config file. In fact, in the --help output the --compartment-id says "The OCID of the tenancy containing the group. If not provided, this parameter will use the tenancy’s OCID (root compartment’s OCID) from the config file." but I cannot provide anything other than the tenancy entry in the $HOME/.oci/config file, so it only lets me create users and groups in the tenancy's default compartment but not in others.

hecnavsanz avatar Dec 23 '22 18:12 hecnavsanz

IAM with Identity Domains can be manipulated using the IDCS REST API only, for non-default domains. IAM Domains REST: https://docs.oracle.com/en/cloud/paas/iam-domains-rest-api/toc.htm. Support for OCI CLI for Identity Domains is on the roadmap.

adizohar avatar Dec 23 '22 22:12 adizohar

@adizohar thanks for the clarification ... I'll check for updates on this in new releases coming.

hecnavsanz avatar Dec 24 '22 13:12 hecnavsanz

@adizohar I'm checking the API ref: https://docs.oracle.com/en-us/iaas/api/#/en/identity/20160918/datatypes/CreateUserDetails and there's no way to specify the identity domain .. again only the compartmentId attr is supported .. I've been trying to provide the domain-id but it says "Authorization failed or requested resource not found" (as expected).

Also I'm trying just to list a specific compartment using the REST API with this code in python to get a non-root compartment id:

import requests
from oci.config import from_file
from oci.signer import Signer

# read $HOME/.oci/config settings
config = from_file()

# set oci variables (removed "\r" from the end bcz of running script
# in OL8 container which mounts oci config file from Windows)
tenancy_id = config['tenancy'].rstrip()
user_id = config['user'].rstrip()
fingerprint_key = config['fingerprint'].rstrip()
priv_key_file_loc = config['key_file'].rstrip()
region_name = config['region'].rstrip()

# set rest api authentication settings
auth = Signer(
    tenancy=tenancy_id,
    user=user_id,
    fingerprint=fingerprint_key,
    private_key_file_location=priv_key_file_loc
)

# set compartment and user api endpoints
main_endpoint = 'https://identity.' + region_name + '.oci.oraclecloud.com/20160918'
compartment_endpoint = main_endpoint + '/compartments/'

# set cert compartment body (to list)
compartment_body = {
    'compartmentId': tenancy_id,
    'accessLevel': 'ANY',
    'compartmentIdInSubtree': True,
    'name': 'oci-cert',
    'lifecycleState': 'ACTIVE'
}

# get cert compartment id
# NOTE: ListCompartments reads these filters from the query string (params=),
# not from a JSON body; sending json= on the GET is what triggers the 400 below
compartment_response = requests.get(compartment_endpoint, json=compartment_body, auth=auth)
compartment_response.raise_for_status()
print(compartment_response.json())

and I'm getting the error:

Traceback (most recent call last):
  File "/vagrant/labs/oci-python/foundations/lab-01/identity-domain/rest-api/create-identity-domain-user-group-policy.py", line 51, in <module>
    compartment_response.raise_for_status()
  File "/home/oracle/oci-python-sdk-venv/lib/python3.8/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://identity.ca-toronto-1.oci.oraclecloud.com/20160918/compartments/

with this other:

{'code': 'InvalidParameter', 'message': "Invalid parameter 'compartmentId'"}

hecnavsanz avatar Dec 25 '22 13:12 hecnavsanz

The only API that supports identity domains is the IDCS APIs: https://docs.oracle.com/en/cloud/paas/iam-domains-rest-api/toc.htm. Support for identity domains will come in future releases. About listing compartments, below is an example using the Python SDK:

import oci

# read the DEFAULT profile from ~/.oci/config
config = oci.config.from_file("~/.oci/config", "DEFAULT")
identity_client = oci.identity.IdentityClient(config)
tenant_id = config['tenancy']

# list_call_get_all_results follows the opc-next-page token so every page is returned
compartments = oci.pagination.list_call_get_all_results(
    identity_client.list_compartments,
    compartment_id=tenant_id,
    compartment_id_in_subtree=True,
    lifecycle_state="ACTIVE")
print(compartments.data)

adizohar avatar Dec 25 '22 13:12 adizohar
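The 400 "Invalid parameter 'compartmentId'" in the earlier comment comes from the request shape rather than the credentials: ListCompartments reads its filters (compartmentId, accessLevel, compartmentIdInSubtree, name, lifecycleState, page) from the query string, while the posted script sends them as a JSON body on a GET. The example below is added here and is not code from the thread or from the oci-cli / oci-python-sdk projects. It builds the query the way the Identity API expects, follows the opc-next-page header until every page is fetched, and injects the HTTP transport so the logic can run offline against a constructed stand-in; the tenancy and compartment OCIDs, the page token and the compartment names are constructed sample values. With a real transport, for example functools.partial(requests.get, auth=oci.signer.Signer(...)), the same functions call the live endpoint.

```python
"""Added example: ListCompartments over the OCI Identity REST API with the
filters in the query string (not a JSON body) and opc-next-page pagination.
The transport is injected; fake_identity_get below is a constructed stand-in
for requests.get so everything runs offline."""
from typing import Callable, Dict, List, Optional

IDENTITY_API_VERSION = "20160918"


def identity_endpoint(region: str) -> str:
    """Base URL of the Identity API in a region (same scheme the issue uses)."""
    return f"https://identity.{region}.oci.oraclecloud.com/{IDENTITY_API_VERSION}"


def list_compartments_query(tenancy_id: str, name: Optional[str] = None,
                            access_level: str = "ANY", in_subtree: bool = True,
                            lifecycle_state: str = "ACTIVE",
                            page: Optional[str] = None) -> Dict[str, str]:
    """Query parameters for ListCompartments. Booleans are sent as the
    lowercase 'true'/'false' the API expects, not Python's 'True'."""
    query = {
        "compartmentId": tenancy_id,
        "accessLevel": access_level,
        "compartmentIdInSubtree": "true" if in_subtree else "false",
        "lifecycleState": lifecycle_state,
    }
    if name:
        query["name"] = name
    if page:
        query["page"] = page
    return query


def list_all_compartments(get: Callable, region: str, tenancy_id: str,
                          **filters) -> List[dict]:
    """GET /compartments with params=, following opc-next-page until exhausted.
    `get` has the requests.get signature; in real use wrap it with the Signer:
    functools.partial(requests.get, auth=oci.signer.Signer(...))."""
    url = identity_endpoint(region) + "/compartments"
    results: List[dict] = []
    page = None
    while True:
        resp = get(url, params=list_compartments_query(tenancy_id, page=page, **filters))
        resp.raise_for_status()
        results.extend(resp.json())
        page = resp.headers.get("opc-next-page")
        if not page:
            return results


def find_compartment_id(get: Callable, region: str, tenancy_id: str,
                        name: str) -> Optional[str]:
    """OCID of the first ACTIVE compartment whose name matches exactly, or None."""
    for compartment in list_all_compartments(get, region, tenancy_id, name=name):
        if compartment["name"] == name:
            return compartment["id"]
    return None


class _FakeResponse:
    """Minimal requests.Response look-alike used by the constructed transport."""

    def __init__(self, status_code: int, body, headers: Optional[dict] = None):
        self.status_code = status_code
        self._body = body
        self.headers = headers or {}

    def json(self):
        return self._body

    def raise_for_status(self) -> None:
        if self.status_code >= 400:
            raise RuntimeError(f"{self.status_code} Client Error: {self._body}")


# Constructed sample data: OCIDs and names are placeholders, not real resources.
_FAKE_COMPARTMENTS = [
    {"id": "ocid1.compartment.oc1..constructed0001", "name": "oci-cert", "lifecycleState": "ACTIVE"},
    {"id": "ocid1.compartment.oc1..constructed0002", "name": "network", "lifecycleState": "ACTIVE"},
    {"id": "ocid1.compartment.oc1..constructed0003", "name": "oci-cert-old", "lifecycleState": "ACTIVE"},
]


def fake_identity_get(url: str, params: Optional[dict] = None, json=None, **_) -> _FakeResponse:
    """Constructed stand-in for requests.get against the Identity API. It mirrors
    the two behaviours seen in the thread: filters in a JSON body (or a missing
    compartmentId) are rejected with 400 InvalidParameter; filters in the query
    string return the matching compartments split across two pages."""
    if json is not None or not params or "compartmentId" not in params:
        return _FakeResponse(400, {"code": "InvalidParameter",
                                   "message": "Invalid parameter 'compartmentId'"})
    rows = [c for c in _FAKE_COMPARTMENTS
            if not params.get("name") or c["name"] == params["name"]]
    if params.get("page") is None:
        return _FakeResponse(200, rows[:1], {"opc-next-page": "constructed-page-token"})
    return _FakeResponse(200, rows[1:])


def reproduce_issue_error() -> dict:
    """The request shape from the issue (filters as json= on a GET) and the body
    the service answers with."""
    resp = fake_identity_get(identity_endpoint("ca-toronto-1") + "/compartments",
                             json={"compartmentId": "ocid1.tenancy.oc1..constructed",
                                   "name": "oci-cert"})
    return resp.json()


if __name__ == "__main__":
    tenancy = "ocid1.tenancy.oc1..constructed"
    print(reproduce_issue_error())
    print(find_compartment_id(fake_identity_get, "ca-toronto-1", tenancy, "oci-cert"))
```

The name filter is passed to the service rather than applied client-side only, so a tenancy with hundreds of compartments does not have to be paged through in full; the exact-match check in find_compartment_id is kept because the API's name filter is the only thing the caller should trust for the OCID it then uses in policies.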