OCI in powershell 7 show erros of file permissions

[giovannicandido]

Running any command with oci in powershell 7.3.3 the follow warning appears:

WARNING: Permissions on C:\Users\giova\.oci\config are too open.
The following users  / groups have permissions to the file and should not: Get-Acl : The 'Get-Acl' command was found in the module 'Microsoft.PowerShell.Security', but the module could not be, loaded. For more information, run 'Import-Module Microsoft.PowerShell.Security'., At line:1 char:37, + $ex_perms=@();$defaults=@();$macls=(Get-Acl "C:\Users\giova\.oci\conf ..., +                                     ~~~~~~~, + CategoryInfo          : ObjectNotFound: (Get-Acl:String) [], CommandNotFoundException, + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule.
To fix this please try executing the following command:
oci setup repair-file-permissions --file C:\Users\giova\.oci\config
Alternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow:
SET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True
$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING="True"

WARNING: Permissions on C:\Users\giova\.oci\config are too open.
The following users  / groups have permissions to the file and should not: Get-Acl : The 'Get-Acl' command was found in the module 'Microsoft.PowerShell.Security', but the module could not be, loaded. For more information, run 'Import-Module Microsoft.PowerShell.Security'., At line:1 char:37, + $ex_perms=@();$defaults=@();$macls=(Get-Acl "C:\Users\giova\.oci\conf ..., +                                     ~~~~~~~, + CategoryInfo          : ObjectNotFound: (Get-Acl:String) [], CommandNotFoundException, + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule.
To fix this please try executing the following command:
oci setup repair-file-permissions --file C:\Users\giova\.oci\config
Alternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow:
SET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True
$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING="True"

WARNING: Permissions on C:\Users\giova\.oci\oci_api_key-nopass.pem are too open.
The following users  / groups have permissions to the file and should not: Get-Acl : The 'Get-Acl' command was found in the module 'Microsoft.PowerShell.Security', but the module could not be, loaded. For more information, run 'Import-Module Microsoft.PowerShell.Security'., At line:1 char:37, + $ex_perms=@();$defaults=@();$macls=(Get-Acl "C:\Users\giova\.oci\oci_ ..., +                                     ~~~~~~~, + CategoryInfo          : ObjectNotFound: (Get-Acl:String) [], CommandNotFoundException, + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule.
To fix this please try executing the following command:

Running the command oci setup repair-file-permissions --file C:\Users\giova.oci\config has no effect.

I think the problem is the module Microsoft.Powershell.Security not being loaded then the command fails and oci thinks the file permissions are open when they are not.

Running the command on the old powershell 5 works.

[Sarkie]

Anyone looking into this?

[github-anurag]

Hi @giovannicandido @Sarkie Thanks for reporting this issue. We will have someone look into this and get back to you. Just to confirm does this issue show up with only Powershell version 7.3.3? Or do you see this issue with other Powershell 7.x.x versions as well? Currently, we only claim support for Powershell version 6.0 and 7.1 as per https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/powershell.htm#powershellsdk_topic_SupportedPowerShellVersions

[github-anurag]

@Sarkie @giovannicandido I can't reproduce the issue. I am using pwsh 7.3.9 on mac.

PS /Users/anurggar> Get-InstalledModule

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
70.0.0               OCI.PSModules.Common                PSGallery            OCI Common module exports Cmdlets that manages features offered by OCI Modules for Powershell like History Store, OC…
70.0.0               OCI.PSModules.Identity              PSGallery            This modules provides Cmdlets for OCI Identity Service

PS /Users/anurggar> Get-OCIIdentityTenancy -TenancyId ocid1.tenancy.oc1..<tenancy-ocid>
Id                                : ocid1.tenancy.oc1..<tenancy-ocid>
Name                              : abcde
Description                       : abcde
HomeRegionKey                     : PHX
UpiIdcsCompatibilityLayerEndpoint : https://idcs-cloudinfra.upi.identity.us-phoenix-1.oci.oraclecloud.com/sm/v1/Tenants/idcs-fa88f1cbea814ffea41c1c391bf1d772
FreeformTags                      : {}
DefinedTags                       : {[OracleInternalReserved, System.Collections.Generic.Dictionary`2[System.String,System.Object]]}


PS /Users/anurggar> %
❯ ls -lrt ~/.oci/config
-rw-------  1 anurggar  staff  2728 Oct 18 10:18 /Users/anurggar/.oci/config
❯ pwsh
PowerShell 7.3.9

When you run the commands do you get the result back? If you get the response back and the issue is that you see these warnings then can you try suppressing them as suggested in the warning message?

[giovannicandido]

Hi @github-anurag I'm using Powershell 7.3.9 on Windows recently updated, other Powershell 7 versions are affected as well.

I installed oci using the official documentation.

I use to connect to kubernetes cluster in kubectl and the only way to not have constant messages on every command is to suppress the check with the env variable OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING

[giovannicandido]

Yes I get the result back

[github-anurag]

Hi @giovannicandido Can you try putting in the permissions to match the chmod 600 equivalent for linux/unix based distros. Hopefully this helps with the check.

I came across a solution here: https://stackoverflow.com/a/72020934

# Add explicit R+W permissions for current user.
icacls <filename> /grant %username%:rw
# Disable inheritance from folders
icacls <filename> /inheritance:d
# Remove default groups (Authenticated Users, System, Administrators, Users)
icacls <filename> /remove *S-1-5-11 *S-1-5-18 *S-1-5-32-544 *S-1-5-32-545

[javiernegro]

Hello. This problem keeps happening. It doesn't only print errors every time, but it delays each command execution by multiple seconds. Powershell 7 is the current release of Powershell, and the default one in Windows 11. Using the environment variable solves the issue, so clearly the problem is on the code that checks file permissions: $Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING="True"

The previous solution does not work. That only fixes the problem when running from cmd or Windows Powershell 5. Currently using Powershell 7.3.10 Core.

[KingPin]

same issue on "PowerShell 7.4.0" using windows 11 and oci -v "3.37.1"

[Copystrike]

Issue is still occurring on powershell 7.4.1 using windows 10 with OCI v3.37.6 unless ran as an admin.

[nicholi]

Receiving same warning output on PowerShell 7.4.1 (Windows 11)

WARNING: Permissions on C:\Users\nicholi\.oci\config are too open.
The following users  / groups have permissions to the file and should not: Get-Acl : The 'Get-Acl' command was found in the module 'Microsoft.PowerShell.Security', but the module could not be loaded. For more information, run 'Import-Module Microsoft.PowerShell.Security'., At line:1 char:37, + $ex_perms=@();$defaults=@();$macls=(Get-Acl "C:\Users\nicholi\.oci\co ..., +                                     ~~~~~~~, + CategoryInfo          : ObjectNotFound: (Get-Acl:String) [], CommandNotFoundException, + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule.
To fix this please try executing the following command:
oci setup repair-file-permissions --file C:\Users\nicholi\.oci\config
Alternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow:
SET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True
$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING="True"

WARNING: Permissions on C:\Users\nicholi\.oci\personal_oci_key are too open.
The following users  / groups have permissions to the file and should not: Get-Acl : The 'Get-Acl' command was found in the module 'Microsoft.PowerShell.Security', but the module could not be loaded. For more information, run 'Import-Module Microsoft.PowerShell.Security'., At line:1 char:37, + $ex_perms=@();$defaults=@();$macls=(Get-Acl "C:\Users\nicholi\.oci\pe ..., +                                     ~~~~~~~, + CategoryInfo          : ObjectNotFound: (Get-Acl:String) [], CommandNotFoundException, + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule.
To fix this please try executing the following command:
oci setup repair-file-permissions --file C:\Users\nicholi\.oci\personal_oci_key
Alternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow:
SET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True
$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING="True"

Using the base PowerShell installed with Windows, version 5.1.22621.2506, runs fine with no warnings (after modifying permissions).

In pwsh 7.x I can manually run Get-Acl without issues, so its odd the script is mentioning it can't run it. It displays the permissions as expected on config/key files. I also manually attempted to "repair" permissions on the files: disable inheritance and remove all users except myself. Still prints warnings.

Best solution is to just set env var currently and ignore warning.

Guessing it is possibly just a pwsh 7.x thing, and the mechanism used to run Get-Acl by oci tool somehow changed from 5.x -> 7.x.