Working with the OCI CLI Container Image
The Oracle Cloud Infrastructure (OCI) Command Line Interface (CLI) Container Image is a Docker image that has the OCI CLI tools pre-installed. This section covers how to install and use the OCI CLI Container Image.
Requirements
To use the OCI CLI container image, you must have:
- A standards-compliant container runtime engine, such as Docker or Podman
- An Oracle Cloud Infrastructure tenancy
- A user account in that tenancy that belongs to a group to which appropriate policies have been assigned to grant the required permissions.
- A keypair used for signing API requests, with the public key uploaded to Oracle. Only the user calling the API should possess the private key. For more information, see Configuring the CLI.
For examples of how to set up a new user, group, compartment, and policy, see Adding Users. For a list of other typical OCI policies, review the list of common policies.
Using the OCI CLI container image
$ docker pull ghcr.io/oracle/oci-cli:latest
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ghcr.io/oracle/oci-cli latest 387639e80a9a 3 days ago 711MB
Tag the image as oci to make it a more seamless drop-in replacement:
$ docker tag ghcr.io/oracle/oci-cli:latest oci
$ docker images oci
REPOSITORY TAG IMAGE ID CREATED SIZE
oci latest 387639e80a9a 3 days ago 711MB
$ docker run -v "$HOME/.oci:/oracle/.oci" oci os ns get
{
"data": "demo-tenancy"
}
$ alias oci='docker run --rm -it -v "$HOME/.oci:/oracle/.oci" oci'
$ oci os ns get
{
"data": "demo-tenancy"
}
API Signing Key Authentication
This is the default authentication method used by all OCI SDKs and the OCI CLI. To use this method, mount a location on the host system to the /oracle/.oci directory inside the container.
If you have previously configured the OCI CLI on the host machine, the easiest way to provide access to your API signing key is to map your $HOME/.oci directory to /oracle/.oci/ inside the container.
$ docker run --rm -it -v "$HOME/.oci:/oracle/.oci" ghcr.io/oracle/oci-cli os ns get
{
"data": "example"
}
You can also pass the OCI_CLI_CONFIG_FILE environment variable to use a different location for the OCI CLI config file.
Ensure that the key_file field in $HOME/.oci/config uses the ~ character so that the path resolves both inside and outside the container; for example:
key_file=~/.oci/oci_api_key.pem
Create the $HOME/.oci directory:
mkdir $HOME/.oci
docker run --rm -it -v "$HOME/.oci:/oracle/.oci" ghcr.io/oracle/oci-cli setup config
For more information, see Setting Up the Configuration File.
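A pre-flight check for the directory being mounted, as an added example that is not part of Oracle's documentation or image: it flags key_file entries that do not use the ~/.oci/ form and private keys whose mode grants anything to group or others. The function names oci_dir_findings and oci_checked are hypothetical, and the read-only (:ro) mount is an added assumption that suits commands that only read the configuration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Function names are hypothetical.

# Print one finding per line for the OCI config directory DIR (no output = clean).
oci_dir_findings() {
    dir=$1
    config="$dir/config"
    [ -f "$config" ] || { echo "missing config file: $config"; return 0; }
    # Each profile has its own key_file entry; keep only the value.
    sed -n 's/^[[:space:]]*key_file[[:space:]]*=[[:space:]]*//p' "$config" |
    while IFS= read -r path; do
        case $path in
            "~/.oci/"*) ;;   # resolves on the host and under /oracle in the container
            *) echo "key_file does not resolve inside the container: $path"
               continue ;;
        esac
        # Map ~/.oci/<name> onto the directory being checked.
        key="$dir/${path#*/.oci/}"
        if [ ! -f "$key" ]; then
            echo "key_file not found in mounted directory: $path"
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            # Characters 5-10 of the mode string are the group and other bits.
            echo "private key accessible to group or others: $path"
        fi
    done
}

# Run the CLI only when the directory is clean.
# Assumption: :ro is an added hardening choice for commands that only read
# ~/.oci; "setup config" and "session authenticate" write there and need rw.
oci_checked() {
    findings=$(oci_dir_findings "$HOME/.oci")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
    docker run --rm -it -v "$HOME/.oci:/oracle/.oci:ro" ghcr.io/oracle/oci-cli "$@"
}
```

After sourcing the file, oci_checked os ns get runs the same command as above but stops with the findings on stderr if the directory fails the check.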
Session token authentication
docker run --rm -it \
-v "$HOME/.oci:/oracle/.oci" \
-p 8181:8181 \
ghcr.io/oracle/oci-cli session authenticate
For more information, see Token-based Authentication for the CLI.
Instance principal authentication
--auth instance_principal command-line parameter:
docker run --rm -it ghcr.io/oracle/oci-cli --auth instance_principal os ns get
OCI_CLI_AUTH environment variable:
docker run --rm -it -e OCI_CLI_AUTH=instance_principal ghcr.io/oracle/oci-cli os ns get
If you created a shell alias, add it to the alias definition.
For more information, see OCI SDK Authentication Methods.
Local file access
The simplest way to allow the OCI CLI running inside the container to access files on the host is to bind mount a directory from the host into the container.
The $HOME/scratch directory is bind mounted as /oracle/scratch in the container so that the files inside that directory can be bulk uploaded to OCI Object Storage using the OCI CLI:
docker run --rm -it \
-v "$HOME/.oci:/oracle/.oci" \
-v "$HOME/scratch:/oracle/scratch" \
ghcr.io/oracle/oci-cli os object bulk-upload -ns <namespace> -bn <bucket name> --src-dir /oracle/scratch/
Building from Source
The source code required to build the OCI CLI container image can be found at https://github.com/oracle/docker-images/tree/main/OracleCloudInfrastructure/oci-cli.