Create and Manage Named Credentials

You can create named credentials in Database Management to store, manage, and use database user credentials.

Named credentials are Oracle Cloud Infrastructure resources that contain database user credentials, namely, the database user name and password. Like other Oracle Cloud Infrastructure resources, the creation, management, and use of named credentials are controlled by Oracle Cloud Infrastructure Identity and Access Management (IAM) policies. As an administrator with the required permissions, you can create and store named credentials in Database Management, and grant user groups the permission to use named credentials to connect to a Managed Database and perform tasks such as creating a tablespace, creating a job, and editing database parameters. In addition, named credentials can be linked to a preferred credential to enable users to access the Managed Database and perform the tasks associated with the preferred credential.

Here are the benefits of using named credentials:

  • User credentials are secure as they are saved within the named credential and are not exposed to all users. Named credentials allow a DBA with lower privileges to perform database maintenance-related tasks without having to know the database password.
  • Time and effort are saved as the user credentials do not have to be specified each time you perform a task in Database Management.
  • User credentials can be updated within the named credential ensuring ease of maintenance.
  • Named credentials ensure consistency and avoid errors that may result from using different user credentials.

Named credentials have the following scope categories:

  • Resource: A named credential with the Resource scope can be used with a single Managed Database.
  • Global: A named credential with the Global scope can be used with all the Managed Databases.

In Database Management, named credentials are available on:

  • Administration Named credentials page: On this page, you can view all the Resource and Global named credentials created in the compartment and perform the tasks pertaining to named credentials. To go to this page:
    1. Open the navigation menu in the Oracle Cloud Infrastructure console, click Observability & Management. Under Database Management, click Administration.
    2. On the left pane, click Named Credentials and select a compartment in the Compartment drop-down list.
  • Managed database details page: On the left pane under Resources, click Credentials and then click the Named credentials tab. On the Named credentials tab, you can view the named credentials created for the Managed Database and the Global named credentials in the compartment, and perform the tasks pertaining to named credentials.

Perform Prerequisite Tasks and Obtain Required Permissions

Here's a list of typical tasks that must be performed before creating named credentials.

  1. The Database Administrator creates the database user credentials. For information on how to create user accounts, see Creating User Accounts in Oracle Database Security Guide.
  2. An Oracle Cloud Infrastructure user with the required permissions creates a Vault service secret for the database user password. The secret can be created in a different compartment or in the same compartment with a different or the same vault key.

    Here's an example of the policy that grants a user group the permission to create secrets:

    Allow group DB-MGMT-USER to manage secret-family in compartment ABC

    For information on how to create a secret, see Creating a Secret in a Vault.

  3. The Database Administrator with the required Oracle Cloud Infrastructure permissions creates one of the following types of policies to provide access to the Vault service secret with the database user password:
    • User: The permission to access the password secret is defined for a user in the policy.

      Here's an example of the policy that grants a user the permission to access the secret:

      Allow any-user to read secret in compartment ABC where request.user.id = <user_OCID>
    • Resource: The permission to access the password secret is defined for the type of resource in the policy.

      Named credentials are supported for Database Management-enabled Oracle Database resources (dbmgmtmanageddatabase). Here's an example of the policy that grants this resource type the permission to access the secret:

      Allow any-user to read secret-family in compartment ABC where ALL {request.principal.type='dbmgmtmanageddatabase'}

After the prerequisite tasks are performed, a user with the Database Management dbmgmt-named-credentials resource permissions can create and manage named credentials. Here are a few examples of the policies that grant user groups the required permissions:

  • To grant the DB-MGMT-ADMIN user group the permission to create named credentials for all the Managed Databases in compartment ABC:
    Allow group DB-MGMT-ADMIN to manage dbmgmt-named-credentials in compartment ABC
    Allow group DB-MGMT-ADMIN to use dbmgmt-managed-databases in compartment ABC
  • To grant the DB-MGMT-ADMIN user group the permission to delete the named credentials in compartment ABC:
    Allow group DB-MGMT-ADMIN to manage dbmgmt-named-credentials in compartment ABC
  • To grant the DB-MGMT-ADMIN user group the permission to move the named credentials in compartment ABC to another compartment:
    Allow group DB-MGMT-ADMIN to manage dbmgmt-named-credentials in compartment ABC

Once a named credential is created, the permission to use the named credential to perform various Database Management Diagnostics & Management tasks must be granted to user groups (in addition to other required permissions). For example, here are the policies that grant the DB-MGMT-USER user group the permission to create a tablespace and use named credentials to do so:

Allow group DB-MGMT-USER to use dbmgmt-managed-databases in compartment ABC
Allow group DB-MGMT-USER to read dbmgmt-named-credentials in compartment ABC

For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
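The policy statements in this section are easy to get subtly wrong, so here is a small static check (added example, not Oracle's tooling) that parses statements of the shape shown above and answers two questions a reviewer cares about: does a group end up with more than `read` on named credentials or any direct access to the password secret, and is any `any-user` grant missing its `where` clause. Verb inclusion (`manage` includes `use`, `read`, `inspect`) is real OCI behaviour; treating resource-type names literally and skipping conditional grants are simplifications of this example.

```python
import re
from typing import Dict, List, Optional

# OCI policy verbs from least to most permissive; a higher verb includes the lower ones.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Statement shape used throughout this page:
# Allow <group NAME | any-user> to <verb> <resource-type> in compartment <name> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>group\s+\S+|any-user)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+compartment\s+(?P<compartment>\S+)(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE)

Statement = Dict[str, Optional[str]]  # keys: subject, verb, resource, compartment, condition


def parse_policy(text: str) -> List[Statement]:
    statements = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = STATEMENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised policy statement: {line}")
        s = {k: (v.lower() if v and k != "condition" else v) for k, v in m.groupdict().items()}
        statements.append(s)
    return statements


def allows(statements: List[Statement], group: str, verb: str, resource: str, compartment: str) -> bool:
    """True if `group` holds at least `verb` on `resource` (literal match) in `compartment`. Conditional
    any-user grants are skipped: their where clause needs request context a static check cannot evaluate."""
    for s in statements:
        applies = s["subject"] == f"group {group.lower()}" or (s["subject"] == "any-user" and s["condition"] is None)
        if applies and s["resource"] == resource.lower() and s["compartment"] == compartment.lower() \
                and VERB_RANK[s["verb"]] >= VERB_RANK[verb]:
            return True
    return False


def unconditional_any_user_grants(statements: List[Statement]) -> List[Statement]:
    # An any-user grant with no where clause applies to every principal in the tenancy; on a
    # secret holding a database password it defeats the purpose of a named credential.
    return [s for s in statements if s["subject"] == "any-user" and s["condition"] is None]


# Constructed sample: the statements from this page, with its <user_OCID> placeholder left as-is.
PAGE_POLICY = """
Allow group DB-MGMT-ADMIN to manage dbmgmt-named-credentials in compartment ABC
Allow group DB-MGMT-ADMIN to use dbmgmt-managed-databases in compartment ABC
Allow group DB-MGMT-USER to use dbmgmt-managed-databases in compartment ABC
Allow group DB-MGMT-USER to read dbmgmt-named-credentials in compartment ABC
Allow any-user to read secret in compartment ABC where request.user.id = <user_OCID>
Allow any-user to read secret-family in compartment ABC where ALL {request.principal.type='dbmgmtmanageddatabase'}
"""
```

Running `allows(parse_policy(PAGE_POLICY), "DB-MGMT-USER", "read", "secret-family", "ABC")` returns False, which is the property the page describes: the user group can use the named credential without ever being able to read the password secret itself.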

Create Named Credentials

You can create named credentials to access, monitor and manage a Managed Database on the Managed database details page.

Note

You can also create and manage named credentials on the Administration Named credentials page. For more information, see Create and Manage Named Credentials.
  1. Go to the Managed database details page and on the left pane under Resources, click Credentials.
  2. Click the Named credentials tab.
    The named credentials, if any, in the compartment are listed. To view the named credentials in another compartment, click Change compartment. In addition, you can use the options in the View by drop-down list and the Search by name field to filter the list of named credentials.
  3. Click Create named credential.
  4. In the Create named credential panel:
    1. Provide the following information in the General section:
      1. Name: Review the unique name displayed for the named credential and change it, if required.
      2. Description: Optionally, enter a description for the named credential.
    2. Review the database details and set the named credential as a preferred credential, if required, in the Resource section:
      1. Type: Review the resource type. Oracle Database is selected by default and this field cannot be edited.
      2. Scope: Select the scope of the named credential:
        • Resource: A named credential with the Resource scope can be used to access, monitor and manage a single Managed Database.
        • Global: A named credential with the Global scope can be used to access, monitor and manage all the Managed Databases.
      3. Resource name: Review the name of the Managed Database. This field cannot be edited when the Create named credential panel is accessed from the Managed database details page.
        Note

        To create a named credential for a different Managed Database, go to the Administration Named credentials page.
      4. Set as preferred credential: Optionally, select this check box and select a preferred credential. If you opt to link the named credential to a preferred credential, you can use the named credential to perform the tasks associated with the preferred credential. For information on preferred credentials, see Set Preferred Credentials.
        Note

        A preferred credential is set for a particular Managed Database, therefore, the Set as preferred credential check box is not displayed if the Global scope option is selected.
    3. Specify the following credential details:
      • User name: Enter the database user name to connect to the Managed Database.
      • User password secret: Select the secret that contains the database user password from the drop-down list. If the compartment in which the secret resides is different from the compartment displayed, click Change compartment and select another compartment.

        If an existing secret with the database user password is not available, then select Create new secret... in the drop-down list. For information on the permission required to create a secret and how to create a secret, see Perform Prerequisite Tasks and Obtain Required Permissions.

      • Role: Select the role from the available options, NORMAL or SYSDBA.
      • Password secret access mode: Select the password secret access mode:
        • User: The permission to access the password secret is defined for a user in the policy.
        • Resource: The permission to access the password secret is defined for the type of resource (for which the named credential is created) in the policy.

        For information on the policies that provide access to the secret with the database user password, see Perform Prerequisite Tasks and Obtain Required Permissions.

    4. Optionally, click Show advanced options to add free-form or defined tags to the named credential. If you have the permissions required to create a named credential, then you also have permissions to add free-form tags. To add a defined tag, you must have permissions to use the tag namespace.

    5. Optionally, click Test to check whether the connection to the Managed Database is established successfully using the credentials.
    6. Click Create to create the named credential.
The newly created named credential is listed on the Named credentials tab in the Credentials section and can be used to perform various tasks such as creating jobs and SQL tuning sets. You can click the name of the named credential to view credential information such as its OCID, scope, and associated resources (Managed Databases) and perform tag-related tasks.

You can click the Actions icon for the named credential and perform the following tasks:

  • Test: Click to test whether a connection is established with the Managed Database using the named credential.
  • Edit: Click to edit and update the named credential.
  • Move: Click to move the named credential from the current compartment to another compartment.
  • Delete: Click to delete the named credential.