Create and Manage Named Credentials
You can create named credentials in Database Management to store, manage, and use database user credentials.
Named credentials are Oracle Cloud Infrastructure resources, which contain database user credentials, namely, the database user name and password. Like other Oracle Cloud Infrastructure resources, the creation, management, and use of named credentials are controlled by Oracle Cloud Infrastructure Identity and Access Management (IAM) policies. As an administrator with the required permissions, you can create and store named credentials in Database Management, and grant user groups the permission to use named credentials to connect to a Managed Database and perform tasks such as creating a tablespace, creating a job, and editing database parameters. Named credentials can also be linked to a preferred credential to enable users to access the Managed Database and perform the tasks associated with the preferred credential.
Here are the benefits of using named credentials:
- User credentials are secure as they are saved within the named credential and are not exposed to all users. Named credentials allow a DBA with lower privileges to perform database maintenance-related tasks without having to know the database password.
- Time and effort are saved as the user credentials do not have to be specified each time you perform a task in Database Management.
- User credentials can be updated within the named credential, ensuring ease of maintenance.
- Named credentials ensure consistency and avoid errors that may result from using different user credentials.
Named credentials have the following scope categories:
- Resource: A named credential with the Resource scope can be used with a single Managed Database.
- Global: A named credential with the Global scope can be used with all the Managed Databases.
In Database Management, named credentials are available on:
- Administration Named credentials page: On this page, you can view all the Resource and Global named credentials created in the compartment and perform the tasks pertaining to named credentials. To go to this page:
- Open the navigation menu in the Oracle Cloud Infrastructure console, click Observability & Management. Under Database Management, click Administration.
- On the left pane, click Named Credentials and select a compartment in the Compartment drop-down list.
- Managed database details page: On the left pane under Resources, click Credentials and then click the Named credentials tab. On the Named credentials tab, you can view the named credentials created for the Managed Database and the Global named credentials in the compartment, and perform the tasks pertaining to named credentials.
Perform Prerequisite Tasks and Obtain Required Permissions
Here's a list of typical tasks that must be performed before creating named credentials.
- The Database Administrator creates the database user credentials. For information on how to create user accounts, see Creating User Accounts in Oracle Database Security Guide.
- An Oracle Cloud Infrastructure user with the required permissions creates a Vault service secret for the database user password. The secret can be created in a different compartment or in the same compartment with a different or the same vault key.
Here's an example of the policy that grants a user group the permission to create secrets:
Allow group DB-MGMT-USER to manage secret-family in compartment ABC
For information on how to create a secret, see Creating a Secret in a Vault.
- The Database Administrator with the required Oracle Cloud Infrastructure permissions creates one of the following types of policies to provide access to the Vault service secret with the database user password:
- User: The permission to access the password secret is defined for a user in the policy.
Here's an example of the policy that grants a user the permission to access the secret:
Allow any-user to read secret in compartment ABC where request.user.id = <user_OCID>
- Resource: The permission to access the password secret is defined for the type of resource in the policy. Named credentials are supported for Database Management-enabled Oracle Databases resources (dbmgmtmanageddatabase).
Here's an example of the policy that grants this resource-type the permission to access the secret:
Allow any-user to read secret-family in compartment ABC where ALL {request.principal.type='dbmgmtmanageddatabase'}
On performing the prerequisite tasks, a user with the Database Management dbmgmt-named-credentials resource permissions can create and manage named credentials. Here are a few examples of the policies that grant user groups the required permissions:
- To grant the DB-MGMT-ADMIN user group the permission to create named credentials for all the Managed Databases in compartment ABC:
Allow group DB-MGMT-ADMIN to manage dbmgmt-named-credentials in compartment ABC
Allow group DB-MGMT-ADMIN to use dbmgmt-managed-databases in compartment ABC
- To grant the DB-MGMT-ADMIN user group the permission to delete the named credentials in compartment ABC:
Allow group DB-MGMT-ADMIN to manage dbmgmt-named-credentials in compartment ABC
- To grant the DB-MGMT-ADMIN user group the permission to move the named credentials in compartment ABC to another compartment:
Allow group DB-MGMT-ADMIN to manage dbmgmt-named-credentials in compartment ABC
Once a named credential is created, the permission to use the named credential to perform various Database Management Diagnostics & Management tasks must be granted to user groups (in addition to other required permissions). For example, here are the policies that grant the DB-MGMT-USER user group the permission to create a tablespace and use named credentials to do so:
Allow group DB-MGMT-USER to use dbmgmt-managed-databases in compartment ABC
Allow group DB-MGMT-USER to read dbmgmt-named-credentials in compartment ABC
For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
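A review aid for the policy statements in this section, added here as an example and not Oracle's code: it parses each statement, flags any-user access to secrets that carries no principal condition, and lists who holds manage on dbmgmt-named-credentials. The function names, the substring heuristic for the where clause, and the last two sample statements are constructed for illustration.

```python
import re

# OCI policy verbs, least to most privileged.
VERBS = ["inspect", "read", "use", "manage"]
# Secret resource-types; "secret" is the spelling used in this page's example.
SECRET_TYPES = {"secret", "secrets", "secret-bundles", "secret-family"}
# Condition variables this page uses to pin an any-user statement to a principal.
PRINCIPAL_KEYS = ("request.user.id", "request.principal.type")

STATEMENT = re.compile(
    r"^allow\s+(?P<subject>any-user|group\s+\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?:tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+))?$",
    re.IGNORECASE,
)


def lint(statement):
    """Return least-privilege findings for one policy statement."""
    m = STATEMENT.match(statement.strip())
    if not m:
        return ["unparsed statement, review by hand"]
    subject, verb = m["subject"].lower(), m["verb"].lower()
    resource, where = m["resource"].lower(), (m["where"] or "").lower()
    findings = []
    if resource in SECRET_TYPES and subject == "any-user":
        # Heuristic: the where clause must mention a principal variable.
        if not any(key in where for key in PRINCIPAL_KEYS):
            findings.append("any-user reaches secrets with no principal condition")
        if verb in VERBS and VERBS.index(verb) > VERBS.index("read"):
            findings.append("password secret access needs read only")
    if resource == "dbmgmt-named-credentials" and verb == "manage":
        findings.append("holds manage: can create, delete and move named credentials")
    return findings


# Statements from this page, then two constructed over-broad variants.
SAMPLE = [
    "Allow any-user to read secret in compartment ABC where request.user.id = <user_OCID>",
    "Allow any-user to read secret-family in compartment ABC where ALL {request.principal.type='dbmgmtmanageddatabase'}",
    "Allow group DB-MGMT-USER to read dbmgmt-named-credentials in compartment ABC",
    "Allow group DB-MGMT-ADMIN to manage dbmgmt-named-credentials in compartment ABC",
    "Allow any-user to read secret-family in compartment ABC",    # constructed
    "Allow any-user to manage secret-family in compartment ABC",  # constructed
]


def audit(statements):
    """Map each statement that has findings to its list of findings."""
    return {s: f for s in statements if (f := lint(s))}
```

The manage finding on dbmgmt-named-credentials is informational: it gives the reviewer the list of groups that can change or remove stored credentials, as opposed to groups that hold only read and can use them.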
Create Named Credentials
You can create named credentials to access, monitor and manage a Managed Database on the Managed database details page.
You can also create and manage named credentials on the Administration Named credentials page. For more information, see Create and Manage Named Credentials.
You can click the Actions icon for the named credential and perform the following tasks:
- Test: Click to test whether a connection is established with the Managed Database using the named credential.
- Edit: Click to edit and update the named credential.
- Move: Click to move the named credential from the current compartment to another compartment.
- Delete: Click to delete the named credential.