Troubleshooting Connections
Identify the causes and fixes for common problems with the Database Tools service.
Unable to create, read, update, delete, or list Database Tools resources
User Permissions are Missing
Users must be granted security access via policy statements by an administrator. Authorization is required whether you are using the Console, the REST API with an SDK, or the CLI. If you get a message that you do not have permission or are unauthorized, verify with your OCI tenancy administrator what type of access you have and which compartment to work in.
Example policy for Database Tools connection managers:
allow group <group_name> to use virtual-network-family in compartment <compartment_name>
allow group <group_name> to read database-family in compartment <compartment_name>
allow group <group_name> to read autonomous-database-family in compartment <compartment_name>
allow group <group_name> to use vaults in compartment <compartment_name>
allow group <group_name> to use keys in compartment <compartment_name>
allow group <group_name> to manage secret-family in compartment <compartment_name>
allow group <group_name> to use database-tools-family in compartment <compartment_name>
allow group <group_name> to manage database-tools-connections in compartment <compartment_name>
allow group <group_name> to use database-tools-connections in compartment <compartment_name>
where target.resource.id != <dbtools-connection-ocid>
Wrong Compartment Specified
Within the Console, ensure that you choose the compartment that contains the Database Tools connection or private endpoint that you want to work with. Also, ensure that an administrator has granted you access to Database Tools resources in that compartment. The compartment in which you created a connection can be different than compartments that contain the target Autonomous Database, Oracle Base Database or MySQL DB system.
Troubleshooting issues for new connections
Review common causes for issues with new Database Tools connections.
User Input or Database User State was Incorrect
Creating a new connection requires input or selections from a user during the creation process. Verify the following details are selected or entered correctly for your connection:
- Connection string, host, and TCP port
- Database username
- Database password as stored in the vault service
- Wallet file as stored in the vault service
The database user should be in a valid state. Verify the following for this connection:
- Database user has all required database privileges or grants
- Database user password is not expired
- Database user account is not locked or disabled
If possible, confirm whether the database user can access the database with the same connection string and authentication details using other tools, such as Cloud Shell, SQLcl, or mysqlsh via a bastion.
See Using the Oracle Cloud Infrastructure Console for more information about viewing or managing a connection.
Incorrect Networking Configuration
The Database Tools service allows you to connect to databases in your tenancy by securely routing network traffic through an Oracle Cloud Infrastructure virtual cloud network (VCN). Once a VCN, subnet, applicable gateways, route tables, and security lists or network security groups are configured, Database Tools connections can be configured to connect to your database.
If you encounter network or connection timeout related errors or unreachable database hosts, then you may need to review the following:
- Ensure private endpoints are configured to access databases in your private subnet, if applicable.
- Confirm your VCN configuration allows Database Tools service traffic to reach the database in your target subnet at the IP address and TCP port specified.
- For ADB shared using a public IP address with access control list (ACL), confirm ACL rules for allowed addresses or allowed CIDR blocks are configured correctly.
- For customer-managed Oracle or MySQL databases, firewalls running on the host operating system generally require rules to allow network traffic to reach database-specific TCP ports.
See Using Private Endpoints with Database Tools for more information about using private endpoints. See Overview of VCNs and Subnets for more information about configuring virtual cloud networks.
Incorrect Database State/Configuration
The Database Tools service does not manage your database service or database configuration. Check with your database administrator to ensure that the target database:
- Is correctly configured and started.
- Is accepting new connections.
Proxy User Not Authorized to Connect as the Proxy Client
The Database Tools service provides proxy session support for Oracle Database connections. That is, by using proxy users you can connect as other database users without knowing their passwords.
If you encounter a proxy user related error, then you may need to review the following:
- Correctly configure proxy user accounts and authorize users to connect through them. See the Proxy User Authentication and Connect Through in Oracle Databases documentation.
- Enable proxy authentication and configure the proxy client database user name and password.
- Ensure the proxy client database user name and password are correct.
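The proxy authorization checks above can be run directly against an Oracle database. The following is an added example, not taken from the Database Tools documentation. The names DBTOOLS_PROXY (the proxy user), APP_OWNER (the proxy client), and APP_READ_ROLE are hypothetical, and the statements assume a session with DBA privileges unless noted.

```sql
-- Added example. DBTOOLS_PROXY, APP_OWNER and APP_READ_ROLE are hypothetical names.

-- 1. Authorize the proxy user to open sessions as the proxy client.
--    WITH ROLE limits the proxied session to the listed role instead of
--    every role the client holds; omit the clause to allow all roles.
ALTER USER app_owner
  GRANT CONNECT THROUGH dbtools_proxy
  WITH ROLE app_read_role;

-- Stricter variant: also require the proxy client's own password when the
-- proxy session is opened (corresponds to supplying the proxy client
-- user name and password in the connection).
-- ALTER USER app_owner
--   GRANT CONNECT THROUGH dbtools_proxy
--   AUTHENTICATION REQUIRED;

-- 2. Confirm the authorization exists. No row for the pair means the
--    proxy user is not authorized to connect as that client.
SELECT proxy,
       client,
       authentication,            -- YES when the client password is required
       authorization_constraint,  -- which roles the proxied session may use
       role
FROM   dba_proxies
WHERE  proxy  = 'DBTOOLS_PROXY'
AND    client = 'APP_OWNER';

-- 3. Audit every client this proxy user can reach; an unexpectedly long
--    list means one credential unlocks many accounts.
SELECT client, authorization_constraint, role
FROM   dba_proxies
WHERE  proxy = 'DBTOOLS_PROXY'
ORDER  BY client;

-- 4. From inside a proxied session (no DBA rights needed), confirm which
--    identity authenticated and which identity the session runs as.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS authenticated_as,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS running_as
FROM   dual;

-- 5. Withdraw the authorization when it is no longer needed.
ALTER USER app_owner REVOKE CONNECT THROUGH dbtools_proxy;
```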
Troubleshooting issues for existing connections that previously worked
User Permission Revoked or Changed
It is possible that IAM policies, group memberships, or database user privileges changed after a connection was created. Check with your tenancy administrator and your database administrator to confirm:
- The OCI user did not lose access due to group membership changes, IAM policy changes, or compartment changes.
- The database user did not lose access due to role or privilege changes.
Network Configuration Changed
If a Database Tools connection was previously able to communicate with a database but suddenly reports network-related issues, then it might be due to database state or subsequent VCN configuration changes.
- Confirm that the database service is running and accepting TCP connections.
- Confirm if any changes were made in the target subnet or VCN configuration.
- Confirm your VCN configuration allows Database Tools service traffic to reach the database in your target subnet at the IP address and TCP port specified.
- For ADB shared using a public IP address with access control list (ACL), confirm ACL rules for allowed addresses are configured correctly.
- For customer-managed Oracle or MySQL databases, check that firewalls running on the host operating system, if applicable, allow access to database-specific TCP ports.
See Using Private Endpoints with Database Tools for more information about using private endpoints. See Overview of VCNs and Subnets for more information about configuring virtual cloud networks.
Database Configuration Changed
It is possible that a database configuration changed after the connection was created. Changes to a database configuration or user authentication details are not managed by the Database Tools service and may need to be updated in your connections.
Confirm if any of the following have occurred and update your database, database user, or Database Tools connections accordingly:
- Was the database user deleted or have privileges been revoked?
- Is the database user account locked or password expired?
- For ADB shared databases, was the instance or regional wallet rotated? If so, the wallet needs to be updated in your vault secret.
- Was the PDB deleted?
- Is the database instance stopped or paused due to inactivity?
See Using the Oracle Cloud Infrastructure Console for more information about updating a connection.
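The database user checks listed here, and those under "User Input or Database User State was Incorrect", can be answered from the Oracle data dictionary. The following is an added example, not part of the Database Tools documentation. It assumes an Oracle database, a session that can read the DBA_* views, and a hypothetical user name APP_USER.

```sql
-- Added example. APP_USER is a hypothetical database user name.

-- 1. Account state. No row means the user was deleted; any status other
--    than OPEN (for example LOCKED, EXPIRED, EXPIRED(GRACE)) explains a
--    connection that used to work and now fails.
SELECT username,
       account_status,
       lock_date,     -- when the account was locked, if it is
       expiry_date,   -- when the password expires or expired
       profile
FROM   dba_users
WHERE  username = 'APP_USER';

-- 2. Password lifetime and lockout limits that apply to the user, taken
--    from the assigned profile. These show whether expiry or lockout
--    will recur after the account is repaired.
SELECT p.resource_name,
       p.limit
FROM   dba_profiles p
JOIN   dba_users    u ON u.profile = p.profile
WHERE  u.username = 'APP_USER'
AND    p.resource_name IN ('PASSWORD_LIFE_TIME',
                           'PASSWORD_GRACE_TIME',
                           'FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_LOCK_TIME');

-- 3. Login privilege. CREATE SESSION must reach the user directly or
--    through a role; the hierarchical subquery follows nested roles.
--    No rows means the privilege was revoked or never granted.
SELECT grantee,
       privilege
FROM   dba_sys_privs
WHERE  privilege = 'CREATE SESSION'
AND    (grantee = 'APP_USER'
        OR grantee IN (SELECT granted_role
                       FROM   dba_role_privs
                       START WITH grantee = 'APP_USER'
                       CONNECT BY PRIOR granted_role = grantee));

-- 4. Roles currently granted to the user, to compare against what the
--    connection's workload needs.
SELECT granted_role, default_role
FROM   dba_role_privs
WHERE  grantee = 'APP_USER'
ORDER  BY granted_role;
```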
Known Issues for Database Tools Service
Lists known issues and available workarounds for the Database Tools service.
Connection to ADB-S with Network ACL not supported for Free Tier accounts
Issue: You are using a Free Tier Account and trying to create a connection to an Autonomous Database – Shared (ADB-S) using network access rules granting access to OCI Services in Oracle Services Network.
Cause: The Network Access Control List (ACL) feature of ADB-S does not provide support for network access rules granting access to OCI Services in Oracle Services Network. As a workaround, create connections using a Private Endpoint and add an Access Control Rule to the ADB-S instance to allow traffic from the Reverse Connection Source IPs of the Private Endpoint. Since the Reverse Connection Source IPs are Private IP addresses, the use of a Service Gateway or a NAT Gateway is required to connect to the Public IP of ADB-S. Free Tier accounts are not allowed to create a Service Gateway or a NAT Gateway in their VCNs and cannot access an ADB-S instance with Network ACL.