Workflow to Use Identity
Use the following workflow as a guide to create and use a Database Tools identity.
Let's walk through the workflow to create and use a Database Tools identity with an example
scenario. Jane Smith wants to use Oracle Scheduler to create a daily job that reads
content from OCI Object Storage using the DBMS_CLOUD.LIST_OBJECTS
function. To run the DBMS_CLOUD.LIST_OBJECTS function, an authenticated
credential is required. The following approach avoids storing, exposing, or requiring
manual updates to user credentials and enhances security.
| Step | Task | Description | See |
|---|---|---|---|
| 1 | Create a Database Tools connection with resource principal. | Create a connection and configure it with the RESOURCE_PRINCIPAL runtime identity. | Using the Oracle Cloud Infrastructure Console |
| 2 | Validate the connection. | Verify that you can connect to the database. | To list Database Connections |
| 3 | Create a Database Tools identity resource. | This generates a managed Oracle Database credential within the schema defined in the corresponding Database Tools connection resource. | Creating an Identity |
| 4 | Validate the identity. | Verify that you can make calls to OCI using the identity. | Validating an Identity |
| 5 | Create a dynamic group. | You must create a new dynamic group and ensure that the matching rule includes the new Database Tools identity resource. | Dynamic Groups |
| 6 | Create a policy to grant access to services. | Create or update policies to allow the dynamic group to grant access to resources. In this example, update policies to allow the dynamic group to read objects from a specific bucket in Object Storage. | Policies |
| 7 | Refresh the identity resource. | After updating IAM policies for a dynamic group, you must refresh the Database Tools identity. | Refreshing an Identity |
In this example, after setting up the Database Tools connection and
identity, validate that you can read content from Object Storage using the
DBMS_CLOUD.LIST_OBJECTS function.
Sample Code
SELECT * FROM
DBMS_CLOUD.LIST_OBJECTS('<credential_name>', '<object_storage_bucket_url>');
Here, <credential_name> is the name of the credential that
you provide when you create a Database Tools identity. When Database Tools creates
an identity, it also creates a credential with that name in the target
database, so no password or API key has to be stored in the schema.
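The daily Scheduler job from Jane Smith's scenario, as an added example that is not part of the original page: the log table, procedure and job names are assumed, and the credential name and bucket URL are placeholders to replace with the values from your own connection and identity.

```sql
-- Added example, not from the original page. The only reference to the
-- identity is the credential name created in step 3; neither the procedure
-- nor the job definition contains a password or API key.

-- Table that records what each daily run saw (constructed for this example).
CREATE TABLE bucket_listing_log (
  run_time    TIMESTAMP,
  object_name VARCHAR2(4000),
  bytes       NUMBER
);

-- Procedure that lists the bucket with the managed credential.
-- <credential_name> is the name given when the identity was created;
-- the URL is the Object Storage bucket to read (placeholders).
CREATE OR REPLACE PROCEDURE list_bucket_daily AS
BEGIN
  INSERT INTO bucket_listing_log (run_time, object_name, bytes)
  SELECT SYSTIMESTAMP, object_name, bytes
  FROM   DBMS_CLOUD.LIST_OBJECTS(
           '<credential_name>',
           'https://objectstorage.<region>.oraclecloud.com/n/<namespace>/b/<bucket>/o/');
  COMMIT;
END;
/

-- Daily job (assumed name) that runs the procedure at 02:00 every day.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'LIST_BUCKET_DAILY_JOB',
    job_type        => 'STORED_PROCEDURE',
    job_action      => 'LIST_BUCKET_DAILY',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=DAILY; BYHOUR=2; BYMINUTE=0',
    enabled         => TRUE,
    comments        => 'Lists the bucket using the Database Tools identity credential');
END;
/

-- Check the schedule and the last run. Remember step 7: after the dynamic
-- group's policies change, refresh the identity before relying on this job.
SELECT job_name, state, last_start_date, next_run_date
FROM   user_scheduler_jobs
WHERE  job_name = 'LIST_BUCKET_DAILY_JOB';
```

Run the bare SELECT from the Sample Code above once by hand before enabling the job, so that a policy or identity problem surfaces interactively rather than as a failed scheduled run.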