Using instance principals to make a call to the OCI API
Instance principals enable OCI instances to make API calls against other OCI services. Using instance principals, you can make OCI calls without the need to configure user credentials or a configuration file.
Even without instance principals, you can achieve this by storing API credentials on each instance. However, you are then faced with a credential rotation problem, and auditing at the instance level is impossible because every host presents the same credentials.
So, the ideal solution is to use instance principals, which give instances their own identity. Instances configured with instance principals become a new type of principal, alongside the existing OCI IAM users and groups.
To implement an instance principal, you need to use dynamic groups, which allow policies to be defined on instances. An instance principal implements API authentication at the instance level, removing the...
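The pieces described above, put together as an added example (this is not code from the original text): a dynamic group matching rule that selects every instance in one compartment, a least-privilege policy granting that dynamic group read-only access to Object Storage, and an OCI Python SDK call that signs the request with the instance's own identity instead of a user API key. The compartment OCID, compartment name and dynamic group name are placeholders, and the SDK calls (`InstancePrincipalsSecurityTokenSigner`, `ObjectStorageClient`) only succeed when run on an OCI instance that belongs to the dynamic group.

```python
"""Calling the OCI API with an instance principal (added example)."""

# Placeholder values: replace with the OCIDs and names from your own tenancy.
COMPARTMENT_OCID = "ocid1.compartment.oc1..PLACEHOLDER"
COMPARTMENT_NAME = "app-compartment"
DYNAMIC_GROUP_NAME = "app-instances"


def dynamic_group_matching_rule(compartment_ocid: str) -> str:
    """Matching rule for the dynamic group: every instance in the compartment is a member.

    Narrow the rule (for example to a single instance.id or a defined tag) when only some
    hosts in the compartment should be able to call the API.
    """
    return f"Any {{instance.compartment.id = '{compartment_ocid}'}}"


def policy_statements(dynamic_group: str, compartment_name: str) -> list[str]:
    """Policy statements granting the dynamic group the minimum it needs.

    'read' on buckets and objects is enough to download; 'manage object-family' would
    allow writes and deletes and should only be granted when the workload needs them.
    """
    return [
        f"Allow dynamic-group {dynamic_group} to read buckets in compartment {compartment_name}",
        f"Allow dynamic-group {dynamic_group} to read objects in compartment {compartment_name}",
    ]


def list_buckets_with_instance_principal(compartment_ocid: str) -> list[str]:
    """Run on the instance itself: no ~/.oci/config and no API key are needed.

    The signer fetches a short-lived, certificate-backed token from the instance
    metadata service, so rotation is handled by the platform and the audit log
    records the instance OCID as the calling principal.
    """
    import oci  # imported lazily so the helpers above work without the SDK installed

    signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
    client = oci.object_storage.ObjectStorageClient(config={}, signer=signer)
    namespace = client.get_namespace().data
    response = client.list_buckets(namespace_name=namespace, compartment_id=compartment_ocid)
    return [bucket.name for bucket in response.data]


if __name__ == "__main__":
    print("Dynamic group rule:", dynamic_group_matching_rule(COMPARTMENT_OCID))
    for statement in policy_statements(DYNAMIC_GROUP_NAME, COMPARTMENT_NAME):
        print("Policy:", statement)
    # Only works on an OCI instance that is a member of the dynamic group.
    print("Buckets:", list_buckets_with_instance_principal(COMPARTMENT_OCID))
```

Create the dynamic group and policy in the console or CLI with the strings the first two functions produce, then run the script on the instance. If the instance is not a member of the dynamic group, or the policy is missing, the call fails with an authorization error rather than falling back to any stored credential, which is exactly the behaviour you want.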