Oracle Cloud CLI
01 Jul 2022
OCI CLI
https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm#InstallingCLI__verifying_the_cli_install
oci setup config
Standard place to let it put a config file is ~/.oci/config.
It prompted me for my user OCID, which I was able to figure out how to get from https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#Other
Then it prompted me for my tenancy OCID, which https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#five told me how to get.
Then it suggested I pick a region from a list, and I picked the one I’d set during account setup as my home region, just for simplicity.
Then it asked me if I wanted to generate a new “API Signing RSA key pair,” and I said yes and let it store them in ~/.oci/ and call it oci_api_key. Yes, I gave it a passphrase. Oops, I regret that, because I used one that’s actually a secret, so I couldn’t save it to the config file, so now I have to type this terrible password every single oci command I run.
Let’s try this again:
oci setup config
OK cool yay I got to start over. No passphrase, it’s just a trial account w/o any of my money attached.
Then I uploaded the public key it generated into the web console https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#How2
Then it told me to put some stuff it generated into my ~/.oci/config file, so I did.
OK, this command looks useful:
oci session validate
Nope, darnit:
ERROR: No security_token_file was found in config for profile: DEFAULT
OK let’s try this:
oci session authenticate
It prompts me for a region – again, I guess I’ll choose my usual.
OCI in WSL figured out how to open my web browser, although a Windows Security Alert popped up and asked me if I wanted to let WSL Ubuntu’s version of Python through the firewall. I just kind of dragged it aside for now, clicking neither Allow access nor Cancel.
OK, the oci CLI asked me to nickname this “profile” – guess I’ll call it myprof or something.
It suggested I try this command:
oci iam region list --config-file /home/my_linux_username/.oci/config --profile myprof --auth security_token
OK, that did some output. How about this one now?
oci session validate
OK that still didn’t work but this did:
oci session validate --profile myprof --auth security_token
As did this:
oci session validate --profile myprof
All right, I think I’m going to hit Cancel on that Windows Defender Firewall popup.
OK here we go, here’s a command that satisfies me I’ve got Linux talking to Oracle Cloud – I get a nice JSON object w/ stuff about myself in it from this command:
oci iam user list --profile myprof --auth security_token
All done!
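The setup above leaves a passphrase-less API signing key, a config file, and a session token on disk under ~/.oci. The script below is an added example, not part of the original post or of the OCI CLI: it audits one profile for those three things, assuming the standard config entries key_file, pass_phrase and security_token_file. The function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit one profile of an OCI CLI config file for key hygiene.

# Print the value of KEY in [PROFILE] of the INI-style config file CFG.
oci_cfg_get() {  # usage: oci_cfg_get CFG PROFILE KEY
  awk -v p="[$2]" -v k="$3" '
    /^\[/ { in_p = ($0 == p); next }
    in_p  { split($0, kv, "="); gsub(/[ \t]/, "", kv[1])
            if (kv[1] == k) { sub(/^[^=]*=[ \t]*/, ""); print; exit } }' "$1"
}

# Succeeds when group and other have no permission bits on FILE.
owner_only() { [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]; }

# Print one finding per line; print nothing when the profile is clean.
audit_oci_profile() {  # usage: audit_oci_profile CFG [PROFILE]
  local cfg=$1 profile=${2:-DEFAULT} key tok
  owner_only "$cfg" || echo "config readable by group/other: $cfg"
  [ -z "$(oci_cfg_get "$cfg" "$profile" pass_phrase)" ] ||
    echo "pass_phrase stored in plaintext in [$profile]"
  key=$(oci_cfg_get "$cfg" "$profile" key_file); key=${key/#\~/$HOME}
  if [ -f "$key" ]; then
    owner_only "$key" || echo "private key readable by group/other: $key"
    # Both PEM encodings of an encrypted key carry the word ENCRYPTED.
    grep -q ENCRYPTED "$key" || echo "private key has no passphrase: $key"
  else
    echo "key_file missing or unset in [$profile]"
  fi
  tok=$(oci_cfg_get "$cfg" "$profile" security_token_file); tok=${tok/#\~/$HOME}
  if [ -n "$tok" ] && [ -f "$tok" ]; then
    owner_only "$tok" || echo "session token readable by group/other: $tok"
  fi
  return 0
}

# Constructed sample (placeholder values, not a real key) so this runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' \
  '-----END PRIVATE KEY-----' > "$demo_dir/oci_api_key.pem"
printf '%s\n' '[DEFAULT]' 'user=ocid1.user.oc1..constructed' \
  "key_file=$demo_dir/oci_api_key.pem" 'region=us-ashburn-1' > "$demo_dir/config"
chmod 600 "$demo_dir/oci_api_key.pem"; chmod 644 "$demo_dir/config"
audit_oci_profile "$demo_dir/config" DEFAULT
```

Against a real install it would be called as audit_oci_profile ~/.oci/config myprof. Permission findings can be fixed with the CLI's own oci setup repair-file-permissions --file <path>.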
Pulumi
Pulumi.yaml
name: oci-project
runtime: yaml
description: Trying to do OCI with YAML
Pulumi.oci-stack.yaml
config:
  oci:configFileProfile: myprof
  oci:region: us-ashburn-1
Initial create attempts
pulumi up
OK, that creates an empty stack
It looks like maybe putting things into OCI “compartments” is going to be important, so I ran this and noted the id property’s value of my one and only compartment so far, which came with my Oracle Cloud setup:
oci iam compartment list --profile myprof --auth security_token
Eh, I’m just gonna see what happens if I try to create an OCI bucket w/o it having a “namespace” or “compartment” … OK, nevermind, pulumi up says I can’t do that.
Then I thought I’d figured out a good Main.yaml, but another pulumi up ran for 2 minutes then errored out as follows:
* 409-BucketAlreadyExists, Either the bucket 'my-bucket' in namespace 'id12345678' already exists or you are not authorized to create it
Suggestion: The resource is in a conflicted state. Please retry again or contact support for help with service: Object Storage Bucket
Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/object_storage_bucket
Request Target: POST https://objectstorage.us-ashburn-1.oraclecloud.com/n/id12345678/b
Provider version: 4.72.0, released on 2022-04-21. This provider is 10 Update(s) behind to current.
Service: Object Storage Bucket
Operation Name: CreateBucket
OPC request ID: (censored-for-blog)
pulumi:pulumi:Stack (oci-project-oci-stack):
INFO 2022/07/01 12:10:27.527414 Time elapsed for retry: 0s; Expected retry duration: 2m0s
INFO 2022/07/01 12:10:29.453963 Time elapsed for retry: 2s; Expected retry duration: 2m0s
INFO 2022/07/01 12:10:30.655111 Time elapsed for retry: 3s; Expected retry duration: 2m0s
INFO 2022/07/01 12:10:44.203885 Time elapsed for retry: 17s; Expected retry duration: 2m0s
INFO 2022/07/01 12:11:11.997661 Time elapsed for retry: 45s; Expected retry duration: 2m0s
INFO 2022/07/01 12:11:55.561987 Time elapsed for retry: 1m28s; Expected retry duration: 2m0s
error: update failed
The bucket isn’t visible in the web console, so maybe OCI didn’t like me trying to create a bucket inside the existing compartment. That seems weird though, as it looks like the web console would let me do it.
Interesting … even the web console doesn’t want to let me. Same error.
OK, so … if I don’t have the compartment as that one that showed up inside my “root” compartment, but instead as the root compartment itself, then I CAN create a bucket. So I’ll try that in my Main.yaml instead.
OK, there we go!
I guess I should learn about Oracle Cloud compartments at some point.
Here’s what worked:
Main.yaml
variables:
  myPrimaryCompartment:
    Fn::Invoke:
      Function: oci:Identity/getCompartment:getCompartment
      Arguments:
        id: "the-id-of-my-root-compartment-not-the-one-i-found-through-compartment-list"
  theNamespaceOfMyPrimaryCompartment:
    Fn::Invoke:
      Function: oci:ObjectStorage/getNamespace:getNamespace
      Arguments:
        compartmentId: ${myPrimaryCompartment.id}
resources:
  myBucket:
    type: oci:ObjectStorage:Bucket
    properties:
      name: my-bucket
      compartmentId: ${myPrimaryCompartment.id}
      namespace: ${theNamespaceOfMyPrimaryCompartment.namespace}
outputs:
  name: ${myBucket.name}
Add a storage bucket
OK, so at first, https://cloud.oracle.com/object-storage/buckets?region=us-ashburn-1 is empty.
Then I do:
pulumi up
Verify it’s there
Takes a little while to run (over 2 minutes), but eventually I see a “my-bucket” bucket at https://cloud.oracle.com/object-storage/buckets?region=us-ashburn-1, yay
Delete the bucket
I’m sure there are ways to clean up that aren’t quite so “nuclear,” but here’s how I did so: I deleted every last resource in “oci-stack:”
pulumi destroy -s my-pulumi-username/oci-project/oci-stack
Verify it’s gone
Back to https://cloud.oracle.com/object-storage/buckets?region=us-ashburn-1, and yay, it’s empty again.
Database
Here’s a Main.yaml that spun me up a little Oracle database in Oracle Cloud for me:
variables:
  myPrimaryCompartment:
    Fn::Invoke:
      Function: oci:Identity/getCompartment:getCompartment
      Arguments:
        id: "the-id-of-my-root-compartment-not-the-one-i-found-through-compartment-list"
resources:
  mypuldb:
    type: oci:Database:AutonomousDatabase
    properties:
      compartmentId: ${myPrimaryCompartment.id}
      dbName: SUCHACOOLDBNAME
      adminPassword: a-really-great-password # Root username becomes "ADMIN"
      dbVersion: 19c
      dbWorkload: OLTP
      displayName: My cool DB
      isFreeTier: true
      isMtlsConnectionRequired: false
      whitelistedIps:
        - 123.231.123.231