OCI IAM Domains User Access Review

One of the recent additions to Oracle Cloud Infrastructure (OCI) is IAM Domains. New OCI tenancies are provisioned with IAM Domains and at time of writing tenancies with IDCS instances are being migrated to IAM Domains.

I originally created Peek to create a visual representation of effective user permissions inside an OCI tenancy to assist with performing user access reviews. Excessive permissions and IAM misconfigurations are a common issue found in cloud environments that can lead to privilege escalation and/or unauthorised access to resources and data.

At time of writing the latest release of the OCI CLI now supports interacting with IAM Domain resources and so I have created a version of Peek that works with IAM domains.

I’ve also streamlined the setup, meaning you only need to run a single Docker container and no longer need to set up an APEX instance to visualise the data.

Setup & Running Peek for IAM Domains

Before running Peek you will need:

Running the docker container is straight forward:

docker run -it --name peek \
--mount type=bind,source=/full/path/to/.oci,target=/root/.oci/,readonly \
-e OCI_TENANCY_OCID=<your tenancy OCID> \
-e OCI_PROFILE_NAME=<your OCI config profile name> \
-p 4567:4567 \
--rm scottfletcher/peek-domain

In the above command you’ll need to replace:

  • “/full/path/to/oci” with the full path to your OCI config directory, as an example mine is /home/scott/.oci
  • <your tenancy OCID> with the tenancy OCID of the tenancy you wish to run this for.
  • <your OCI config profile name> with the name of the profile in the OCI config that matches the tenancy OCID. As an example mine is DEFAULT.

Optionally you can also configure the port mappings. The web server inside the container is listening on port 4567 so in the example above I’m mapping that to the host, but you can change the host port if required.

Also, Peek will by default set the height of each line to 20px. Depending on how long your policy statements are you might need to set a larger tooltip value to see all the statements in the tooltip. To change the line height and subsequent tooltip height specify a larger value for the TOOLTIP_LINE_PX environment variable.

After running the command you should see:

Unable to find image 'scottfletcher/peek-domain:latest' locally
latest: Pulling from scottfletcher/peek-domain
Digest: sha256:d16076f99088942bd9d630ef8372869d764bd9fad07c57156c45762d06c98d1a
Status: Downloaded newer image for scottfletcher/peek-domain:latest
2023-03-20T00:15:36.963787Z mysqld_safe Logging to '/var/log/mysql/error.log'.
2023-03-20 00:15:57,376 INFO RPC interface 'supervisor' initialized
2023-03-20 00:15:57,376 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2023-03-20 00:15:57,376 INFO supervisord started with pid 209
2023-03-20 00:15:58,380 INFO spawned: 'mysqld' with pid 211
2023-03-20 00:15:58,384 INFO spawned: 'ruby' with pid 212
2023-03-20 00:15:59,446 INFO success: mysqld entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2023-03-20 00:15:59,446 INFO success: ruby entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

At which point you can browse to http://localhost:4567 and you will see a live progress bar:

Depending on the size of your tenancy, the number of domains, compartments, groups, users, and policy statements this process can take some time. Please be patient.

When complete the first user’s permission tree will be shown:

The boxes represent the compartments present in the tenancy. Also shown is the user who created them and on which date. If the created by username isn’t shown then you will need to enable default OCI tagging.

To view another user’s permissions select the user from the drop down menu.

As with the Peek IDCS version, the colours represent the maximum permission explicitly defined for that compartment:

  • Red: A policy statement with manage permissions has been defined,
  • Orange: A policy statement with use permissions has been defined,
  • Yellow: A policy statement with read permissions has been defined,
  • Green: A policy statement with inspect permissions has been defined.

If you have a large diagram you can collapse the structure by clicking on a compartment. You can also scroll, and click and drag the diagram around to see any tooltips on the right hand side that may be hidden off screen.

If you have any questions, or feedback feel free to leave a note in the comments.


Author: Scotti Fletcher

I'm an Oracle Cloud Security Engineer, Ethical Hacker & Extreme Sport enthusiast.

One thought on “OCI IAM Domains User Access Review”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: