APIs – RedThunder.Blog

OCI User Access Review Made Easy

I’m sure we can all agree, adopting a cloud strategy is awesome. The opportunities and benefits it affords are many. However cloud governance is an ongoing problem that plagues security, compliance, and management teams, which cloud vendors like Oracle are continually trying to solve.

If you’re reading this, you’ve probably been asked, or heard at least once:

Who has access to what in our environment?
Any Security / Compliance Manager

The answer should be easy and simple. However the reality is likely lots of manual time & work, spreadsheets, and endless clicking in a cloud console. If you’re doing this manually then I agree, it’s time that you could be dedicating to more important tasks.

The challenge in trying to answer these questions:

What users exist and what groups do they belong to?
What does my OCI tenancy compartment structure look like?
What policies have users explicitly created?
What permissions do users have in my tenancy?
Are there any excessive / non-compliant policies & permissions in my tenancy?

is that these complex relationships can’t be easily represented and interpreted in a table-like format. In the OCI ecosystem:

users can be federated with an Identity Provider and can belong to one or many federated, or local IAM groups,
policies can be defined for “any-user” or for a group,
policies are inherited meaning they apply to all sub-compartments from which the policies are applied.

To make things easier I’ve created a solution using Oracle tools and services to simplify the auditing of OCI tenancies and user permissions called “Peek”.

Note: If you have an OCI tenancy with IAM Domains instead of IDCS, use these instructions https://redthunder.blog/2023/03/20/oci-iam-domains-user-access-review/ instead of those below.

Note: From 22/05/2023 APEX is no longer required as the solution runs entirely inside the container. To run the new container for OCI with IDCS use the following command:

docker run -it --name peek --rm \
--mount type=bind,source=/Full/Path/To/.oci/,target=/root/.oci/,readonly \ -e OCI_PROFILE_NAME=<from your OCI config> \-e OCI_TENANCY_OCID=<from text file> \
-e OCI_IAM_URL=<from text file> \
-e IDCS_URL=<from text file> \
-e IDCS_CLIENT_ID=<from text file> \
-e IDCS_SECRET=<from text file> \-e TOOLTIP_LINE_PX=20 \
-p 4567:4567 \scottfletcher/oci-peek

After the docker container has started, you can access the web interface using the locally mapped port http://localhost:4567. You should see a progress window:

Once the mapping process is complete the visualisation will appear.

Depending on how long your policy statements are, you may wish to adjust TOOLTIP_LINE_PX to a number greater or smaller than 20. If your policy statements overflow the tooltip box then increase this value, or if the box is too big, then you can decrease this value.

If you haven’t run Peek before, please read on as I explain how to create the required credentials and where to obtain the values for the other environment variables. You can skip the APEX steps, as APEX will not be used.

#FormulaAI Hack – In Review

(With more to come with the winners being announced)

On Friday 18 March 03:00 PST | 06:00 EST | 10:00 GMT | 15:30 IST | 21:00 AEDT, Hackmakers will announce the winners of the #FormulaAI Hackathon 2022. It will be an exciting moment to conclude the event. Stay tuned at https://www.formulaaihack.com/ to watch the public live stream.

It’s been an immense learning experience for many people (including myself). Here’s a snapshot of some of those learnings when I look back in review. Please note that the content below does not contain any spoilers about winners and solutions delivered.

#BuildWithAI 2021 – Another Step

Last weekend (from Friday 29th Oct to Tuesday 2nd Nov), was the #BuildWithAI Hackathon 2021 where participants, mentors, sponsors and organisers gathered together to solve real world challenges with AI. This event does not standalone. In a world full of change, this (from my perspective) started last year in the #BuildWithAI Hackathon 2020 and continued to build.

This article is about the event but the event itself is just “Another Step”.

#DaysOfArm (15 of X)

This is my 15th #DaysOfArm article that tracks some of the experiences that I’ve had so far. It’s been a little while since I’ve worked on this series however saying that … much of what I’ve been doing didn’t seem different from any other type of environment.

And just to recap from the first post (here) on June 12 2021.

It’s been just over 2 weeks since the launch of Ampere Arm deployed in Oracle Cloud Infrastructure (OCI). Check this article out to learn more (here). And it’s been about one week since I started looking into the new architecture and deployment, since I started provisioning the VM.Standard.A1.Flex Compute Shape on OCI and since I started migrating a specific application that has many different variations to it to test it all out.

This is my next learning where I looked into Let’s Encrypt to create a set of free certificates for Oracle Cloud Infrastructure A1.Flex VM Instances.

C# Serverless on OCI

I had a meeting the other day with an Oracle Partner and the discussion was about serverless solutions and Oracle Functions was introduced. And the natural question to ask was, “What is your preferred language?”.

They answered, “Mostly PHP. We also use C#”.

I had to think a little. And navigating to the fnproject.io (the open-source project that Oracle Functions is based upon), it was clear that C# was supported. Here’s a quick tour through that experience.

fnproject.io supported languages – golang, Java, javascript, python, ruby and C#.

A couple of quick points:

I didn’t need to install ASP.Net anywhere.
I’m not bound by Windows as the host operating system.

And if ASP.Net is your language of choice, you can also check out Deploy highly available ASP.Net applications on Oracle Cloud Infrastructure in the Oracle Architecture Center (here).

OCI Arcade Now Has A CRM

As each project comes along, there’s something new to add to the OCI Arcade. It started off with the game and Autonomous Database. And then grew into including Kafka, Docker Swarm, Serverless with the FN Project, Terraform, OAuth, Ansible, In-Memory Data Grid with Coherence-CE and more recently with Arm. This time round we’ve adding in a Customer Relationship Management (CRM) solution. Why? Up to now, users has been a simple identifier to denote the scores and the events in the game. Nothing more; nothing less. By adding in a CRM into the mix, we’ve opening up the understanding about our contacts and customers providing a richer experience for those coming to the arcade. And ultimately, from a space where we are build, experiment and try something out – adding user profiles opens up endless possibilities. Check out the rest of this about how it’s changed and some of the things we needed to do to make this happen.

#DaysOfArm (14 of X)

This is my 14th #DaysOfArm article that tracks some of the experiences that I’ve had so far. And just to recap from the first post (here) on June 12 2021.

This is my next learning where I’ve deployed successfully openrouteservice – an open-source routing / direction API all deployed on an 4 OCPU with 24 GB of RAM in an Always Free Tier tenancy.

#DaysOfArm (13 of X)

This is my 13th #DaysOfArm article that tracks some of the experiences that I’ve had so far. And just to recap from the first post (here) on June 12 2021.

This is my next learning is another retrospective with the OCI Arcade deployment the full stack is now being deployed on 1 OCPU with 6 GB of RAM in an Always Free Tier tenancy.

#DaysOfArm (12 of X)

This is my 12th #DaysOfArm article that tracks some of the experiences that I’ve had so far. And just to recap from the first post (here) on June 12 2021.

This is my next learning where I’ve deployed successfully Pelias – an open-source geocode API all deployed on an 4 OCPU with 24 GB of RAM in an Always Free Tier tenancy.

(Update – 11th Oct 2021 – there’s been some changes made as this is a working document … as some of the packages have changed as well as additional fixes to make it easier …)

(Update – 28th Dec 2022 – I’ve refreshed the instructions for this blog post to match what is happening with Pelias as there’s been some cool changes to support arm64).

Get OCI Arcade Free on Arm

There’s been numerous announcements about Oracle Cloud Infrastructure (OCI) adding Arm-based Compute to the list of Virtual Machine (VM) Shapes. Check some of the announcements (here) and (here).

You can also watch it (here) too with Clay Magouyrk, Executive Vice President, Oracle Cloud Infrastructure. Note: The link above has more content and videos.

Have you seen the OCI Arcade? We have built the architecture deployable on OCI Always Free Tier.

Recently in the OCI Always Free Tier, an additional services has been added to include 4 cores and 24 GB of RAM of Ampere A1 Compute. With this additional capacity, it made sense for OCI Arcade to be ported to this A1 Compute Shape. Here is what we did and why.