- Rotate User Auth Tokens
Ensure that your IAM user auth tokens are rotated every 90 days or less to decrease the likelihood of accidental exposure and to protect your Oracle Cloud Infrastructure (OCI) resources against unauthorized access. IAM user auth tokens are token strings generated by Oracle that you can use to authenticate with third-party APIs that do not support OCI's signature-based authentication, such as the Swift API.
IAM user auth tokens do not have an expiration date, so a leaked token remains valid until it is explicitly deleted. Rotating auth tokens for IAM users periodically significantly reduces the window in which a compromised token can be used without your knowledge to access components and resources within your Oracle Cloud Infrastructure (OCI) tenancy.
Audit
To determine if your IAM user auth tokens are regularly rotated (i.e., every 90 days or less), perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to examine, listed in the Name column.
05 In the Identity domain navigation panel, choose Users to list the IAM users created for the selected domain.
06 In the Users section, click on the name (link) of the IAM user that you want to examine, listed in the Username column.
07 In the Resources navigation panel, choose Auth tokens, and check the creation date of each auth token generated for the selected user, listed in the Created column. If more than 90 days have passed since a token was created, that token is not being rotated on a regular basis: it is outdated and must be regenerated in order to secure access to your Oracle Cloud Infrastructure (OCI) resources.
08 Repeat steps no. 6 and 7 for each IAM user created for the selected OCI domain.
09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.
10 Repeat steps no. 3 – 9 for each compartment available within your OCI account.
Using OCI CLI
01 Run iam user list command (OSX/Linux/UNIX) to list the ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) tenancy:
oci iam user list --all --query 'data[].["name","id"]' --output 'table'
02 The command output should return a table with requested user IDs:
+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+
03 Run iam auth-token list command (OSX/Linux/UNIX) with the ID of the IAM user that you want to examine as the identifier parameter, to list the ID and the creation date/time for each authentication token generated for the specified user:
oci iam auth-token list --user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data[].["id","time-created"]' --output table
04 The command output should return the requested auth tokens:
+------------------------------------------------------------------------------------+----------------------------------+
| Column1                                                                            | Column2                          |
+------------------------------------------------------------------------------------+----------------------------------+
| ocid1.credential.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd | 2024-09-08T16:20:10.103000+00:00 |
| ocid1.credential.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 | 2024-11-10T16:44:11.106000+00:00 |
+------------------------------------------------------------------------------------+----------------------------------+
Check the timestamp listed in Column2 for each auth token to determine when the token was created. If more than 90 days have passed since a token was created, that token is not being rotated on a regular basis: the credential is outdated and must be regenerated in order to secure access to your Oracle Cloud Infrastructure (OCI) resources.
Remediation / Resolution
To rotate (regenerate) outdated authentication tokens for your IAM users, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu, to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to access, listed in the Name column.
05 In the Identity domain navigation panel, choose Users to list the IAM users created for the selected domain.
06 In the Users section, click on the name (link) of the IAM user that you want to configure, listed in the Username column.
07 In the Resources navigation panel, select Auth tokens.
08 Select Generate token, provide a unique name for your new token, and choose Generate token to create the replacement authentication token required for rotation. Copy the token string to a secure location (it is displayed only once and cannot be retrieved later), then choose Close to return to the IAM console. An IAM user can have at most two auth tokens at a time; if the selected user already has two, follow the instructions outlined in step no. 11 to remove the outdated token first.
09 Update all your applications and systems to replace the outdated token with the new one created in the previous steps.
10 Test all your applications and systems to make sure that the new auth token is working as expected.
11 Once you are sure that your applications and systems are no longer using the original token, return to your IAM user page, select the outdated authentication token, and choose Delete to remove the token from your IAM user.
12 Repeat steps no. 6 - 11 for each IAM user created for the selected OCI domain.
13 Repeat steps no. 4 - 12 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.
14 Repeat steps no. 3 – 13 for each compartment available within your OCI account.
Using OCI CLI
01 Run iam auth-token create command (OSX/Linux/UNIX) to create a new authentication token for the selected IAM user, required for rotation. An IAM user can have up to two tokens at a time. If the IAM user has two auth tokens, follow the instructions outlined in step no. 5 to remove the outdated token first:
oci iam auth-token create --description 'cc-project5-auth-token' --user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
02 The command output should return the resource information for the new auth token. The token string (the "token" field) is returned only in this response and cannot be retrieved afterwards, so store it in a secrets manager before proceeding:
{
  "data": {
    "description": "cc-project5-auth-token",
    "id": "ocid1.credential.oc1..aaaabbbb1234ddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
    "inactive-status": null,
    "lifecycle-state": "ACTIVE",
    "time-created": "2025-03-08T18:32:20.275000+00:00",
    "time-expires": null,
    "token": "abcd1234abcd1234",
    "user-id": "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
  },
  "etag": "abcd1234abcd1234abcd1234abcd1234"
}
03 Update all your applications and systems to replace the outdated token string with the new one created in the previous steps.
04 Test all your applications and systems to make sure that the new token is working as expected.
05 Once you are sure that your applications and systems are no longer using the original token, run iam auth-token delete command (OSX/Linux/UNIX) to delete the outdated authentication token:
oci iam auth-token delete --auth-token-id 'ocid1.credential.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
06 Type y (yes) and press Enter to confirm the token removal:
Are you sure you want to delete this resource? [y/N] y
07 Repeat steps no. 1 - 6 for each IAM user that you want to configure, available in your Oracle Cloud Infrastructure (OCI) tenancy.
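The following Python script is an added example; it is not part of the original page, of the OCI CLI or of Oracle's SDK. It automates both CLI procedures above: it reads the JSON that `oci iam auth-token list --user-id <ocid> --output json` prints, flags every ACTIVE token older than 90 days, and, for a user that needs rotation, emits the ordered `oci iam auth-token create` / `delete` commands as a dry run, deleting the oldest token first only when the user is already at the two-token limit described in the remediation steps. The embedded payload is constructed sample data with placeholder OCIDs, and the user OCID and `rotated-<date>` description used in the plan are assumptions.

```python
"""Audit and plan rotation of OCI IAM user auth tokens from CLI JSON output.

Added example; not part of the original page or of the OCI CLI/SDK. Pipe in the
output of `oci iam auth-token list --user-id <ocid> --output json`, or run it
with no piped input to use the constructed sample below (placeholder OCIDs).
"""
import json
import sys
from datetime import datetime, timezone

MAX_AGE_DAYS = 90        # rotation threshold from the audit procedure above
MAX_TOKENS_PER_USER = 2  # per-user limit noted in the remediation steps above

# Constructed sample payload in the shape the CLI prints for `auth-token list`.
SAMPLE_TOKEN_LIST = {
    "data": [
        {
            "id": "ocid1.credential.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
            "description": "cc-project5-ci-token",
            "lifecycle-state": "ACTIVE",
            "time-created": "2024-09-08T16:20:10.103000+00:00",
            "time-expires": None,
        },
        {
            "id": "ocid1.credential.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
            "description": "cc-project5-registry-token",
            "lifecycle-state": "ACTIVE",
            "time-created": "2024-11-10T16:44:11.106000+00:00",
            "time-expires": None,
        },
    ]
}


def parse_created(time_created):
    """Parse the CLI's RFC 3339 'time-created' string into an aware datetime."""
    created = datetime.fromisoformat(time_created)
    if created.tzinfo is None:          # defensive: treat naive values as UTC
        created = created.replace(tzinfo=timezone.utc)
    return created


def active_tokens(token_list):
    """Only ACTIVE tokens can authenticate; INACTIVE/DELETED ones are ignored."""
    return [t for t in token_list.get("data", []) if t.get("lifecycle-state") == "ACTIVE"]


def stale_tokens(token_list, now, max_age_days=MAX_AGE_DAYS):
    """Return [(token_id, age_in_days)] for ACTIVE tokens older than the threshold."""
    findings = []
    for tok in active_tokens(token_list):
        age = (now - parse_created(tok["time-created"])).days
        if age > max_age_days:
            findings.append((tok["id"], age))
    return findings


def rotation_plan(user_id, token_list, now, max_age_days=MAX_AGE_DAYS):
    """Ordered CLI commands to rotate a user's stale tokens (dry run; nothing is executed).

    A user can hold at most MAX_TOKENS_PER_USER tokens, so when the user is at the
    limit the oldest token must be deleted before a replacement can be created.
    Otherwise the replacement is created first and each stale token is deleted
    only after clients have been switched over and tested.
    """
    stale = stale_tokens(token_list, now, max_age_days)
    if not stale:
        return []
    active = active_tokens(token_list)
    pre_deleted = set()
    steps = []
    if len(active) >= MAX_TOKENS_PER_USER:
        oldest = min(active, key=lambda t: parse_created(t["time-created"]))
        steps.append(f"oci iam auth-token delete --user-id '{user_id}' --auth-token-id '{oldest['id']}'")
        pre_deleted.add(oldest["id"])
    steps.append(f"oci iam auth-token create --user-id '{user_id}' --description 'rotated-{now:%Y%m%d}'")
    steps.append("# update every client with the new token string and test before continuing")
    for tok_id, _age in stale:
        if tok_id not in pre_deleted:
            steps.append(f"oci iam auth-token delete --user-id '{user_id}' --auth-token-id '{tok_id}'")
    return steps


if __name__ == "__main__":
    # Usage: oci iam auth-token list --user-id "$USER_OCID" --output json | python3 audit_auth_tokens.py
    payload = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_TOKEN_LIST
    now = datetime.now(timezone.utc)
    user_ocid = "ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"  # placeholder
    for tok_id, age in stale_tokens(payload, now):
        print(f"STALE  {tok_id}  age={age}d (> {MAX_AGE_DAYS}d)")
    for step in rotation_plan(user_ocid, payload, now):
        print(step)
```

Run it once per user OCID returned by `oci iam user list` and review the printed plan before executing any of the commands; the create step must precede the delete of a stale token unless the user is already holding two tokens.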
References
- Oracle Cloud Infrastructure Documentation
- Working with Auth Tokens
- Creating an Auth Token
- Deleting an Auth Token
- Oracle Cloud Infrastructure CLI Documentation
- user list
- auth-token list
- auth-token create
- auth-token delete