- Unnecessary API Keys
Identify and remove any unnecessary API keys from your OCI IAM users in order to follow security best practices and reduce the attack surface. API keys can be used to make programmatic requests to the OCI APIs directly, or via the OCI SDKs or the OCI CLI. OCI IAM allows you to assign a maximum of three active API keys to a user, but holding more than one active key is recommended only during the key rotation process. Trend Cloud One™ – Conformity strongly recommends deactivating the old key once the new one is created, so that only one API key remains active for the IAM user.
Rotating IAM user credentials periodically will significantly reduce the chances that a compromised set of API keys can be used without your knowledge to access certain components and resources within your Oracle Cloud Infrastructure (OCI) tenancy.
Audit
To determine if your OCI IAM users have unnecessary active API keys, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, select an OCI compartment from the Compartment dropdown menu, and choose Domains to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to examine, listed in the Name column.
05 Select the User management tab to list the IAM users created for the selected domain.
06 In the Users section, click on the name (link) of the IAM user that you want to examine, listed in the Username column.
07 Select the API keys tab and count the number of API key fingerprints listed in the Fingerprint column to determine the number of active API keys created for the IAM user. If the selected OCI IAM user has more than one active API key, the IAM user access configuration does not align with cloud security best practices, and the risk of accidental exposure is high.
08 Repeat steps no. 6 and 7 for each IAM user created for the selected OCI domain.
09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.
10 Repeat steps no. 3 – 9 for each compartment available in your OCI account.
Using OCI CLI
01 Run the iam user list command (OSX/Linux/UNIX) to list the ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) tenancy:
oci iam user list --all --query 'data[].["name","id"]' --output 'table'
02 The command output should return a table with requested IAM user identifiers:
+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+
03 Run the iam user api-key list command (OSX/Linux/UNIX) with the ID of the IAM user that you want to examine as the identifier parameter, to list the fingerprint and the lifecycle state of each API key generated for the specified IAM user:
oci iam user api-key list --user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data[].["fingerprint","lifecycle-state"]' --output 'table'
04 The command output should return the requested API key information. Column1 returns the API key fingerprint and Column2 the key lifecycle state. Each ACTIVE fingerprint represents an active API key:
+-------------------------------------------------+---------+
| Column1                                         | Column2 |
+-------------------------------------------------+---------+
| 12:83:35:4b:5b:c2:20:76:65:67:30:18:8e:a6:e9:00 | ACTIVE  |
| 00:01:02:ab:cd:01:02:03:ab:cd:01:02:03:ab:cd:03 | ACTIVE  |
+-------------------------------------------------+---------+
Check the Column2 column for each API key returned by the iam user api-key list command output to determine the lifecycle state of each API key associated with the IAM user. If the selected OCI IAM user has more than one active API key, as shown in the output example above, the IAM user access configuration does not align with cloud security best practices, and the risk of accidental exposure is high.
05 Repeat steps no. 3 and 4 for each IAM user created for your OCI tenancy.
Remediation / Resolution
To remove unnecessary API keys from your Oracle Cloud Infrastructure (OCI) IAM users, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, select an OCI compartment from the Compartment dropdown menu, and choose Domains to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to access, listed in the Name column.
05 Select the User management tab to list the IAM users created for the selected domain.
06 In the Users section, click on the name (link) of the IAM user that you want to configure, listed in the Username column.
07 Select the API keys tab and perform the following actions:
- Choose the API key that will be used to provide programmatic access (i.e., operational API key), and ensure that your clients and applications use only the chosen key. Test your clients and applications to make sure that the chosen API key is working.
- Identify and select the non-operational API keys (other than the one chosen at the previous step) and choose Delete. In the confirmation box, choose Delete to remove the selected API key.
08 Repeat steps no. 6 and 7 for each IAM user created for the selected OCI domain.
09 Repeat steps no. 4 - 8 for each domain available in the selected Oracle Cloud Infrastructure (OCI) compartment.
10 Repeat steps no. 3 – 9 for each compartment available in your OCI account.
Using OCI CLI
01 Run the iam user list command (OSX/Linux/UNIX) to list the ID of each IAM user created for your Oracle Cloud Infrastructure (OCI) tenancy:
oci iam user list --all --query 'data[].["name","id"]' --output 'table'
02 The command output should return a table with requested IAM user identifiers:
+---------------------------------------+------------------------------------------------------------------------------+
| Column1                               | Column2                                                                      |
+---------------------------------------+------------------------------------------------------------------------------+
| cc-project5-developer                 | ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| cc-domain-secops-dev                  | ocid1.user.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| cc-iam-access-manager                 | ocid1.user.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+---------------------------------------+------------------------------------------------------------------------------+
03 Run the iam user api-key list command (OSX/Linux/UNIX) with the ID of the IAM user that you want to examine as the identifier parameter, to list the fingerprint and the lifecycle state of each API key generated for the specified IAM user:
oci iam user api-key list --user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data[].["fingerprint","lifecycle-state"]' --output 'table'
04 The command output should return the requested API key information:
+-------------------------------------------------+---------+
| Column1                                         | Column2 |
+-------------------------------------------------+---------+
| 12:83:35:4b:5b:c2:20:76:65:67:30:18:8e:a6:e9:00 | ACTIVE  |
| 00:01:02:ab:cd:01:02:03:ab:cd:01:02:03:ab:cd:03 | ACTIVE  |
+-------------------------------------------------+---------+
05 Choose the API key that will be used to provide programmatic access (i.e., operational API key), and ensure that your clients and applications use only the chosen key. Test your clients and applications to make sure that the chosen API key is working.
06 Run the iam user api-key delete command (OSX/Linux/UNIX) to remove a non-operational API key (any key other than the one chosen at the previous step), specified by the --fingerprint parameter, from the selected OCI IAM user:
oci iam user api-key delete --user-id 'ocid1.user.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --fingerprint '00:01:02:ab:cd:01:02:03:ab:cd:01:02:03:ab:cd:03'
07 Type y (yes) and press Enter to confirm the key removal:
Are you sure you want to delete this resource? [y/N]: y
08 Repeat steps no. 6 and 7 for each non-operational API key that you want to remove from your IAM user.
09 Repeat steps no. 3 - 8 for each IAM user created for your OCI tenancy.
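Scripted form of the CLI audit (steps 01-05 of the Audit section) and of the remediation planning (step 06 above), as an added example that is not Conformity's or Oracle's code: it parses the --output json form of the user and api-key listings, flags users holding more than one ACTIVE key, and builds one api-key delete command for each active key other than the operational one. The run_oci wrapper, the EXAMPLE OCIDs and the second sample user's fingerprints are assumptions; the live oci calls are only sketched in a comment, and nothing is deleted unless you run the returned commands yourself.

```python
import json
import subprocess
from typing import Dict, List

def run_oci(args: List[str]) -> dict:
    """Run one `oci` CLI command (the CLI must be installed and configured) and parse its JSON output."""
    proc = subprocess.run(["oci", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {"data": []}

def active_fingerprints(api_key_listing: dict) -> List[str]:
    """Fingerprints of ACTIVE keys in an `oci iam user api-key list` JSON document (audit step 04)."""
    return [k["fingerprint"] for k in api_key_listing.get("data", [])
            if k.get("lifecycle-state") == "ACTIVE"]

def users_with_excess_keys(user_listing: dict, keys_by_user: Dict[str, dict]) -> Dict[str, List[str]]:
    """Users (by name) holding more than one ACTIVE key, with those fingerprints (audit step 05)."""
    findings = {}
    for user in user_listing.get("data", []):
        fps = active_fingerprints(keys_by_user.get(user["id"], {}))
        if len(fps) > 1:
            findings[user["name"]] = fps
    return findings

def deletion_commands(user_id: str, api_key_listing: dict, keep_fingerprint: str) -> List[List[str]]:
    """argv of one `oci iam user api-key delete` per non-operational ACTIVE key (remediation step 06).
    Refuses to plan anything unless the operational key is itself an ACTIVE key of this user."""
    fps = active_fingerprints(api_key_listing)
    if keep_fingerprint not in fps:
        raise ValueError("operational key is not an ACTIVE key of this user")
    return [["oci", "iam", "user", "api-key", "delete", "--user-id", user_id, "--fingerprint", fp, "--force"]
            for fp in fps if fp != keep_fingerprint]

# Constructed sample shaped like the CLI's JSON output; the OCIDs and the second user's fingerprints are made up.
SAMPLE_USERS = {"data": [{"id": "ocid1.user.oc1..EXAMPLE-dev", "name": "cc-project5-developer"},
                         {"id": "ocid1.user.oc1..EXAMPLE-ops", "name": "cc-domain-secops-dev"}]}
SAMPLE_KEYS = {
    "ocid1.user.oc1..EXAMPLE-dev": {"data": [
        {"fingerprint": "12:83:35:4b:5b:c2:20:76:65:67:30:18:8e:a6:e9:00", "lifecycle-state": "ACTIVE"},
        {"fingerprint": "00:01:02:ab:cd:01:02:03:ab:cd:01:02:03:ab:cd:03", "lifecycle-state": "ACTIVE"}]},
    "ocid1.user.oc1..EXAMPLE-ops": {"data": [
        {"fingerprint": "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99", "lifecycle-state": "ACTIVE"},
        {"fingerprint": "99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa", "lifecycle-state": "DELETED"}]},
}

if __name__ == "__main__":
    # Live run: users = run_oci(["iam", "user", "list", "--all"]) and one api-key list call per user id.
    for name, fps in users_with_excess_keys(SAMPLE_USERS, SAMPLE_KEYS).items():
        print(f"{name}: {len(fps)} ACTIVE API keys -> {', '.join(fps)}")
```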