OCI IAM – OCI Command Line - User Creation (Default and Custom Domain)
One of the major pillars of Oracle Cloud Infrastructure is Identity and Access Management (IAM). It defines user access, roles and privileges on OCI resources, so it must be robust and adhere to security standards. OCI IAM includes domains, network sources, policies and compartments. One of the most important resources in IAM is the user.
In this article we are going to discuss how to create OCI users through the command line and how to upload API keys through the command line.
Why do we need the command line when we have the GUI? It is a commonly asked and valid question. Through the GUI we need to go to the portal, complete the authentication and click through icons and links to create the user and upload keys. With the OCI CLI the same work is scripted, executes quickly and can be reused for creating multiple users; in the GUI the same steps must be repeated for every user, which is time consuming.
This article covers user creation through the command line. OCI IAM comes with domains: every tenancy has a default domain and the option to add more domains. User creation through the OCI command line differs between the default domain and customer-created domains. We discuss each in detail with an example.
User creation in default domain
$ oci iam user create -i
Try the -i option; it lists all the available options for the create command.
$ oci iam user create --name ociuser --description "user for oci workloads" --email ociuser@gmail.com
{
  "data": {
    "capabilities": {
      "can-use-api-keys": true,
      "can-use-auth-tokens": true,
      "can-use-console-password": true,
      "can-use-customer-secret-keys": true,
      "can-use-db-credentials": true,
      "can-use-o-auth2-client-credentials": true,
      "can-use-smtp-credentials": true
    },
    "compartment-id": "ocid1.tenancy.oc1..aaaaaaaap2v6pumkwkwwnvploza",
    "db-user-name": null,
    "defined-tags": {
      "Oracle-Tags": {
        "CreatedBy": "default/kmkittu2005@gmail.com",
        "CreatedOn": "2025-05-24T23:59:54.038Z"
      }
    },
    "description": "user for oci workloads",
    "email": "ociuser@gmail.com",
    "email-verified": false,
    "external-identifier": "6f54261a6a0843eea50f54a7e2367a66",
    "freeform-tags": {},
    "id": "ocid1.user.oc1..aaaaaaaaavicnqssyaeq6qjljebqygcgcki",
    "identity-provider-id": null,
    "inactive-status": null,
    "is-mfa-activated": false,
    "last-successful-login-time": null,
    "lifecycle-state": "ACTIVE",
    "name": "ociuser",
    "previous-successful-login-time": null,
    "time-created": "2025-05-24T23:59:54.110000+00:00"
  },
  "etag": "94b7ae93e56640ce848be8cb3c66ed55"
}
kmkittu200@codeeditor:~ (us-phoenix-1)$
User creation in Custom domain
Now let's create a user in a custom domain. Here the command is different: we can't use the oci iam command and must use the oci identity-domains command instead.
We already have a domain called 'test'. Let's create a user in the test domain.
Syntax:
oci identity-domains user create \
  --domain-ocid <domain ocid> \
  --user-name <username> \
  --display-name <user display name> \
  --schemas '["urn:ietf:params:scim:schemas:core:2.0:User"]' \
  --name '{"givenName":"<first-name>","familyName":"<last-name>"}' \
  --emails '[{"value":"<email address>","type":"<work|home|other>","primary":true}]' \
  --endpoint <regional endpoint>
(The --schemas value shown is the default value.)
Domain OCID – can be collected from the domain details page.
Username – the actual username.
Display name – the user name displayed in the banner; it is for human readability.
Schemas – this parameter is part of the SCIM (System for Cross-domain Identity Management) standard. It tells the Identity Domain API what kind of resource you're creating and which schema it follows. The default value denotes that we are creating a SCIM User object using the core user schema defined by SCIM 2.0. SCIM compliance is mandatory, since OCI Identity Domains are based on IDCS (Oracle Identity Cloud Service), which is SCIM-compliant.
Name – the first and last name values.
Emails – needs not only the email address but also the type of email ("work", "home" or "other"). We can define multiple emails for the user, and we need to specify which email address is the primary one.
Endpoint – the regional endpoint of the domain. It can be collected from the domain details page.
Example:
$ oci identity-domains user create \
  --domain-ocid ocid1.domain.oc1..aaaaaaaabn6436zhyo34dfj4ttgyscssk2joc3w37ghdtbpa625pclq4behq \
  --user-name "ociuser.test" \
  --display-name "ociuser test" \
  --schemas '["urn:ietf:params:scim:schemas:core:2.0:User"]' \
  --name '{"givenName":"ociuser","familyName":"test"}' \
  --emails '[{"value":"ociuser@gmail.com","type":"work","primary":true}]' \
  --endpoint https://idcs-7b841dd4db2147d389ea8ca2d93be8f3.us-phoenix-idcs-3.identity.us-phoenix-1.oci.oraclecloud.com:443
{
  "data": {
    "active": true,
    "addresses": null,
    "compartment-ocid": "ocid1.tenancy.oc1..aaaaaaaap2v6pumkwkwwnvplozuv6gvwvbsy352iluostn2wtpf5kfu7cyva",
    "delete-in-progress": null,
    "description": null,
    "display-name": "ociuser test",
    "domain-ocid": "ocid1.domain.oc1..aaaaaaaabn6436zhyo34dfj4ttgyscssk2joc3w37ghdtbpa625pclq4behq",
    "emails": [
      {
        "pending-verification-data": null,
        "primary": false,
        "secondary": false,
        "type": "recovery",
        "value": "ociuser@gmail.com",
        "verified": false
      },
      {
        "pending-verification-data": null,
        "primary": true,
        "secondary": false,
        "type": "work",
        "value": "ociuser@gmail.com",
        "verified": false
      }
    ],
    "entitlements": null,
    "external-id": null,
    "groups": null,
    "id": "d36b61edced74a92af6783cde547d5e7",
    "idcs-created-by": {
      "display": "Krishnakumar Mohanram",
      "ocid": "ocid1.user.oc1..aaaaaaaanswicp4lg4zx3qnql3yoiyhu6r",
      "ref": "https://idcs-7b841dd4db2147d389ea8ca2d93be8f3.us-phoenix-idcs-3.identity.us-phoenix-1.oci.oraclecloud.com:443/admin/v1/Users/6a6d4c9e3d914a71a6d4095076554a99",
      "type": "User",
      "value": "6a6d4c9e3d914a71a6d4095076554a99"
    },
    "idcs-last-modified-by": {
      "display": "Krishnakumar Mohanram",
      "ocid": "ocid1.user.oc1..aaaaaaaanswicp4lg4zx3qnql3yoiyhu6raa",
      "ref": "https://idcs-7b841dd4db2147d389ea8ca2d93be8f3.us-phoenix-idcs-3.identity.us-phoenix-1.oci.oraclecloud.com:443/admin/v1/Users/6a6d4c9e3d914a71a6d4095076554a99",
      "type": "User",
      "value": "6a6d4c9e3d914a71a6d4095076554a99"
    },
    "idcs-last-upgraded-in-release": null,
    "idcs-prevented-operations": null,
    "ims": null,
    "locale": null,
    "meta": {
      "created": "2025-05-25T00:13:59.366Z",
      "last-modified": "2025-05-25T00:13:59.366Z",
      "location": "https://idcs-7b841dd4db2147d389ea8ca2d93be8f3.us-phoenix-idcs-3.identity.us-phoenix-1.oci.oraclecloud.com:443/admin/v1/Users/d36b61edced74a92af6783cde547d5e7",
      "resource-type": "User",
      "version": "6eda118f39504260bd5ad4f307e93c59"
    },
    "name": {
      "family-name": "test",
      "formatted": "ociuser test",
      "given-name": "ociuser",
      "honorific-prefix": null,
      "honorific-suffix": null,
      "middle-name": null
    },
    "nick-name": null,
    "ocid": "ocid1.user.oc1..aaaaaaaas3gmm2a444r7l6rnavvp5rrq",
    "password": null,
    "phone-numbers": null,
    "photos": null,
    "preferred-language": null,
    "profile-url": null,
    "roles": null,
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User",
      "urn:ietf:params:scim:schemas:oracle:idcs:extension:OCITags",
      "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User"
    ],
    "tags": null,
    "tenancy-ocid": "ocid1.tenancy.oc1..aaaaaaaap2v6pumkwabcs",
    "timezone": null,
    "title": null,
    "urn-ietf-params-scim-schemas-extension-enterprise2-0-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-adaptive-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-capabilities-user": {
      "can-use-api-keys": true,
      "can-use-auth-tokens": true,
      "can-use-console": null,
      "can-use-console-password": true,
      "can-use-customer-secret-keys": true,
      "can-use-db-credentials": true,
      "can-use-o-auth2-client-credentials": true,
      "can-use-smtp-credentials": true
    },
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-db-credentials-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-db-user-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-kerberos-user-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-mfa-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-oci-tags": {
      "defined-tags": [
        {
          "key": "CreatedBy",
          "namespace": "Oracle-Tags",
          "value": "default/kmkittu2005@gmail.com"
        },
        {
          "key": "CreatedOn",
          "namespace": "Oracle-Tags",
          "value": "2025-05-25T00:13:59.282Z"
        }
      ],
      "freeform-tags": null,
      "tag-slug": null
    },
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-password-state-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-passwordless-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-posix-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-security-questions-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-self-change-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-self-registration-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-sff-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-social-account-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-terms-of-use-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-user-credentials-user": null,
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-user-state-user": {
      "last-failed-login-date": null,
      "last-successful-login-date": null,
      "locked": {
        "expired": null,
        "lock-date": null,
        "on": false,
        "reason": null
      },
      "login-attempts": null,
      "max-concurrent-sessions": null,
      "previous-successful-login-date": null,
      "recovery-attempts": null,
      "recovery-enroll-attempts": null,
      "recovery-locked": null
    },
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-user-user": {
      "account-recovery-required": null,
      "accounts": null,
      "app-roles": null,
      "applicable-authentication-target-app": null,
      "bypass-notification": null,
      "creation-mechanism": null,
      "delegated-authentication-target-app": null,
      "do-not-show-getting-started": null,
      "grants": null,
      "group-membership-last-modified": null,
      "idcs-app-roles-limited-to-groups": null,
      "is-account-recovery-enrolled": null,
      "is-authentication-delegated": null,
      "is-federated-user": false,
      "is-group-membership-normalized": null,
      "is-group-membership-synced-to-users-groups": null,
      "notification-email-template-id": null,
      "preferred-ui-landing-page": "MyApps",
      "provider": null,
      "service-user": null,
      "status": null,
      "support-accounts": null,
      "synced-from-app": null,
      "user-flow-controlled-by-external-client": null,
      "user-token": null
    },
    "user-name": "ociuser.test",
    "user-type": null,
    "x509-certificates": null
  },
  "etag": "6eda118f39504260bd5ad4f307e93c59",
  "opc-next-page": "MQ==",
  "opc-total-items": "1"
}
kmkittu200@codeeditor:~ (us-phoenix-1)$
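As an added example (not the article's own code), here is a small Python wrapper around the identity-domains command shown above that validates the email entries before calling the CLI, builds the --name and --emails JSON with json.dumps instead of hand-typed quotes, and creates one user per row of a CSV, which is the bulk-creation use case the article motivates. The sample CSV, the alice/bob users, the two placeholders and the injectable run function are constructed for this example, and the display name is assumed to be given name plus family name as in the example above.

```python
import csv
import io
import json
import subprocess

VALID_EMAIL_TYPES = {"work", "home", "other"}  # email types the article lists

# Constructed sample input (not real users): one CSV row per user to create.
SAMPLE_CSV = """user_name,given_name,family_name,email
alice.test,alice,test,alice@example.invalid
bob.test,bob,test,bob@example.invalid
"""

def build_create_user_cmd(domain_ocid, endpoint, user_name, given, family, emails):
    """Return the argv for `oci identity-domains user create`, validated up front.
    emails: list of (address, type, primary). The article says each email needs a
    type and one must be primary, so enforce that locally before calling the API.
    Display name is assumed to be "<given> <family>", as in the article's example."""
    if not emails:
        raise ValueError("at least one email is required")
    if sum(1 for _, _, primary in emails if primary) != 1:
        raise ValueError("exactly one email must be primary")
    bad = sorted({t for _, t, _ in emails if t not in VALID_EMAIL_TYPES})
    if bad:
        raise ValueError(f"invalid email type(s): {bad}")
    # json.dumps yields correctly quoted JSON; hand-typed quotes are the usual
    # cause of malformed --name/--emails values when typing these commands.
    return [
        "oci", "identity-domains", "user", "create",
        "--domain-ocid", domain_ocid,
        "--user-name", user_name,
        "--display-name", f"{given} {family}",
        "--schemas", json.dumps(["urn:ietf:params:scim:schemas:core:2.0:User"]),
        "--name", json.dumps({"givenName": given, "familyName": family}),
        "--emails", json.dumps([{"value": v, "type": t, "primary": p} for v, t, p in emails]),
        "--endpoint", endpoint,
    ]

def create_users_from_csv(csv_text, domain_ocid, endpoint, run=subprocess.run):
    """Create one user per CSV row; `run` is injectable so the script can be dry-run."""
    commands = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = build_create_user_cmd(domain_ocid, endpoint, row["user_name"],
                                    row["given_name"], row["family_name"],
                                    [(row["email"], "work", True)])
        run(cmd, check=True)  # CalledProcessError if the CLI exits non-zero
        commands.append(cmd)
    return commands

if __name__ == "__main__":
    # Dry run: print the commands instead of invoking the OCI CLI (placeholders).
    create_users_from_csv(SAMPLE_CSV, "<domain ocid>", "<regional endpoint>",
                          run=lambda cmd, check: print(" ".join(cmd)))
```

For a real run, replace the two placeholders with the domain OCID and regional endpoint from the domain details page and drop the run argument so subprocess.run invokes the CLI.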