OCI IAM - OCI Command line - Uploading API Keys to User in Default and Custom Domain
In our previous post, we explored how to create users in both the Default domain and a custom domain using the OCI Command Line Interface (CLI). In this article, we will cover another common requirement: uploading an API key to a user in the Default domain and to a user in a custom domain.

While API keys can typically be created and managed through the OCI Console, there are scenarios where the CLI becomes essential, such as API key rotation. In that case a new key must be generated and uploaded to the user. Now imagine performing this task for 100 users: it quickly becomes a time-consuming and error-prone process.

Moreover, API key rotation is often a recurring task in enterprise environments. Fortunately, the OCI CLI makes this process simple, efficient, and easily automatable.

In this post we will create an SSH key and upload it to a user located in the Default domain and to a user located in a custom domain.
Creation of SSH Key
For key creation we execute the following openssl commands.
[kmkittu200@19aecd02d604 .oci]$ openssl genrsa -out "$HOME/.oci/private_key.pem" 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
********************************+++++
**************************************************************************************************************+++++
e is 65537 (0x010001)
[kmkittu200@19aecd02d604 .oci]$ ls -lrt
total 4
-rw-------. 1 kmkittu200 oci 1675 01:42 private_key.pem
[kmkittu200@19aecd02d604 .oci]$ openssl rsa -pubout -in "$HOME/.oci/private_key.pem" -out "$HOME/.oci/public_key.pem"
writing RSA key
[kmkittu200@19aecd02d604 .oci]$ ls -lrt
total 8
-rw-------. 1 kmkittu200 oci 1675 01:42 private_key.pem
-rw-r--r--. 1 kmkittu200 oci  451 01:44 public_key.pem
Upload SSH Key to OCI user (Default domain) as API Key
$ oci iam user api-key upload -i
> oci iam user api-key upload --user-id ocid1.user.oc1..aaaaaaaaavicnqssyaeq6qjljebqygcgckiwscwz2kmcdgrzkf2lnmgr46qa --key-file oci_api_key_public.pem
--user-id -> the OCID of the user.
--key-file -> the public key file name; include its path if the file is not in the current directory.
Output
{
  "data": {
    "fingerprint": "86:76:fc:18:1f:a6:60:a9:a0:0f:68:d1:7a:77:fa:8c",
    "inactive-status": null,
    "key-id": "ocid1.tenancy.oc1..aaaaaaaap2v6pumkwkwwnvplozuv6gvwvbsy352iluostn2wtpf5kfu7cyva/ocid1.user.oc1..aaaaaaaaavicnqssyaeq6qjljebqygcgckiwscwz2kmcdgrzkf2lnmgr46qa/86:76:fc:18:1f:a6:60:a9:a0:0f:68:d1:7a:77:fa:8c",
    "key-value": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtvMNfT24DJmkSH9Q/WgI\n3/bmGDUFg825nAkI0YAhkDjuFHPaZqvhDfmq89Z/ok3DknEnZTHcicydOGiP1YLy\nRU5xEKzOIlgQloaOMe9oSRu9piN8yJI9JMKynp9tXJTK89m8b0x86FL3+Gfvdt5/\nn6SbnSiEem+Pv5z3HfXcXcPD4KOyI4C+vizSi25kSc4E3KOunKXoB+VdgtyNryi1\nd1mQVtNlT+59PPOiA0eC0HlR+NWphTlZmk3D0dU6xw2Xaul+imvAH+8s3EfesOMY\n3ieDCcd8IVLNWVKovgzvKhy5++gVVDAIG9fwmUMNBszcRsuTsPkSWaAahxwI5tuy\noQIDAQAB\n-----END PUBLIC KEY-----",
    "lifecycle-state": "ACTIVE",
    "time-created": "2025-05-25T00:02:53.523000+00:00",
    "user-id": "ocid1.user.oc1..aaaaaaaaavicnqssyaeq6qjljebqygcgckiwscwz2kmcdgrzkf2lnmgr46qa"
  },
  "etag": "e8e38da1396b46a5bd53141183b7135b"
}
Upload SSH Key to OCI user - Custom domain as API Key
For a custom domain, the command to upload the API key is different:
oci identity-domains api-key create \
  --endpoint "$DOMAIN_ENDPOINT" \
  --domain-ocid "$DOMAIN_OCID" \
  --key "$(cat "$PUBLIC_KEY_PATH")" \
  --fingerprint "$FINGERPRINT" \
  --schemas '["urn:ietf:params:scim:schemas:oracle:idcs:ApiKey"]' \
  --user "{\"value\":\"$GID\"}"
Endpoint – the regional URL of the domain.
Domain-ocid – the OCID of the custom domain. Both the endpoint and the domain OCID can be collected from the domain details page.
Key – the content of the public key file (not the file name).
Fingerprint – the fingerprint of the SSH key that has been created. It can be collected by executing the following command:
openssl rsa -pubin -in "<public key file path>" -outform DER 2>/dev/null | openssl dgst -sha1 -binary | xxd -p | tr -d '\n' | sed 's/\(..\)/\1:/g; s/:$//'
Example
openssl rsa -pubin -in "$PUBLIC_KEY_PATH" -outform DER 2>/dev/null | openssl dgst -sha1 -binary | xxd -p | tr -d '\n' | sed 's/\(..\)/\1:/g; s/:$//'
56:e0:85:57:83:ef:ff:bf:5c:6c:78:f7:c2:1e:19:e6
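The following Python script is an added example; it is not part of the original post and not OCI CLI code. Using only the standard library, it derives an API key fingerprint from a public key PEM and checks an upload response against it, which is the verification step a rotation script for many users should make before writing the new fingerprint into its CLI config. The public key, fingerprint and user OCID are copied from the Default-domain output above; the response JSON is constructed from them. One caveat it makes visible: OCI reports fingerprints as the MD5 digest of the DER-encoded public key, 16 colon-separated pairs, as both outputs on this page show, while the openssl dgst -sha1 pipeline above yields 20 pairs; in the custom-domain session on this page the fingerprint stored by the service is a different 16-pair value than the one supplied on the command line, so the fingerprint to keep is the one the service returns (or the MD5 form computed here).

```python
# Added example (not from the original post): compute the fingerprint OCI
# assigns to an API key from its public key PEM, and verify what the service
# returns after an upload. Standard library only.
import base64
import hashlib
import json
import re

# Public key, fingerprint and user OCID copied from the Default-domain upload
# output on this page; the service computed this fingerprint from the key.
PAGE_PUBLIC_KEY = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtvMNfT24DJmkSH9Q/WgI\n"
    "3/bmGDUFg825nAkI0YAhkDjuFHPaZqvhDfmq89Z/ok3DknEnZTHcicydOGiP1YLy\n"
    "RU5xEKzOIlgQloaOMe9oSRu9piN8yJI9JMKynp9tXJTK89m8b0x86FL3+Gfvdt5/\n"
    "n6SbnSiEem+Pv5z3HfXcXcPD4KOyI4C+vizSi25kSc4E3KOunKXoB+VdgtyNryi1\n"
    "d1mQVtNlT+59PPOiA0eC0HlR+NWphTlZmk3D0dU6xw2Xaul+imvAH+8s3EfesOMY\n"
    "3ieDCcd8IVLNWVKovgzvKhy5++gVVDAIG9fwmUMNBszcRsuTsPkSWaAahxwI5tuy\n"
    "oQIDAQAB\n"
    "-----END PUBLIC KEY-----"
)
PAGE_FINGERPRINT = "86:76:fc:18:1f:a6:60:a9:a0:0f:68:d1:7a:77:fa:8c"
PAGE_USER_OCID = "ocid1.user.oc1..aaaaaaaaavicnqssyaeq6qjljebqygcgckiwscwz2kmcdgrzkf2lnmgr46qa"

# Constructed response in the shape of `oci iam user api-key upload` output,
# populated with the page values above (time-created omitted).
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "fingerprint": PAGE_FINGERPRINT,
        "inactive-status": None,
        "key-value": PAGE_PUBLIC_KEY,
        "lifecycle-state": "ACTIVE",
        "user-id": PAGE_USER_OCID,
    },
    "etag": "e8e38da1396b46a5bd53141183b7135b",
})

# OCI fingerprint format: 16 lower-case hex pairs separated by colons.
OCI_FP_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the SubjectPublicKeyInfo DER,
    i.e. the bytes `openssl rsa -pubin -outform DER` would emit."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def colonize(digest: bytes) -> str:
    """Format digest bytes as lower-case hex pairs separated by colons."""
    return ":".join(f"{b:02x}" for b in digest)


def oci_fingerprint(pem: str) -> str:
    """Fingerprint in OCI's format: MD5 over the DER public key
    (same as `openssl rsa -pubin -outform DER | openssl md5 -c`)."""
    return colonize(hashlib.md5(pem_to_der(pem)).digest())


def sha1_fingerprint(pem: str) -> str:
    """What the post's `openssl dgst -sha1` pipeline produces: 20 pairs,
    which is not the form OCI reports back in the upload output."""
    return colonize(hashlib.sha1(pem_to_der(pem)).digest())


def is_oci_fingerprint(fp: str) -> bool:
    """True if fp has the 16-pair shape OCI returns."""
    return bool(OCI_FP_RE.match(fp))


def verify_upload(response_json: str, pem: str, expected_user_ocid: str) -> dict:
    """Post-upload checks before trusting a rotated key: bound to the intended
    user, the key we generated, fingerprint as OCI will expect it, active."""
    data = json.loads(response_json)["data"]
    return {
        "user_ok": data["user-id"] == expected_user_ocid,
        "key_ok": pem_to_der(data["key-value"]) == pem_to_der(pem),
        "fingerprint_ok": data["fingerprint"] == oci_fingerprint(pem),
        "active": data["lifecycle-state"] == "ACTIVE",
    }


if __name__ == "__main__":
    print("md5  fingerprint:", oci_fingerprint(PAGE_PUBLIC_KEY))
    print("sha1 fingerprint:", sha1_fingerprint(PAGE_PUBLIC_KEY))
    print("returned by OCI :", PAGE_FINGERPRINT)
    print(verify_upload(SAMPLE_RESPONSE, PAGE_PUBLIC_KEY, PAGE_USER_OCID))
```

In a batch rotation, run verify_upload on each response and only then replace the fingerprint and key_file entries in the user's CLI config; a response whose user-id or key does not match what was intended is the point at which to stop rather than continue to the next user.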
The GID (the user's ID within the identity domain, returned as data.id) can be collected using the command below.
oci identity-domains user get \
  --endpoint "<Domain end point>" \
  --user-id "<user OCID>" \
  --query 'data.id' \
  --raw-output
Example
$ oci identity-domains user get \
> --endpoint "https://idcs-53b3e3f1482c4403b98adde9ce8d09c0.us-ashburn-idcs-1.identity.us-ashburn-1.oci.oraclecloud.com:443" \
> --user-id "ocid1.user.oc1..aaaaaaaaxvbsoj2bnr4yupvjieyz2c4cm3z2ilnytrxieo5ildb62yazxj5q" \
> --query 'data.id' \
> --raw-output
1497be19efd44c42b08a6a6807987a6c
Example – Upload API key to user in custom domain
oci identity-domains api-key create \
  --endpoint https://idcs-53b3e3f1482c4403b98adde9ce8d09c0.us-ashburn-idcs-1.identity.us-ashburn-1.oci.oraclecloud.com:443 \
  --domain-ocid ocid1.domain.oc1..aaaaaaaa27q3n53jny3fgg4ddco3al2uwidthqrf7uhkmfgeopohfjrru6oq \
  --key "$(cat public_key.pem)" \
  --fingerprint "89:96:e2:b2:c2:08:f7:a4:6a:08:77:4a:e7:fb:0e:58:cf:5e:f4:ad" \
  --schemas '["urn:ietf:params:scim:schemas:oracle:idcs:ApiKey"]' \
  --user "{\"value\":\"1497be19efd44c42b08a6a6807987a6c\"}"
Note that the --user value must be the GID, not the user OCID. With the OCID the call is rejected with a ServiceError:
$ oci identity-domains api-key create --endpoint https://idcs-53b3e3f1482c4403b98adde9ce8d09c0.us-ashburn-idcs-1.identity.us-ashburn-1.oci.oraclecloud.com:443 --domain-ocid ocid1.domain.oc1..aaaaaaaa27q3n53jny3fgg4ddco3al2uwidthqrf7uhkmfgeopohfjrru6oq --key "$(cat public_key.pem)" --fingerprint "89:96:e2:b2:c2:08:f7:a4:6a:08:77:4a:e7:fb:0e:58:cf:5e:f4:ad" --schemas '["urn:ietf:params:scim:schemas:oracle:idcs:ApiKey"]' --user "$(echo "{\"value\":\"ocid1.user.oc1..aaaaaaaaxvbsoj2bnr4yupvjieyz2c4cm3z2ilnytrxieo5ildb62yazxj5q\"}")"
ServiceError:
{
The complete session, looking up the GID first and then passing it as the --user value:
[kmkittu200@4c64238e14dc .oci]$ oci identity-domains user get \
> --endpoint "https://idcs-53b3e3f1482c4403b98adde9ce8d09c0.us-ashburn-idcs-1.identity.us-ashburn-1.oci.oraclecloud.com:443" \
> --user-id "ocid1.user.oc1..aaaaaaaaxvbsoj2bnr4yupvjieyz2c4cm3z2ilnytrxieo5ildb62yazxj5q" \
> --query 'data.id' \
> --raw-output
1497be19efd44c42b08a6a6807987a6c
[kmkittu200@4c64238e14dc .oci]$ oci identity-domains api-key create \
> --endpoint https://idcs-53b3e3f1482c4403b98adde9ce8d09c0.us-ashburn-idcs-1.identity.us-ashburn-1.oci.oraclecloud.com:443 \
> --domain-ocid ocid1.domain.oc1..aaaaaaaa27q3n53jny3fgg4ddco3al2uwidthqrf7uhkmfgeopohfjrru6oq \
> --key "$(cat public_key.pem)" \
> --fingerprint "89:96:e2:b2:c2:08:f7:a4:6a:08:77:4a:e7:fb:0e:58:cf:5e:f4:ad" \
> --schemas '["urn:ietf:params:scim:schemas:oracle:idcs:ApiKey"]' \
> --user "$(echo "{\"value\":\"1497be19efd44c42b08a6a6807987a6c\"}")"
{
  "data": {
    "compartment-ocid": "ocid1.tenancy.oc1..aaaaaaaacq5gprsqz26em4koaokcntrpey4adi7mzzgve53cm44ozbxa4z4a",
    "delete-in-progress": null,
    "description": null,
    "domain-ocid": "ocid1.domain.oc1..aaaaaaaa27q3n53jny3fgg4ddco3al2uwidthqrf7uhkmfgeopohfjrru6oq",
    "fingerprint": "ad:77:ed:e0:8f:a9:85:cb:f2:26:be:4f:49:a5:ea:7b",
    "id": "785dfb86065940b38949b29bb7c40ee3",
    "idcs-created-by": {
      "display": "Krishnakumar kunka mohanram",
      "ocid": "ocid1.user.oc1..aaaaaaaalgnnlyvdwgzj75nydtw7fng3ol7ihb2gbb3shrcqmz44eykfjrwa",
      "ref": "https://idcs-53b3e3f1482c4403b98adde9ce8d09c0.us-ashburn-idcs-1.identity.us-ashburn-1.oci.oraclecloud.com:443/admin/v1/Users/b355b255db43422d8646f94c35691d14",
      "type": "User",
      "value": "b355b255db43422d8646f94c35691d14"
    },
    "idcs-last-modified-by": {
      "display": "Krishnakumar kunka mohanram",
      "ocid": "ocid1.user.oc1..aaaaaaaalgnnlyvdwgzj75nydtw7fng3ol7ihb2gbb3shrcqmz44eykfjrwa",
      "ref": "https://idcs-53b3e3f1482c4403b98adde9ce8d09c0.us-ashburn-idcs-1.identity.us-ashburn-1.oci.oraclecloud.com:443/admin/v1/Users/b355b255db43422d8646f94c35691d14",
      "type": "User",
      "value": "b355b255db43422d8646f94c35691d14"
    },
    "idcs-last-upgraded-in-release": null,
    "idcs-prevented-operations": null,
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAubtIqQfXFqCsi93SEFUi\nFK1aMzw5W6vk6zR3Douka+L8VKEtK968J+Wa/0FJxVtz/Q0uTBI7h1JaYsEahnF4\nzY4ideWFmTdzge0jALDJJ0DVRk/jx3t2H55OAWbIq/oTgN6FmwUK8GgT8XLouPns\nZ+WrwYd1i6PE23WQeF6Qny736XG5gsjDxZxB7k5lj4BHDe8fqchClsN/e2Y3wV6c\nc52vo0/EOy9wyl5mLEuhCDKS+93NL1lw0BnApYJ05kXk8rdFECwRYSZpYiapOj4X\nlUhVv8lISVtxe9Zqiu9zUlK6VSlyfbkJlbT8mqUQCNOEOfAsdU0X1s6VgagvO5oB\nHQIDAQAB\n-----END PUBLIC KEY-----",
    "meta": {
      "created": "2025-07-20T02:53:46.957Z",
      "last-modified": "2025-07-20T02:53:46.957Z",
      "location": "https://idcs-53b3e3f1482c4403b98adde9ce8d09c0.us-ashburn-idcs-1.identity.us-ashburn-1.oci.oraclecloud.com:443/admin/v1/ApiKeys/785dfb86065940b38949b29bb7c40ee3",
      "resource-type": "ApiKey",
      "version": "4c76dc3ed3eb4110be1a60de719b8d5c"
    },
    "ocid": "ocid1.credential.oc1..aaaaaaaa6e742z5axbbcjpast7xwp2ervjknxydz6fexdvb5izubve2nqqpq",
    "schemas": [
      "urn:ietf:params:scim:schemas:oracle:idcs:apikey"
    ],
    "tags": null,
    "tenancy-ocid": "ocid1.tenancy.oc1..aaaaaaaacq5gprsqz26em4koaokcntrpey4adi7mzzgve53cm44ozbxa4z4a",
    "urn-ietf-params-scim-schemas-oracle-idcs-extension-self-change-user": null,
    "user": {
      "display": "customuser",
      "name": "customeruser@example.com",
      "ocid": "ocid1.user.oc1..aaaaaaaaxvbsoj2bnr4yupvjieyz2c4cm3z2ilnytrxieo5ildb62yazxj5q",
      "ref": "https://idcs-53b3e3f1482c4403b98adde9ce8d09c0.us-ashburn-idcs-1.identity.us-ashburn-1.oci.oraclecloud.com:443/admin/v1/Users/1497be19efd44c42b08a6a6807987a6c",
      "value": "1497be19efd44c42b08a6a6807987a6c"
    }
  },
  "etag": "4c76dc3ed3eb4110be1a60de719b8d5c",
  "opc-total-items": "1"
}