oracle / oci-cli

Command Line Interface for Oracle Cloud Infrastructure
https://cloud.oracle.com/cloud-infrastructure

"oci session authenticate" user experience is confusing #460

Open forana opened 2 years ago

forana commented 2 years ago

I followed these instructions: https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm

I authenticated successfully, and oci session validate succeeds. However, any API interaction results in the error:

ERROR: The config file at ~/.oci/config is invalid:

+Config Errors---+----------------------------------------------------------------------------+
| Key  | Error   | Hint                                                                       |
+------+---------+----------------------------------------------------------------------------+
| user | missing | log into the console and go to the user's settings page to find their OCID |
+------+---------+----------------------------------------------------------------------------+

The user key is indeed missing from ~/.oci/config. Running oci session refresh did not add it.

There are a total of two Google results for this error, and neither was useful - opened this issue to hopefully get this resolved, and add a Google result for anyone else who hit this. After figuring out how to find my OCID from the console and adding it manually to ~/.oci/config, then trying an API interaction, I got a new error message:

WARNING: The active profile contains a value for 'security_token_file' which is not being used. To authenticate using the token, specify --auth security_token

This showed me that I had misunderstood the instructions at the bottom, where the --auth security_token parameter was mentioned as necessary for all CLI interactions using this auth. This was a confusing experience because the page reads like two alternatives - authenticating with a browser and without. I chose the former, and proceeded to the next page of instructions - missing that critical step.

Several suggestions for resolving this:

  1. Make it extremely clear in the docs that that parameter is required.
  2. For that error message case, if security_token_file is present in the profile, include an additional (did you forget to pass '--auth security_token'?) message (or something like that).
  3. Add a configuration option that has the same effect as --auth security_token, and set that when a profile is created using oci session validate.

zalewma commented 2 years ago

I'm struggling with the same. When running oci session authenticate, configured profile doesn't create user

user = ocid1.user.oc1..aaaXXX

I wanted to use OCI session only once for creating API Key for the same user in pragmatic way. Without this field I don't know about user OCID and --user-id argument can't be provided automatically for the

oci --config-file ~/.oci/sso-config --profile SSO --auth security_token iam user api-key upload --user-id <MISSING ID> --key-file ~/.oci/id_rsa.pub

Is it possible to add this user OCID during session authenticate?

davidkhala commented 2 years ago

I have been suffering from the exact same experience, my workaround is to use oci setup config and forget about oci session

harshkumar-dev commented 2 years ago

When you run: "oci session authenticate" it shows you an example about how to run a command using --auth security_token and correct profile.

doc has "Validating a Token" https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/clitoken.htm

oci session validate --config-file --profile --auth security_token

which also mentions --auth security_token.

session based auth doesn't need user ocid.

b-dean commented 2 years ago

To add on to what @harshkumar-dev said, you can also set an environment variable (@forana maybe put it in your ~/.bashrc)

export OCI_CLI_AUTH=security_token

It would be really nice if oci session authenticate would just write authentication_type=security_token in the profile in ~/.oci/config when it is writing security_token_file and all the other things that only work for auth type security_token.

But unfortunately the oci python sdk doesn't support authentication_type of security_token in the config:

https://github.com/oracle/oci-python-sdk/blob/60f042354caef47ce0008b9969962ff3481d91c1/src/oci/util.py#L29-L33
https://github.com/oracle/oci-python-sdk/blob/60f042354caef47ce0008b9969962ff3481d91c1/src/oci/util.py#L212-L224
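
The mismatch discussed in this thread (a session profile used without `--auth security_token`) can be detected before any API call. The following is an added example, not code from oci-cli or from any commenter: the function name `diagnose`, its status codes and the sample profiles are constructed, and it assumes the CLI falls back to API-key auth when neither `--auth` nor `OCI_CLI_AUTH` is set, with the flag taking precedence over the variable.

```python
import configparser
import os

# Constructed sample: "SSO" mirrors what the thread says `oci session authenticate`
# writes (security_token_file, no `user`); "APIKEY" is a classic API-key profile.
SAMPLE_CONFIG = """\
[SSO]
tenancy = ocid1.tenancy.oc1..exampletenancy
region = us-ashburn-1
key_file = /home/me/.oci/sessions/SSO/oci_api_key.pem
security_token_file = /home/me/.oci/sessions/SSO/token

[APIKEY]
user = ocid1.user.oc1..exampleuser
tenancy = ocid1.tenancy.oc1..exampletenancy
region = us-ashburn-1
key_file = /home/me/.oci/oci_api_key.pem
"""


def diagnose(config_text, profile, cli_auth=None, env=None):
    """Return (effective_auth, status) for a profile and the chosen auth mode."""
    env = os.environ if env is None else env
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if profile not in parser:
        raise KeyError(f"profile {profile!r} not found")
    section = parser[profile]
    # Assumed precedence: --auth flag, then OCI_CLI_AUTH, then API-key auth.
    auth = cli_auth or env.get("OCI_CLI_AUTH") or "api_key"
    has_token = "security_token_file" in section
    has_user = "user" in section
    if auth == "security_token":
        # Session auth needs the token file; `user` is not required.
        return auth, ("OK" if has_token else "NO_TOKEN_FILE")
    if has_token and not has_user:
        # The "user | missing" error from the original report.
        return auth, "NEED_AUTH_SECURITY_TOKEN"
    if has_token:
        # The "'security_token_file' ... is not being used" warning case.
        return auth, "TOKEN_FILE_UNUSED"
    return auth, ("OK" if has_user else "MISSING_USER")


if __name__ == "__main__":
    for prof in ("SSO", "APIKEY"):
        print(prof, diagnose(SAMPLE_CONFIG, prof, env={}))
    print("SSO", diagnose(SAMPLE_CONFIG, "SSO", env={"OCI_CLI_AUTH": "security_token"}))
```
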

romkhub commented 1 year ago

Also it doesn't seem to honor --token-location arg at all. I have several versions of OCI CLI and python, and am trying to scope all the work dedicated to a specific env within a dedicated folder (via pyenv-virtualenv, direnv, etc.) - I'm not able to do this as every time I'm running oci session authenticate it creates ~/.oci and drops tokens there. It also doesn't seem to honor OCI_CLI_CONFIG_FILE env var, but at least --config-location arg works. Tried this with oci cli version 3.30.1 today.

mjudeikis commented 3 months ago

Just your friendly developers reporting this is still an issue in 2024 and this is still the best place to find the answer :D

pavanksanthosh commented 1 week ago

You can log in to the OCI console and find out the user ocid, then you can add it in your .oci/config file under the relevant profile. That should work fine.

TornadoRadon commented 5 days ago

This is still a problem. Setup process is so confusing, even if you do exactly what the documentation said, you will get the same error again and again :disappointed:

karthik-k-kamath commented 5 days ago

Thanks all for sharing your views. The CLI team will relook at all proposed suggestions and get back here.