
OCI Vault service


The OCI Vault can manage both keys and secrets.

One common use case is to retrieve a secret from the Vault in order to access a resource. Additionally, an application can be designed to cache a secret and use it for as long as it's needed.


Create Vault

Burger menu - Security - Vault

Create Key

In the Vault, create a key that will be used to protect your secrets.

Create Secret

Finally, create secrets, with one or more versions (if the secret is to be rotated).


Find a secret (or password)

For those who have access rights, the secret's content can be seen via the OCI Console, the oci command, or the Python SDK.

Use a secret (password) in a script or application

But the more useful use case is getting a secret from the Vault and using it in a script or application. For example, this oci command (with sed added to strip the quotes and base64 to decode the content) can be used to read the secret named "well_known_root_password". You must know the secret's OCID.
$ oci secrets secret-bundle get --secret-id=ocid1.vaultsecret.oc1.iad.amayzvoveqahzqpzagexotmoinw6rkfkyy5a7zgo2r2xzyvu2xizlca \
  --query 'data."secret-bundle-content".content' | sed 's/"//g' | base64 -d

This code can be used in other scripts that require this password. In case of password rotation (or setting up a new one), no change is needed in the script/application, since the above code returns the current (valid) password.

Similarly, this can be used to SSH as root into a host (zdudic-host). sshpass (a noninteractive ssh password provider) runs SSH with keyboard-interactive password authentication, but non-interactively!
$ sshpass -p \
> `oci secrets secret-bundle get --secret-id=ocid1.vaultsecret.oc1.iad.amayzvoveqahzqpzagexotmoinw6rkfkyy5a7zgo2r2xzyvu2xizlca \
> --query 'data."secret-bundle-content".content' | sed 's/"//g' | base64 -d` \
> ssh root@zdudic-host
Last login: Wed Apr  8 17:15:32 2020 from dhcp-xxx
[root@zdudic-host ~]#


This is a short Python3 script that reads a secret (password) by querying a Vault using the secret's OCID. Again, this code can be used by other tools, or as a function inside other scripts.

If the OCI config file and profile are not the defaults, you can provide your own values.
$ -h
usage: [-h] -s SECRET_ID [-c CONFIG] [-p PROFILE]
Read OCI secret
optional arguments:
  -h, --help            show this help message and exit
  -s SECRET_ID, --secret_id SECRET_ID
                        OCI secret ID
  -c CONFIG, --config CONFIG
                        OCI config file, default is ~/.oci/config
  -p PROFILE, --profile PROFILE
                        Config profile, default is DEFAULT

$ -s ocid1.vaultsecret.oc1.iad.amayzvoveqahzqpzagexotmoinw6rkfkyy5a7zgo2r2xzyvu2xizlca

The code:
import sys
import oci
import base64
import argparse

parser = argparse.ArgumentParser(description="Read OCI secret")
parser.add_argument("-s", "--secret_id", help="OCI secret ID", required=True)
parser.add_argument("-c", "--config", help="OCI config file, default is ~/.oci/config", default="~/.oci/config")
parser.add_argument("-p", "--profile", help="Config profile, default is DEFAULT", default="DEFAULT")
args = parser.parse_args()

try:
    # Load the OCI config file and profile, then build a Secrets client
    ociconfig = oci.config.from_file(args.config, args.profile)
    secret_client = oci.secrets.SecretsClient(ociconfig)
    # Fetch the current version of the secret bundle by its OCID
    response = secret_client.get_secret_bundle(args.secret_id)
    # The content is returned base64-encoded; decode it to the plaintext secret
    base64_secret_content = response.data.secret_bundle_content.content
    base64_secret_bytes = base64_secret_content.encode('ascii')
    base64_message_bytes = base64.b64decode(base64_secret_bytes)
    secret_content = base64_message_bytes.decode('ascii')
except oci.exceptions.ConfigFileNotFound as e:
    sys.exit("oci.exceptions.ConfigFileNotFound: {0}".format(e))
except oci.exceptions.ProfileNotFound as e:
    sys.exit("oci.exceptions.ProfileNotFound: {0}".format(e))
except oci.exceptions.ServiceError as e:
    sys.exit("Cannot get secret " + args.secret_id + ": " + str(e))

print(secret_content)
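As an added example (not code from the original page), here is how an application could cache the decoded secret, as mentioned at the top of the page, and refresh it after a TTL or when told the password was rotated, so the current version is always picked up. The Vault call is replaced by a constructed in-memory fetcher (FAKE_VAULT, set_fake_secret and fake_fetch are assumptions) so that it runs offline.

```python
import base64
import time

# Constructed in-memory stand-in for the Vault (assumption: no real OCIDs or passwords).
# With the real SDK the fetcher would be:
#   lambda sid: secret_client.get_secret_bundle(sid).data.secret_bundle_content.content
FAKE_VAULT = {}

def set_fake_secret(secret_id, plaintext):
    """Store a base64-encoded secret, the way secret bundle content is returned."""
    FAKE_VAULT[secret_id] = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")

def fake_fetch(secret_id):
    """Return the base64 content string for a secret, like the oci CLI query above."""
    return FAKE_VAULT[secret_id]

class SecretCache:
    """Fetch a secret once, reuse it for ttl seconds, then fetch the current version again."""

    def __init__(self, fetch, ttl=300, clock=time.monotonic):
        self._fetch = fetch          # callable(secret_id) -> base64 content string
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._entries = {}           # secret_id -> (plaintext, expires_at)
        self.fetch_count = 0         # how many times the Vault was actually queried

    def get(self, secret_id):
        now = self._clock()
        entry = self._entries.get(secret_id)
        if entry is not None and now < entry[1]:
            return entry[0]          # still fresh, no Vault round trip
        content_b64 = self._fetch(secret_id)
        self.fetch_count += 1
        plaintext = base64.b64decode(content_b64.encode("ascii")).decode("utf-8")
        self._entries[secret_id] = (plaintext, now + self._ttl)
        return plaintext

    def invalidate(self, secret_id):
        """Drop the cached value, e.g. after a login with it fails because it was rotated."""
        self._entries.pop(secret_id, None)

if __name__ == "__main__":
    sid = "ocid1.vaultsecret.oc1..example"   # placeholder, not a real OCID
    set_fake_secret(sid, "v1-password")
    cache = SecretCache(fake_fetch, ttl=60)
    print(cache.get(sid), cache.get(sid), cache.fetch_count)   # v1-password v1-password 1
    set_fake_secret(sid, "v2-password")        # rotation happened in the Vault
    cache.invalidate(sid)
    print(cache.get(sid), cache.fetch_count)   # v2-password 2
```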
