Support OCI Vault integration using Instance Principals #226

Open
anilmoris opened this issue May 5, 2025 · 5 comments

@anilmoris

I’m trying to configure the Oracle DB Observability Exporter (v1.6.0) to retrieve the database password from OCI Vault using Instance Principals.

I am passing
OCI_VAULT_ID
OCI_VAULT_SECRET_NAME

I am seeing this error

time=2025-05-02T11:13:16.538Z level=INFO  source=main.go:75 msg="OCI_VAULT_ID env var is present so using OCI Vault" vaultOCID=ocid1.vault.oc1.phx...
2025/05/02 11:13:16 can not create client, bad configuration: did not find a proper configuration for tenancy

Expected behavior:
The exporter should detect and use the instance principal (no local config file), retrieve the secret from OCI Vault, and connect to the database without requiring a wallet or ~/.oci/config.

Actual current behavior:
It fails with "did not find a proper configuration for tenancy" even though instance principal is enabled.

A local ~/.oci/config is not needed when using Instance Principals.

@markxnelson
Member

Hi @anilmoris - thanks for your suggestion, we will add this to the roadmap.

@anders-swanson
Member

As part of this fix, I'm going to add workload identity (OKE) as well 👍

@andycoates

andycoates commented May 29, 2025

Could you ensure the updated Vault auth support also works with the new multi-db config? Assuming similar config, I'd picture something like

vault_auth:
  oci:
    type: instance_principal
  azure: ...
  gcp: ....
  aws: ....

(Edit: I saw the new config for Vault is actually in the multi-db config - just not in the example file)

Also something to think about - I think wallets are also a pain to manage - could there be an option to fetch the wallet from Vault too?

@anders-swanson
Member

Hi @andycoates OCI Vault and AZ Vault are currently supported in multi-database:
https://github.com/oracle/oracle-db-appdev-monitoring?tab=readme-ov-file#using-oci-vault

You can connect each database to a different vault. We've yet to implement additional auth mechanisms like instance principal, or support for GCP/AWS, but these are on our roadmap.

@markxnelson
Member

fyi @anders-swanson the AZ vault impl does work with their equivalent of instance principal already
