Overview
This guide explains how to connect your Oracle Cloud Infrastructure (OCI) account to Uniskai manually, through the OCI Console, granting read-write access. You create an IAM group, an API-only service user, group membership, and two policies that Uniskai reads. With read-write access, Uniskai can both observe your cost and inventory and take optimization actions (for example, stop or resize resources).
Use the manual setup if you cannot use the automatic setup script (for example, you have no Cloud Shell / CLI access) or your organization requires changes to go through the Console.
How it works
Uniskai connects to your tenancy as a dedicated service user that belongs to a group. All permissions are granted to the group, and two policies define what that group can do:
CUR policy — cross-tenancy read access to Oracle's Cost & Usage Reports.
Platform policy — in-tenancy read access to the managed resource families plus use access to the specific resource types Uniskai operates on (compute instances and database nodes), and IAM inspect grants that let Uniskai verify the permissions were applied.
The objects created during this setup:
Resource | Name | Purpose |
Group | uniskai-group | Holds the service user; all permissions are granted to this group. |
User | uniskai-service-user | API-only service identity Uniskai authenticates as. |
Membership | user → group | Makes the user inherit the group's grants. |
Policy | uniskai-cur-policy | Cross-tenancy read access to Oracle's Cost & Usage Reports. |
Policy | uniskai-policy | In-tenancy manage access + IAM |
Prerequisites
Before you start:
You sign in as a tenancy administrator (member of Administrators), or have equivalent rights to manage groups, users, and root-compartment policies.
All steps are performed in the Default identity domain (Console → Identity & Security → Domains → Default domain). If your tenancy uses multiple domains, use the one you intend to onboard.
Step 1 — Create the group uniskai-group
Go to Identity & Security → Domains → Default domain → User management.
Scroll down to the Groups section and click Create group.
Name: uniskai-group
Description: Uniskai FinOps platform service group — read-write access to cost reports and resource families, scoped per least privilege
Leave members empty for now and click Create.
Step 2 — Create the service user uniskai-service-user
In the same domain, go to Users → Create user.
Uncheck "Use the email address as the username" (this is a service identity, not a person).
Username: uniskai-service-user
First name / Last name: e.g. Uniskai / Service (any value; the form requires it).
Email: [email protected]
Do not assign the user to any group on this screen — click Create.
Step 3 — Restrict the user to API keys only
A service identity should not be able to sign in to the Console or use any credential type other than API signing keys.
Open the new user's detail page and click Edit user capabilities (or open the User capabilities panel).
Enable only: API keys.
Disable everything else.
Click Save changes.
Step 4 — Add the user to the group
On the user's page, go to Groups → Add user to group (or open Groups → uniskai-group → Assigned users → Assign users to group).
Select "uniskai-service" (user name) and click Add.
Step 5 — Create the CUR policy uniskai-cur-policy
This is a cross-tenancy policy that lets uniskai-group read Oracle's Cost & Usage Reports bucket. It must be created in the root compartment (the tenancy). Billing data is read-only regardless of access level, so this policy is identical to the read-only setup.
Go to Identity&Security→Domains→ Policies.
In the Compartment picker (left), select the root compartment (your tenancy name, at the top of the list).
Click Create policy.
Name: uniskai-cur-policy
Description: Grants uniskai-group cross-tenancy read access to Oracle-owned Cost & Usage Reports bucket
Toggle Show manual editor and paste these two statements exactly:
define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group uniskai-group to read objects in tenancy usage-reportClick Create.
Note: The define line names Oracle's reporting tenancy. The OCID shown is the fixed Oracle-owned value — do not replace it with your own tenancy OCID.
Step 6 — Create the platform policy uniskai-policy
Also created in the root compartment (the tenancy). It contains two kinds of statements:
Verification — inspect only grants that let Uniskai read your IAM back and confirm the permissions were applied. These access no resources or data.
Access — the actual read-write permissions Uniskai uses: read the Cost & Usage Reports in your tenancy, read each managed resource family, and use the specific resource types Uniskai operates on (compute instances and database nodes).
Go to Identity & Security → Policies, with the root compartment selected (as in Step 5).
Click Create policy.
Name: uniskai-policy
Description: Grants uniskai-group read-write access to OCI resource families scoped to the minimum verb per type (least privilege) and read access to usage reports, plus IAM inspect for permission verification
Toggle Show manual editor and paste all of the following statements:
Allow group uniskai-group to read usage-report in tenancy
Allow group uniskai-group to use instances in tenancy
Allow group uniskai-group to use db-nodes in tenancy
Allow group uniskai-group to read instance-family in tenancy
Allow group uniskai-group to read database-family in tenancy
Allow group uniskai-group to read autonomous-database-family in tenancy
Allow group uniskai-group to read virtual-network-family in tenancy
Allow group uniskai-group to read volume-family in tenancy
Allow group uniskai-group to read object-family in tenancy
Allow group uniskai-group to read file-family in tenancy
Allow group uniskai-group to read cluster-family in tenancy
Allow group uniskai-group to read functions-family in tenancy
Allow group uniskai-group to read load-balancers in tenancy
Allow group uniskai-group to read network-load-balancers in tenancy
Allow group uniskai-group to read nosql-family in tenancy
Allow group uniskai-group to read redis-family in tenancyClick Create.
Note: Grant the resource families for read access exactly as written (e.g. instance-family), not individual resource types. Uniskai's verifier only credits family-level grants for read, so individual types would fail that check. The two use statements are the exception — they intentionally target the specific resource types instances and db-nodes that Uniskai acts on, and must be entered exactly as written.
Note: Already onboarded with an older policy? Open the existing uniskai-policy (or uniskai-cur-policy), choose Edit policy statements, and replace the contents with the lists above so they match exactly.
Step 7 — Create the API signing key
OCI does not generate the API signing key automatically— OCI displays the generated private key only once, so you generate and download it yourself.
In the Console, go to Identity & Security → Domains → Default domain → Users and open uniskai-service-user.
In the left panel under Resources, click API keys (may appear under Tokens and keys).
Click Add API key.
Choose Generate API key pair.
Click Download private key and save the
.pemsomewhere safe — this is the only time OCI shows it. (You may download the public key too; it is optional.)Click Add.
A Configuration file preview dialog appears. It contains the user OCID, fingerprint, tenancy OCID, and region. Click Copy to copy the whole configuration file — you will provide it to Uniskai in Step 8.
Step 8 — Hand these to Uniskai
Go back to the Uniskai Oracle connection screen you opened in Step 1. Then introduce the list:
Provide the following to Uniskai:
You don't need to collect each value separately — the configuration file you copied in Step 7 already contains them. Provide to Uniskai:
The configuration file copied in Step 7 (it includes the user OCID, fingerprint, tenancy OCID, and region).
The private key (.pem) downloaded in Step 7.
Uniskai reads the values from the configuration file and runs the credentials check.
Results
After completing the steps:
uniskai-group, uniskai-service-user, the group membership, and the two policies (uniskai-cur-policy, uniskai-policy) exist in your tenancy.
Uniskai authenticates as the service user and has read-write access — read across the managed resource families, use access on the resource types it operates on, and read access to the cost and usage reports.
Once you hand over the values from Step 8, Uniskai runs a credentials check during onboarding to confirm the grant.
Key notes / limitations
Both policies must live in the root compartment (the tenancy). Creating them in a sub-compartment will fail the check.
Grant families for read access, not individual resource types. Uniskai's verifier only credits family-level grants for read (e.g. instance-family, not instances). The use instances and use db-nodes grants intentionally target individual resource types — keep those exactly as written too.
The Oracle reporting-tenancy OCID is fixed. In Step 5, do not replace it with your own tenancy OCID.
The private key is shown only once. Download and store it securely in Step 7.
Consider rewording, since this is a manual setup guide. The emphasis should be on updating/editing the existing policies rather than re-running.
Verifying it worked
Uniskai's credentials check, run during onboarding, confirms that uniskai-group grants at least read on all managed resource families and that the IAM inspect statements allow it to read your policies. If the check reports missing permissions, re-confirm that the Step 6 statements match the list above verbatim (read families plus the two use statements) and that both policies live in the root compartment.




















