Skip to main content

Connecting an Oracle (OCI) Account — Manual Setup (Read/Write)

Learn how to connect read-write Oracle Account Manully to the Uniskai

Overview

This guide explains how to connect your Oracle Cloud Infrastructure (OCI) account to Uniskai manually, through the OCI Console, granting read-write access. You create an IAM group, an API-only service user, group membership, and two policies that Uniskai reads. With read-write access, Uniskai can both observe your cost and inventory and take optimization actions (for example, stop or resize resources).

Use the manual setup if you cannot use the automatic setup script (for example, you have no Cloud Shell / CLI access) or your organization requires changes to go through the Console.

How it works

Uniskai connects to your tenancy as a dedicated service user that belongs to a group. All permissions are granted to the group, and two policies define what that group can do:

  • CUR policy — cross-tenancy read access to Oracle's Cost & Usage Reports.

  • Platform policy — in-tenancy read access to the managed resource families plus use access to the specific resource types Uniskai operates on (compute instances and database nodes), and IAM inspect grants that let Uniskai verify the permissions were applied.

The objects created during this setup:

Resource

Name

Purpose

Group

uniskai-group

Holds the service user; all permissions are granted to this group.

User

uniskai-service-user

API-only service identity Uniskai authenticates as.

Membership

user → group

Makes the user inherit the group's grants.

Policy

uniskai-cur-policy

Cross-tenancy read access to Oracle's Cost & Usage Reports.

Policy

uniskai-policy

In-tenancy manage access + IAM inspect for verification.

Prerequisites

Before you start:

  • You sign in as a tenancy administrator (member of Administrators), or have equivalent rights to manage groups, users, and root-compartment policies.

  • All steps are performed in the Default identity domain (Console → Identity & Security → Domains → Default domain). If your tenancy uses multiple domains, use the one you intend to onboard.

Step 1 — Create the group uniskai-group

  1. Go to Identity & Security → Domains → Default domain → User management.

    Scroll down to the Groups section and click Create group.

  2. Name: uniskai-group

  3. Description: Uniskai FinOps platform service group — read-write access to cost reports and resource families, scoped per least privilege

  4. Leave members empty for now and click Create.

Step 2 — Create the service user uniskai-service-user

  1. In the same domain, go to Users → Create user.

  2. Uncheck "Use the email address as the username" (this is a service identity, not a person).

  3. Username: uniskai-service-user

  4. First name / Last name: e.g. Uniskai / Service (any value; the form requires it).

  5. Do not assign the user to any group on this screen — click Create.

Step 3 — Restrict the user to API keys only

A service identity should not be able to sign in to the Console or use any credential type other than API signing keys.

  1. Open the new user's detail page and click Edit user capabilities (or open the User capabilities panel).

  2. Enable only: API keys.

  3. Disable everything else.

  4. Click Save changes.

Step 4 — Add the user to the group

  1. On the user's page, go to Groups → Add user to group (or open Groups → uniskai-group → Assigned users → Assign users to group).

  2. Select "uniskai-service" (user name) and click Add.

Step 5 — Create the CUR policy uniskai-cur-policy

This is a cross-tenancy policy that lets uniskai-group read Oracle's Cost & Usage Reports bucket. It must be created in the root compartment (the tenancy). Billing data is read-only regardless of access level, so this policy is identical to the read-only setup.

  1. Go to Identity&Security→Domains→ Policies.

  2. In the Compartment picker (left), select the root compartment (your tenancy name, at the top of the list).

  3. Click Create policy.

  4. Name: uniskai-cur-policy

  5. Description: Grants uniskai-group cross-tenancy read access to Oracle-owned Cost & Usage Reports bucket

  6. Toggle Show manual editor and paste these two statements exactly:

    define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq 
    endorse group uniskai-group to read objects in tenancy usage-report
  7. Click Create.

Note: The define line names Oracle's reporting tenancy. The OCID shown is the fixed Oracle-owned value — do not replace it with your own tenancy OCID.

Step 6 — Create the platform policy uniskai-policy

Also created in the root compartment (the tenancy). It contains two kinds of statements:

  • Verificationinspect only grants that let Uniskai read your IAM back and confirm the permissions were applied. These access no resources or data.

  • Access — the actual read-write permissions Uniskai uses: read the Cost & Usage Reports in your tenancy, read each managed resource family, and use the specific resource types Uniskai operates on (compute instances and database nodes).

  1. Go to Identity & Security → Policies, with the root compartment selected (as in Step 5).

  2. Click Create policy.

  3. Name: uniskai-policy

  4. Description: Grants uniskai-group read-write access to OCI resource families scoped to the minimum verb per type (least privilege) and read access to usage reports, plus IAM inspect for permission verification

  5. Toggle Show manual editor and paste all of the following statements:

    Allow group uniskai-group to read usage-report in tenancy
    Allow group uniskai-group to use instances in tenancy
    Allow group uniskai-group to use db-nodes in tenancy
    Allow group uniskai-group to read instance-family in tenancy
    Allow group uniskai-group to read database-family in tenancy
    Allow group uniskai-group to read autonomous-database-family in tenancy
    Allow group uniskai-group to read virtual-network-family in tenancy
    Allow group uniskai-group to read volume-family in tenancy
    Allow group uniskai-group to read object-family in tenancy
    Allow group uniskai-group to read file-family in tenancy
    Allow group uniskai-group to read cluster-family in tenancy
    Allow group uniskai-group to read functions-family in tenancy
    Allow group uniskai-group to read load-balancers in tenancy
    Allow group uniskai-group to read network-load-balancers in tenancy
    Allow group uniskai-group to read nosql-family in tenancy
    Allow group uniskai-group to read redis-family in tenancy
  6. Click Create.

  • Note: Grant the resource families for read access exactly as written (e.g. instance-family), not individual resource types. Uniskai's verifier only credits family-level grants for read, so individual types would fail that check. The two use statements are the exception — they intentionally target the specific resource types instances and db-nodes that Uniskai acts on, and must be entered exactly as written.

  • Note: Already onboarded with an older policy? Open the existing uniskai-policy (or uniskai-cur-policy), choose Edit policy statements, and replace the contents with the lists above so they match exactly.

Step 7 — Create the API signing key

OCI does not generate the API signing key automatically— OCI displays the generated private key only once, so you generate and download it yourself.

  1. In the Console, go to Identity & Security → Domains → Default domain → Users and open uniskai-service-user.

  2. In the left panel under Resources, click API keys (may appear under Tokens and keys).

  3. Click Add API key.

  4. Choose Generate API key pair.

  5. Click Download private key and save the .pem somewhere safe — this is the only time OCI shows it. (You may download the public key too; it is optional.)

  6. Click Add.

  7. A Configuration file preview dialog appears. It contains the user OCID, fingerprint, tenancy OCID, and region. Click Copy to copy the whole configuration file — you will provide it to Uniskai in Step 8.

Step 8 — Hand these to Uniskai

Go back to the Uniskai Oracle connection screen you opened in Step 1. Then introduce the list:

Provide the following to Uniskai:
You don't need to collect each value separately — the configuration file you copied in Step 7 already contains them. Provide to Uniskai:

  • The configuration file copied in Step 7 (it includes the user OCID, fingerprint, tenancy OCID, and region).

  • The private key (.pem) downloaded in Step 7.

Uniskai reads the values from the configuration file and runs the credentials check.

Results

After completing the steps:

  • uniskai-group, uniskai-service-user, the group membership, and the two policies (uniskai-cur-policy, uniskai-policy) exist in your tenancy.

  • Uniskai authenticates as the service user and has read-write access — read across the managed resource families, use access on the resource types it operates on, and read access to the cost and usage reports.

  • Once you hand over the values from Step 8, Uniskai runs a credentials check during onboarding to confirm the grant.

Key notes / limitations

  • Both policies must live in the root compartment (the tenancy). Creating them in a sub-compartment will fail the check.

  • Grant families for read access, not individual resource types. Uniskai's verifier only credits family-level grants for read (e.g. instance-family, not instances). The use instances and use db-nodes grants intentionally target individual resource types — keep those exactly as written too.

  • The Oracle reporting-tenancy OCID is fixed. In Step 5, do not replace it with your own tenancy OCID.

  • The private key is shown only once. Download and store it securely in Step 7.

  • Consider rewording, since this is a manual setup guide. The emphasis should be on updating/editing the existing policies rather than re-running.

Verifying it worked

Uniskai's credentials check, run during onboarding, confirms that uniskai-group grants at least read on all managed resource families and that the IAM inspect statements allow it to read your policies. If the check reports missing permissions, re-confirm that the Step 6 statements match the list above verbatim (read families plus the two use statements) and that both policies live in the root compartment.

Did this answer your question?