Skip to main content

Connecting an Oracle (OCI) Account — Manual Setup (Read-Only)

Overview

This guide explains how to connect your Oracle Cloud Infrastructure (OCI) account to Uniskai manually, through the OCI Console, granting read-only access. You create an IAM group, an API-only service user, group membership, and two policies that Uniskai reads. With read-only access, Uniskai observes your cost and inventory but does not take any actions on your resources.

Use the manual setup if you cannot use the automatic setup script (for example, you have no Cloud Shell / CLI access) or your organization requires changes to go through the Console.

How it works

Uniskai connects to your tenancy as a dedicated service user that belongs to a group. All permissions are granted to the group, and two policies define what that group can do:

  • CUR policy — cross-tenancy read access to Oracle's Cost & Usage Reports.

  • Platform policy — in-tenancy read access to the managed resource families, plus IAM inspect grants that let Uniskai verify the permissions were applied.

The objects created during this setup:

Resource

Name

Purpose

Group

uniskai-group

Holds the service user; all permissions are granted to this group.

User

uniskai-service-user

API-only service identity Uniskai authenticates as.

Membership

user → group

Makes the user inherit the group's grants.

Policy

uniskai-cur-policy

Cross-tenancy read access to Oracle's Cost & Usage Reports.

Policy

uniskai-policy

In-tenancy read access + IAM inspect for verification.

Prerequisites

Before you start:

  • You sign in as a tenancy administrator (member of Administrators), or have equivalent rights to manage groups, users, and root-compartment policies.

  • All steps are performed in the Default identity domain (Console → Identity & Security → Domains → Default domain). If your tenancy uses multiple domains, use the one you intend to onboard.

Setup steps

Step 1 — Create the group uniskai-group

  1. Go to Identity & Security → Domains → Default domain → User management.

  2. Scroll to the Groups section and click Create group.

  3. Name: uniskai-group

  4. Description: Uniskai FinOps platform service group — read-only access to cost reports and managed resource families

  5. Leave members empty for now and click Create.

Step 2 — Create the service user uniskai-service-user

  1. On the same User management tab, in the Users section, click Create user.

  2. Uncheck "Use the email address as the username" (this is a service identity, not a person).

  3. Username: uniskai-service-user

  4. First name / Last name: e.g. Uniskai / Service (any value; the form requires it).

  5. Do not assign the user to any group on this screen — click Create.

Step 3 — Restrict the user to API keys only

A service identity should not be able to sign in to the Console or use any credential type other than API signing keys.

  1. Open the new user's detail page and click Edit user capabilities (or open the User capabilities panel).

  2. Enable only: API keys.

  3. Disable everything else.

  4. Click Save changes.

Step 4 — Add the user to the group

  1. On the user's page, go to Groups → Add user to group (or open Groups → uniskai-group → Assigned users → Assign users to group).

  2. Select "uniskai-service" (user name) and click Add.

Step 5 — Create the CUR policy uniskai-cur-policy

This is a cross-tenancy policy that lets uniskai-group read Oracle's Cost & Usage Reports bucket. It must be created in the root compartment (the tenancy). Billing data is read-only regardless of access level, so this policy is identical to the read-only setup.

  1. Go to Identity&Security→Domains→ Policies.

  2. In the Compartment picker (left), select the root compartment (your tenancy name, at the top of the list).

  3. Click Create policy.

  4. Name: uniskai-cur-policy

  5. Description: Grants uniskai-group cross-tenancy read access to Oracle-owned Cost & Usage Reports bucket

  6. Toggle Show manual editor and paste these two statements exactly:

    define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq 
    endorse group uniskai-group to read objects in tenancy usage-report
  7. Click Create.

Note: The define line names Oracle's reporting tenancy. The OCID shown is the fixed Oracle-owned value — do not replace it with your own tenancy OCID.

Step 6 — Create the platform policy uniskai-policy

Also created in the root compartment (the tenancy). It contains two kinds of statements:

  • Verificationinspect-only grants that let Uniskai read your IAM back and confirm the permissions were applied. These access no resources or data.

  • Access — the actual read-only permissions Uniskai uses: read the Cost & Usage Reports in your tenancy and read each managed resource family.

  1. Go to Identity & Security → Policies, with the root compartment selected (as in Step 5).

  2. Click Create policy.

  3. Name: uniskai-policy

  4. Description: Grants uniskai-group read-only access to usage reports and the managed OCI resource families, plus IAM inspect for permission verification

  5. Toggle Show manual editor and paste all of the following statements:

    Allow group uniskai-group to inspect policies in tenancy
    Allow group uniskai-group to inspect users in tenancy
    Allow group uniskai-group to inspect groups in tenancy
    Allow group uniskai-group to read usage-report in tenancy
    Allow group uniskai-group to read instance-family in tenancy
    Allow group uniskai-group to read database-family in tenancy
    Allow group uniskai-group to read autonomous-database-family in tenancy Allow group uniskai-group to read virtual-network-family in tenancy
    Allow group uniskai-group to read volume-family in tenancy
    Allow group uniskai-group to read object-family in tenancy
    Allow group uniskai-group to read file-family in tenancy
    Allow group uniskai-group to read cluster-family in tenancy
    Allow group uniskai-group to read functions-family in tenancy
    Allow group uniskai-group to read load-balancers in tenancy
    Allow group uniskai-group to read network-load-balancers in tenancy
    Allow group uniskai-group to read nosql-family in tenancy
    Allow group uniskai-group to read redis-family in tenancy
  6. Click Create.

  • Note: Grant the resource families exactly as written (e.g. instance-family), not individual resource types such as instances. Uniskai's verifier only credits family-level grants, so individual types would fail the check.

  • Note: Already onboarded with an older policy? Open the existing uniskai-policy (or uniskai-cur-policy), choose Edit policy statements, and replace the contents with the lists above so they match exactly.

Step 7 — Create the API signing key

OCI does not generate the API signing key automatically — OCI displays the generated private key only once, so you generate and download it yourself.

  1. In the Console, go to Identity & Security → Domains → Default domain → Users and open uniskai-service-user.

  2. In the left panel under Resources, click API keys (may appear under Tokens and keys).

  3. Click Add API key.

  4. Choose Generate API key pair.

  5. Click Download private key and save the .pem somewhere safe — this is the only time OCI shows it. (You may download the public key too; it is optional.)

  6. Click Add.

  7. A Configuration file preview dialog appears. It contains the user OCID, fingerprint, tenancy OCID, and region. Click Copy to copy the whole configuration file — you will provide it to Uniskai in Step 8.

Step 8 — Hand these to Uniskai

Go back to the Uniskai Oracle connection screen you opened in Step 1.
Provide the following to Uniskai:
You don't need to collect each value separately — the configuration file you copied in Step 7 already contains them. Provide to Uniskai:

  • The configuration file copied in Step 7 (it includes the user OCID, fingerprint, tenancy OCID, and region).

  • The private key (.pem) downloaded in Step 7.

Uniskai reads the values from the configuration file and runs the credentials check.

Results

After completing the steps:

  • uniskai-group, uniskai-service-user, the group membership, and the two policies (uniskai-cur-policy, uniskai-policy) exist in your tenancy.

  • Uniskai authenticates as the service user and has read-only access to the managed resource families and the cost and usage reports — it observes, but does not change, your resources.

  • Once you submit the configuration file and private key, Uniskai runs a credentials check during onboarding to confirm the grant.

Key notes / limitations

  • Both policies must live in the root compartment (the tenancy). Creating them in a sub-compartment will fail the check.

  • Grant families, not individual resource types. Uniskai's verifier only credits family-level grants (e.g. instance-family, not instances).

  • The Oracle reporting-tenancy OCID is fixed. In Step 5, do not replace it with your own tenancy OCID.

  • The private key is shown only once. Download and store it securely in Step 7.

  • Consider rewording, since this is a manual setup guide. There is no script to re-run; the recovery action is editing/updating the existing policies..

  • Read-only takes no actions. Uniskai can observe cost and inventory but cannot stop, resize, or otherwise change your resources.

Verifying it worked

Uniskai's credentials check, run during onboarding, confirms that uniskai-group grants at least read on all seven resource families and that the IAM inspect statements allow it to read your policies. If the check reports missing permissions, re-confirm that the Step 6 statements match the list above verbatim (families, not individual resource types) and that both policies live in the root compartment.

Did this answer your question?