OCI Introduces Identity Support in Database Tools – Secure, Credential-Free Access to OCI Services
Oracle Cloud Infrastructure (OCI) has announced an important enhancement to its Database Tools service: Identity is now natively supported. This capability enables seamless, secure access to OCI resources directly from Oracle Database Cloud Services, using a resource principal rather than traditional user credentials.
This release significantly strengthens security, simplifies credential management, and streamlines operations for workloads that interact with OCI services such as Object Storage, APEX prebuilt functions, and more.
What’s New? – Identity in OCI Database Tools
With this new release, Database Tools can now create and manage an OCI Resource Principal identity at the database schema level. This allows applications running inside:
- Oracle Base Database Service
- Oracle Autonomous Database (ADB)
to access OCI services without storing or exposing passwords or keys.
Key Benefits
- No credential management – eliminates manual handling of usernames/passwords.
- Least privilege security – each schema can have its own OCI resource principal.
- Tighter IAM integration – policies and dynamic groups control resource access.
- Improved automation – secure scheduler jobs, PL/SQL packages, and APEX integrations.
Example Use Case
Rao wants to run a daily Oracle Scheduler job that reads files from Object Storage using DBMS_CLOUD.LIST_OBJECTS. To authenticate, she uses Database Tools Identity instead of manually managing cloud credentials.
This workflow eliminates sensitive credentials entirely and automates OCI authentication securely.
Workflow: How to Use Database Tools Identity
Below are the steps to configure and use this new capability.
Step 1: Create a Database Tools Connection Using Resource Principal
Create a connection in OCI Database Tools and set the Runtime Identity = Resource Principal.
This is mandatory for identity creation.
You can choose:
- Autonomous Database
- Oracle Base DB Service (Bare Metal, VM, Exadata)
- MySQL Database
- Exadata Cloud at Customer
Step 2: Validate the Connection
From the connection page, click Validate to ensure connectivity and configuration are correct.
Step 3: Create a Database Tools Identity
The identity creates a secure credential inside the target database.
You must provide:
- Identity Name
- Credential Key (becomes the credential name in the database)
- Compartment
The Database Tools service automatically creates the credential in the associated database schema.
Step 4: Validate the Identity
Identity validation checks:
- Network routes
- DBMS_CLOUD installation
- Wallet and certificates
- Credential correctness
This confirms that the DB can call OCI using the new identity.
Step 5: Create a Dynamic Group
Use a matching rule such as:
This tells OCI IAM to treat all identities in that compartment as a principal.
Step 6: Create IAM Policies
Grant the dynamic group the required access.
Example: Allow read access to Object Storage
You may also define resource-level policies when needed.
Step 7: Refresh the Identity
After IAM policy changes, refresh the identity to apply updated permissions.
Identity refresh updates underlying credential metadata.
Sample PL/SQL Code
Once the identity is active and policies are in place, you can directly invoke OCI services:
The <CREDENTIAL_NAME> is the credential created during the identity setup.
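As an added illustration of Rao's use case above (this is example code, not the sample from the original post), here is what the daily scheduler job could look like in PL/SQL. The credential name, the bucket URI, the procedure name and the job name are placeholders to be replaced with your own values; the only thing the code references is the credential name that Database Tools Identity created in the schema.

```sql
-- Added example: a daily Oracle Scheduler job that lists the objects in a
-- bucket through the credential created by Database Tools Identity.
-- <CREDENTIAL_NAME>, <region>, <namespace>, <bucket>, the procedure name and
-- the job name are placeholders.

-- 1. Ad-hoc check that the credential works. No password or API key appears
--    anywhere in the statement, only the credential name.
SELECT object_name, bytes, last_modified
  FROM DBMS_CLOUD.LIST_OBJECTS(
         credential_name => '<CREDENTIAL_NAME>',
         location_uri    => 'https://objectstorage.<region>.oraclecloud.com/n/<namespace>/b/<bucket>/o/');

-- 2. A procedure that performs the listing. Replace DBMS_OUTPUT with an
--    insert into your own audit/log table in a real deployment.
CREATE OR REPLACE PROCEDURE list_daily_objects AS
BEGIN
  FOR rec IN (
    SELECT object_name, bytes
      FROM DBMS_CLOUD.LIST_OBJECTS(
             credential_name => '<CREDENTIAL_NAME>',
             location_uri    => 'https://objectstorage.<region>.oraclecloud.com/n/<namespace>/b/<bucket>/o/')
  ) LOOP
    DBMS_OUTPUT.PUT_LINE(rec.object_name || ' (' || rec.bytes || ' bytes)');
  END LOOP;
END;
/

-- 3. Schedule it daily. The job runs as the owning schema, so that schema's
--    resource principal and the IAM policy granted to its dynamic group decide
--    exactly which buckets the job can read; nothing is hard-coded here.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'LIST_OBJECTS_DAILY',
    job_type        => 'STORED_PROCEDURE',
    job_action      => 'LIST_DAILY_OBJECTS',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=DAILY; BYHOUR=2; BYMINUTE=0',
    enabled         => TRUE,
    comments        => 'Lists bucket contents via the Database Tools Identity credential');
END;
/
```

If the job starts failing after an IAM policy change, refresh the identity (Step 7) before looking elsewhere, since the credential metadata is only updated on refresh.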
Additional Notes for Oracle Base DB System Users
Before using Identity, ensure:
- DBMS_CLOUD package is installed
- Networking is configured for HTTPS access to OCI
- Certificates and wallet are installed
(Autonomous Database already includes these.)
Why This Release Matters
This enhancement marks a major step forward in enabling secure, automated, cloud-native integrations for Oracle databases. By leveraging resource principals, organizations can confidently integrate their database workloads with OCI services without worrying about password rotation, credential theft, or operational overhead.
OCI continues to strengthen its developer and database service ecosystem with features that simplify cloud interactions and enforce security best practices.