open-vault/website/content/api-docs/auth/oci.mdx

---
layout: api
page_title: OCI - Auth Methods - HTTP API
description: This is the API documentation for the Vault OCI auth method plugin.
---

# OCI Auth Method (API)

This is the API documentation for the Vault OCI auth method plugin. To
learn more about the usage and operation, see the
[Vault OCI auth method](/docs/auth/oci).

This documentation assumes the OCI method is mounted at the
`/auth/oci` path in Vault. Since it is possible to enable auth methods at
any location, please update your API calls accordingly.

## Configure Home Tenancy Method

Configure your home tenancy in the Vault, so that only users or instances from your tenancy will be allowed to log into Vault, through the OCI Auth method.

| Method | Path               |
| :----- | :----------------- |
| `POST` | `/auth/oci/config` |

### Parameters

- `home_tenancy_id` `(string: <required>)` - The Tenancy OCID of your OCI account.

### Sample Payload

```json
{
  "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/oci/config
```

## Read Config

Returns the previously configured config.

| Method | Path               |
| :----- | :----------------- |
| `GET`  | `/auth/oci/config` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/auth/oci/config
```

### Sample Response

```json
{
  "data": {
    "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
  }
}
```

## Create Role

Create a Vault administrator role in the OCI Auth method.

| Method | Path                   |
| :----- | :--------------------- |
| `POST` | `/auth/oci/role/:name` |

### Parameters

- `name` `(string: <required>)` - Name of the role.
- `ocid_list` `(string: <required>)` - A comma separated list of Group or Dynamic Group OCIDs that can take this role.

@include 'tokenfields.mdx'

### Sample Payload

```json
{
  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea",
  "token_policies": ["dev", "prod"],
  "token_ttl": 1800
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/oci/role/devrole
```

## Read Role

Returns the previously registered role configuration.

| Method | Path                   |
| :----- | :--------------------- |
| `GET`  | `/auth/oci/role/:name` |

### Parameters

- `name` `(string: <required>)` - Name of the role.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/auth/oci/role/devrole
```

### Sample Response

```json
{
  "data": {
    "ocid_list": [
      "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq",
      "ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"
    ],
    "token_ttl": 1800,
    "token_policies": ["dev", "prod"]
  }
}
```

## List Roles

Lists all the roles that are registered with the auth method.

| Method | Path                       |
| :----- | :------------------------- |
| `LIST` | `/auth/oci/role`           |
| `GET`  | `/auth/oci/role?list=true` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/auth/oci/role
```

### Sample Response

```json
{
  "data": {
    "keys": ["devrole", "prodrole"]
  }
}
```

## Delete Role

Deletes the previously registered role.

| Method   | Path                   |
| :------- | :--------------------- |
| `DELETE` | `/auth/oci/role/:role` |

### Parameters

- `role` `(string: <required>)` - Name of the role.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/auth/oci/role/devrole
```

## Login

Fetch a token. This endpoint takes signed request headers and
a role name for some entity. It verifies the signed request headers to authenticate that
entity and then authorizes the entity for the given role.

| Method | Path                    |
| :----- | :---------------------- |
| `POST` | `/auth/oci/login/:role` |

### Parameters

- `role` `(string: <required>)` - Name of the role against which the login is being attempted.
- `request_headers` `(list: [])` - Signed request headers for authenticating. For details on signing, see [signing the request](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/signingrequests.htm)

### Sample Payload

```json
{
  "request_headers": {
    "date": ["Fri, 22 Aug 2019 21:02:19 GMT"],
    "(request-target)": ["get /v1/auth/oci/login/devrole"],
    "host": ["127.0.0.1"],
    "content-type": ["application/json"],
    "authorization": [
      "Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""
    ]
  }
}
```

### Sample Request

```shell-session
$ curl \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/oci/login/devrole
```

### Sample Response

```json
{
  "auth": {
    "token": "62b8ssf9-529c-6b26-e0b8-045fcdb4",
    "token_accessor": "afaff6d0-be3d-c8d2-b0d7-2676sss0d9b4",
    "token_policies": ["dev"],
    "token_duration": 1800
  }
}
```