Thursday, September 28, 2023

Back to the basics: How to find users who didn't activate MFA on OCI

Today this came up, I needed to find all the users in a certain Group in my identity domain. Of course console provides this information, if I look at details of all users one by one! But I don't want to do this, it is time consuming, error prone and doesn't scale. Imagine having hundred users!

1 OCI CLI should also provide this information. But not probably with one API call, so let's look at the following script:

First I am trying to queryonly the OCID of the Group with name"Administrators"

oci iam group list --compartment-id $TENANCY_OCID --name Administrators \
 --query 'data[*]."id"' --raw-output

Then after couple of string operations to eliminate paranthesis and double quotes. I am passing the output of the first command which is the OCID of Administrators Group to a second command. This time to find the users with a specific group assignment, and only interested in id and name columns. And a table like output would be better compared to default JSON.

oci iam group list-users --compartment-id $TENANCY_OCID --group-id $GROUP_OCID \
 --query 'data[*].{OCID:id,Name:name}' --output table

As you can see, it is quite handy and reliable. You can check Christian Gohmann's post for neat and tidy samples, link in the references.

2 CLI is good yet not the easiest way though. Especially when combining multiple commands, it requires a certain level of expertise on scripting. So is there an easier solution? Sure there is: Steampipe Since my colleague Jean-Pierre showed this, I am loving it. It has an OCI Plugin , and here is the GitHub Page of the plugin code. Once you install and run it, you will see it makes your day easy as joining couple of tables with an SQL is.

It supports PostgreSQL syntax, and using plugins you can use it for AWS, Azure or OCI. Or you can write your own. Here is another query that I needed. List of users who didn't activated MFA with last login time:

Steampipe Plugin documentation has hundreds of queries provided for different use cases.

Note: From this point on I am sharing my notes on how to do things

Install OCI CLI: On my WSL2 Ubuntu system, I needed to re-install cli. Quickstart is quite handy, script is doing everything for you. Once you install it, you need to configure it by following the prompts:

oci setup config

Extending Steampipe OCI Plugin: I realized the Last Login Date data was not available on plugin table but available on oci cli. So I decided to extend the plugin code. For this purpose:

1.I cloned the git repository as described in GitHub Page .

git clone
cd steampipe-plugin-oci
2. I added last_successful_login_time into table definition file table_oci_identity_user.go
3. Installed Go on my Ubuntu host, and added to my path
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.21.1.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
4. Then build the plugin from source and configure it as described on plugin GitHub page
cp config/* ~/.steampipe/config
vi ~/.steampipe/config/oci.spc

1. OCI CLI Search and Filtering:
2. Steampipe:
3. Steampipe OCI Plugin:
4. OCI CLI Installation:
5. Install Go:
6. Steampipe OCI Plugin Sample Queries:

Friday, September 22, 2023

Run Autonomous Database, ORDS and APEX on your laptop with single command!

Last week was full of excitement, you know it is that time of the year: Cloud World You can watch the recaps! Lots of announcements, new partnerships, product launches, demos, tons of interesting sessions and chance to connect with gurus, product managers and community! I didn't have the chance to be there yet, maybe next year...

One of the announcements was a container image for Autonomous database made available! It has built-in tools like Database Actions (SQL Developer Web, Performance Hub, etc.), ORDS and APEX, and Mongo API is enabled. Just the right things for developing locally without loosing anytime. Here is the offical documentation and the GitHub Page where you can find all the details.

So here is what I did to have my container running on my Windows laptop within WSL2 Ubuntu.

1We start with podman installation (you can also use docker)

2When the container runs the following ports will be exposed:

Port Description
1521 TLS
1522 mTLS
8443 HTTPS port for ORDS / APEX and Database Actions
27017 Mongo API ( MY_ATP )
I recommend pulling the image first. Size is around 10GB and it can take a while. You can run the container with the following command.

3 Now we need to change ADMIN user password. There is a script provided for this purpose and we need to execute it by connecting to container.

4 We are ready to explore the tools already provided. Point your browser to https://localhost:8443/ords/my_atp/ and a landing page will welcome us.

5 APEX and Database Actions are also made available, no installation, no configuration, start building immediately.

6 How about connecting to database? Easy, for mTLS it requires a wallet. You can copy the wallet to any location on your local filesystem, export TNS_ADMIN then connect.

Note: You can safely skip this first part, unless you want to update your WSL2 Ubuntu. I was using a manual built experimental kernel because of a really weird debugging requirement I had in the past and I didn't need it anymore. So I needed to replace it but never had the chance or motivation, but this time it was inevitable. So writing this section as a reference for my future self.

1. ADB Free GitHub Page:
2. Podman Documentation:
3. Instal Docker on WSL2:
4. Autostart Docker Daemon:
5. Upgrade Ubuntu:
6. Reboot Ubuntu:

Tuesday, September 5, 2023

How to discover tenancy details and self OCID with Autonomous database

Know thyself inscribed on Temple of Apollo, it is the door to true wisdom. While scripting or coding for automating a process, I often need the database to be self aware and discover information like tenancy, OCID and region etc. So here is how you can obtain details on Autonomous database

cloud_identity column contains a json formatted text containing OCIDs for tenancy, autonomous database, compartment etc. And if you are scripting/coding you will need to extract those json attributes, you can use JSON_TABLE function. This will give you nice and clean values that you can directly use.


Putting it altogether: How to deploy scalable and secure APEX on OCI

Oracle APEX is very popular, and it is one of the most common usecases that I see with my customers. Oracle Architecture Center offers a re...