
OCI-Tenant admin locked, how to reset your own password
There are days when you rely a little too heavily on your password tools. Yes, you should always use different, strong passwords, and I won't preach about that, but because of it I locked myself out of my tenant admin user in Oracle Cloud Infrastructure (OCI).
Those who have seen my OCI talk already know I'm a big fan of the OCI command-line utility. A comprehensive list of what you can do with it can be found in the Oracle documentation.
One thing you should really remember: your root compartment is a compartment just like any other, except that its tenant admin controls your whole environment. So when you are a bit confused, this can happen:
If you can still reach your oci cli, no harm is done. If you don't have it set up, or can't reach it, you're stuck and will need to open an SR (service request) to have the password reset. This isn't the case for normal users; this post shows how to recover console (GUI) access to your tenant admin.
So... I'm locked out; how do I get access again? Go to the host you use to run the cli against your environment.
The oci cli has a subcommand, iam, for identity and access management, and that is what we're going to use. Its help output is very descriptive:
```
mbp-vanpupi:~ pieter$ oci iam user
Usage: oci iam user [OPTIONS] COMMAND [ARGS]...

  An individual employee or system that needs to manage or use your company's
  Oracle Cloud Infrastructure resources. Users might need to launch instances,
  manage remote disks, work with your cloud network, etc. Users have one or
  more IAM Service credentials ([ApiKey], [UIPassword], and [SwiftPassword]).
  For more information, see [User Credentials]). End users of your application
  are not typically IAM Service users. For conceptual information about users
  and other IAM Service components, see [Overview of the IAM Service].

  These users are created directly within the Oracle Cloud Infrastructure
  system, via the IAM service. They are different from *federated users*, who
  authenticate themselves to the Oracle Cloud Infrastructure Console via an
  identity provider. For more information, see [Identity Providers and
  Federation].

  To use any of the API operations, you must be authorized in an IAM policy.
  If you're not authorized, talk to an administrator. If you're an
  administrator who needs to write policies to give users access, see
  [Getting Started with Policies].

Options:
  -?, -h, --help  Show this message and exit.

Commands:
  api-key            A PEM-format RSA credential for securing...
  create             Creates a new user in your tenancy.
  delete             Deletes the specified user.
  get                Gets the specified user's information.
  list               Lists the users in your tenancy.
  list-groups        Lists the groups for which the specified user...
  swift-password     Swift is the OpenStack object storage...
  ui-password        A text password that enables a user to sign...
  update             Updates the description of the specified...
  update-user-state  Updates the state of the specified user.
mbp-vanpupi:~ pieter$
```
You can see where this is going.
As we are currently locked out and the account is blocked, we need to:
- get the userid
- unblock the account
- reset the password
To get your user id you use the oci iam user list command. It needs the compartment-id, which for IAM users is the tenancy OCID (the root compartment). It is easily retrievable, but how is out of scope for this blog post; I usually store it temporarily in an environment variable (here ${CONFIG} holds the path to your oci config file):
```
mbp-vanpupi:~ pieter$ export TENANT=$(grep tenancy ${CONFIG}| cut -f2 -d'=')
mbp-vanpupi:~ pieter$
```
I anonymised the output a bit here:
```
mbp-vanpupi:~ pieter$ oci iam user list --compartment-id ${TENANT}
{
  "data": [
    {
      ...
      <<< snipped the users >>>
      ...
    },
    {
      "compartment-id": "ocid1.tenancy.oc1..aaaaa*****************7a",
      "description": "PieterVanPuymbroeck",
      "id": "ocid1.user.oc1..aaaaa*****************q",
      "inactive-status": 4,
      "lifecycle-state": "INACTIVE",
      "name": "Pieter.VanPuymbroeck@exitas.be",
      "time-created": "2017-04-06T14:29:52.250000+00:00"
    }
  ],
  "opc-next-page": "AAAAAAAAAAJle*****************wd3NMRGc="
}
mbp-vanpupi:~ pieter$
```
On line 12 of that output, the "id" field, we have the user OCID we're looking for. Save that string in a text editor, a variable, … or whatever, because you need it in the next step.
Then unblock the user:
```
mbp-vanpupi:~ pieter$ oci iam user update-user-state --user-id ocid1.user.oc1..aaaaa*****************q --blocked false
{
  "data": {
    "compartment-id": "ocid1.tenancy.oc1..aaaaa*****************7a",
    "description": "PieterVanPuymbroeck",
    "id": "ocid1.user.oc1..aaaaa*****************q",
    "inactive-status": null,
    "lifecycle-state": "ACTIVE",
    "name": "Pieter.VanPuymbroeck@exitas.be",
    "time-created": "2017-04-06T14:29:52.250000+00:00"
  },
  "etag": "926798*********************9f5"
}
mbp-vanpupi:~ pieter$
```
And finally, reset the password. This generates a one-time password that lets you log in and set a new password:
```
mbp-vanpupi:~ pieter$ oci iam user ui-password create-or-reset --user-id ocid1.user.oc1..aaaaa*****************q
{
  "data": {
    "inactive-status": null,
    "lifecycle-state": "ACTIVE",
    "password": "g1.*********3G5",
    "time-created": "2018-09-20T23:11:37.294000+00:00",
    "user-id": "ocid1.user.oc1..aaaaa*****************q"
  }
}
mbp-vanpupi:~ pieter$
```
The nice thing about doing it this way is that the temporary password is not e-mailed but simply returned to you in JSON format.
Browse back to the OCI console and log in with your username and this temporary password; you will be redirected to the page to change your password:
After that it's a piece of cake. Just follow the password rules and you're in:
As always, questions or remarks? Find me on Twitter: @vanpupi
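Putting the three steps together, here is an added example (not the post's own code) that drives the same CLI commands from Python: it reads the tenancy OCID from ~/.oci/config instead of the grep|cut above, finds the user by name across every page of `oci iam user list`, clears the lockout only when `inactive-status` carries the BLOCKED bit, and then issues the one-time console password. Assumptions not taken from the post: the `--page` flag is the CLI's standard pagination option; the meaning of `inactive-status` value 4 (BLOCKED, too many failed Console logins) comes from the IAM API's User resource documentation; and `make_fake_runner` feeds constructed JSON shaped like the anonymised output above, with placeholder names and OCIDs, so the flow can be exercised without a tenancy.

```python
"""Recover a locked OCI IAM user via the OCI CLI: find the user's OCID, clear the
Console lockout, then issue a one-time Console password. Added example, not the
post's code; assumes `oci` is installed and ~/.oci/config holds an API key for a
user authorised for IAM operations. `--page` is the CLI's pagination flag."""
import configparser
import json
import os
import subprocess
import sys
from typing import Callable, List

# inactive-status is a bitmask; bit 2 (value 4) means BLOCKED: too many failed
# Console logins. The post's locked admin showed exactly "inactive-status": 4.
BLOCKED = 4
Runner = Callable[[List[str]], str]  # takes CLI args after "oci", returns JSON text

def parse_tenancy(config_text: str, profile: str = "DEFAULT") -> str:
    """Tenancy OCID from CLI config text. IAM users live in the root compartment, so
    this is the --compartment-id for user list. Unlike the post's grep|cut it copes
    with a config holding several profiles (they inherit from [DEFAULT])."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    return cfg[profile]["tenancy"]

def run_oci(args: List[str]) -> str:
    """Invoke the real CLI and return its JSON stdout."""
    return subprocess.run(["oci", *args], check=True, capture_output=True, text=True).stdout

def list_users(tenancy: str, runner: Runner = run_oci) -> list:
    """All users in the tenancy, following opc-next-page until exhausted."""
    users, page = [], None
    while True:
        args = ["iam", "user", "list", "--compartment-id", tenancy]
        if page:
            args += ["--page", page]
        out = json.loads(runner(args))
        users.extend(out.get("data", []))
        page = out.get("opc-next-page")
        if not page:
            return users

def find_user(users: list, name: str) -> dict:
    hits = [u for u in users if u.get("name", "").lower() == name.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected one user named {name!r}, found {len(hits)}")
    return hits[0]

def is_console_blocked(user: dict) -> bool:
    return bool((user.get("inactive-status") or 0) & BLOCKED)

def recover(name: str, tenancy: str, runner: Runner = run_oci) -> dict:
    """The post's three steps; returns what was done plus the one-time password."""
    user = find_user(list_users(tenancy, runner), name)
    actions = []
    if is_console_blocked(user):
        out = json.loads(runner(["iam", "user", "update-user-state",
                                 "--user-id", user["id"], "--blocked", "false"]))
        if out["data"].get("lifecycle-state") != "ACTIVE":
            raise RuntimeError("user not ACTIVE after unblock: " + json.dumps(out["data"]))
        actions.append("unblocked")
    elif user.get("lifecycle-state") != "ACTIVE":
        # INACTIVE for another reason (e.g. disabled): --blocked false will not fix it.
        raise RuntimeError(f"inactive-status={user.get('inactive-status')} is not a Console lockout")
    out = json.loads(runner(["iam", "user", "ui-password", "create-or-reset",
                             "--user-id", user["id"]]))
    actions.append("password-reset")
    return {"user-id": user["id"], "actions": actions, "one-time-password": out["data"]["password"]}

def make_fake_runner(inactive_status=BLOCKED) -> Runner:
    """Constructed stand-in for the CLI, shaped like the post's anonymised output, so
    the flow can be exercised without a tenancy. Names and OCIDs are placeholders."""
    uid, state = "ocid1.user.oc1..EXAMPLEadmin", {"inactive": inactive_status}
    def status() -> dict:
        if state["inactive"] is None:
            return {"inactive-status": None, "lifecycle-state": "ACTIVE"}
        return {"inactive-status": state["inactive"], "lifecycle-state": "INACTIVE"}
    def run(args: List[str]) -> str:
        if args[:3] == ["iam", "user", "list"] and "--page" not in args:  # first page
            return json.dumps({"data": [{"name": "other.user@example.com", "id": "ocid1.user.oc1..EXAMPLEother",
                                         "inactive-status": None, "lifecycle-state": "ACTIVE"}],
                               "opc-next-page": "CONSTRUCTEDpagetoken"})
        if args[:3] == ["iam", "user", "list"]:  # second and last page
            return json.dumps({"data": [{"name": "tenant.admin@example.com", "id": uid, **status()}]})
        if args[:3] == ["iam", "user", "update-user-state"]:
            state["inactive"] = (state["inactive"] & ~BLOCKED) or None
            return json.dumps({"data": {"id": uid, **status()}, "etag": "CONSTRUCTEDetag"})
        if args[:4] == ["iam", "user", "ui-password", "create-or-reset"]:
            return json.dumps({"data": {**status(), "password": "g1.CONSTRUCTED3G5", "user-id": uid}})
        raise ValueError(f"unexpected CLI call: {args}")
    return run

if __name__ == "__main__":
    # Real run against your tenancy: python recover_admin.py <Console user name>
    with open(os.path.expanduser("~/.oci/config"), encoding="utf-8") as fh:
        print(recover(sys.argv[1], parse_tenancy(fh.read())))
```

`recover` refuses to run `--blocked false` when the user is INACTIVE for a reason other than the BLOCKED bit, because that flag only clears a Console lockout; anything else needs a look at why the user was deactivated. The one-time password is returned to the caller rather than e-mailed, just like the CLI output above, so it ends up in whatever terminal scrollback or log captures the script's output and should be changed at first login, as the Console forces you to do.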