DEV Community: Bonthu Durga Prasad

OCI CLI Configuration and Advanced Usage: Automating Tenancy Insights from Command Line

Bonthu Durga Prasad — Fri, 03 Apr 2026 10:04:54 +0000

Introduction

In cloud environments, automation and scripting are essential for efficient resource management. While the OCI Console provides a graphical interface, the OCI CLI enables engineers to interact with resources programmatically.

This guide demonstrates how to configure OCI CLI and extract tenancy-level data using real commands

Why OCI CLI

✔ Automation (scripts, pipelines)
✔ Bulk operations
✔ Faster troubleshooting
✔ Integration with DevOps workflows

Architecture

Local Machine
│
▼
OCI CLI
│
▼
API Request (Signed with Key)
│
▼
OCI Services (IAM, Compute, etc.)

Step 1: Install OCI CLI

bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"

oci --version

Step 2: Generate API Keys

-> Create a directory .oci

mkidr .oci

-> Create a configuration file for the oci cli

mkdir config

-> Add the config details like below

[DEFAULT]
user=ocid1.user.oc1..aaaaaaaapjmafzjfgvdf7rohfvuwlwj6otxwxfqtazd6vvcwe24pfailx4cq
fingerprint=5e:b0:45:e2:07:3f:b8:fa:51:25:ee:4b:7b:d5:d6:e9
tenancy=ocid1.tenancy.oc1..aaaaaaaaf2yv5cljkqlepfllkxolhgvmq5tq7vgfu6tns3ajhnuqn4eikmja
region=ap-mumbai-1
key_file= # TODO

-> Create one file and add your private key details and change the permissions to read and write only.

chmod 600 ~/.oci/oci_api_key.pem

-> Now check with below command for the configuration setup

oci os ns get

Validate Configuration

oci iam region list

oci iam compartment list --compartment-id

You will get the list of compartments over the entire tenancy level

Get Instances

oci compute instance list --compartment-id

Real Use Case

oci iam user list --compartment-id \
--query "data[].{Name:name,ID:id}" --output table

You will get the user details in a table format

Best Practices

✔ Secure private keys

✔ Use profiles

✔ Avoid hardcoding OCIDs

✔ Use scripts for automation

✔ Rotate keys regularly

Conclusion

OCI CLI enables engineers to automate cloud operations and retrieve critical data efficiently. By combining CLI commands with scripting, organizations can improve operational efficiency and reduce manual effort.

OCI Bastion Service: Complete End-to-End Guide for Secure Access to Private Instances

Bonthu Durga Prasad — Fri, 27 Mar 2026 08:50:05 +0000

Introduction

Accessing private compute instances securely is a common challenge in cloud environments. Exposing SSH ports publicly increases the attack surface and violates security best practices.

In Oracle Cloud Infrastructure, Bastion Service provides a secure way to connect to private instances without assigning public IP addresses.

This guide provides a complete end-to-end implementation of OCI Bastion Service.

Architecture Overview

Your Laptop
│
▼
OCI Bastion Service
│
▼
Private Subnet
│
▼
Compute Instance (No Public IP)

Prerequisites

OCI account
VCN with:
- Public subnet
- Private subnet
Compute instance in private subnet
SSH key pair

Step 1: Create VCN (Quick Setup)

Go to Networking → VCN
Create VCN with:
CIDR: 10.0.0.0/16
Public subnet : 10.0.64.0/24
Private subnet : 10.0.128.0/17

Step 2: Create Private Compute Instance

Go to Compute → Instances
Launch instance
Instance_Name : Demo_Bastion_service
Private subnet
No public IP

You can get an instance with private IP

Step 3: Create Bastion

Navigate → Identity & Security → Bastion
Click Create Bastion

Configuration

Name: my-bastion
VCN: Demo_VCN
Subnet: public subnet
CIDR: 0.0.0.0/0 (for testing)

Step 4: Create Bastion Session

Click Bastion → Create Session

Select:
Session type: SSH_Port_Forwarding
Target instance: your private instance
Upload public key

Step 5: Connect to Instance

OCI gives command like: Copy the SSH command

ssh -i -N -L :10.0.171.0:22 -p 22 ocid1.bastionsession.oc1.ap-mumbai-1.amaaaaaa7gqo7aaalvsyyzpplvcrg5ixiyevbeuwfl2xycuchc3j5k6ughga@host.bastion.ap-mumbai-1.oci.oraclecloud.com

Change the permission of the .pem file in your computer location specific user who want to access.

-> Go to the file properties and go to the security and change the permissions over there.

Add your file location over there and local port change it to 22.

FYR

ssh -i C:\Test.key -N -L 22:10.0.171.0:22 -p 22 ocid1.bastionsession.oc1.ap-mumbai-1.amaaaaaa7gqo7aaalvsyyzpplvcrg5ixiyevbeuwfl2xycuchc3j5k6ughga@host.bastion.ap-mumbai-1.oci.oraclecloud.com

Tunneling will be established between your computer and the private server.

Open putty Go to auth and Go for tunneling and add the details as below.

-> Now the tunneling will be created between your system and the private server.

-> You can able to connect the private server without public IP with the bastion service.

Verify Connection

-> You can verify the connection by using below command.

whoami
hostname -i

Security Best Practices

Do NOT allow 0.0.0.0/0 in production
Use restricted CIDR
Use short session duration
Use IAM policies

Conclusion

OCI Bastion Service enables secure and controlled access to private instances without exposing them to the internet. By using Bastion, organizations can implement a secure access architecture aligned with best practices.

Infrastructure as Code in OCI using Resource Manager (Terraform)

Bonthu Durga Prasad — Mon, 23 Mar 2026 09:23:46 +0000

Introduction

Infrastructure management in cloud environments has evolved significantly with the adoption of automation and DevOps practices. Manual provisioning is error-prone and difficult to scale.

In Oracle Cloud Infrastructure, Infrastructure as Code (IaC) is implemented using OCI Resource Manager, a managed Terraform-based service that enables automated, consistent, and repeatable deployments.

This article provides a deep dive into OCI Resource Manager, including architecture, execution flow, state management, drift detection, hands-on examples, and real-world DevOps practices.

What is Infrastructure as Code (IaC)

Infrastructure as Code (IaC) is the practice of defining and managing infrastructure using code.

Benefits

Automation
Consistency
Version control
Faster deployments

What is OCI Resource Manager

OCI Resource Manager is a managed service that uses Terraform to provision and manage cloud resources.

Key Features

Managed Terraform execution
No need for local setup
Secure state management
Easy rollback and updates

Architecture Overview

Developer
│
▼
Terraform Code (HCL)
│
▼
OCI Resource Manager
│
▼
OCI APIs
│
▼
Cloud Resources (VCN, Compute, Storage)

How Resource Manager Executes Terraform

Execution Flow

User submits job
│
▼
Configuration validated
│
▼
Terraform plan generated
│
▼
Terraform apply executed
│
▼
State file updated

Explanation

OCI Resource Manager internally performs Terraform operations such as plan and apply. It manages execution lifecycle and state securely without requiring local tools.

Key Components

Stack

A stack is a collection of Terraform configurations.

Job

Jobs execute operations such as:

Plan
Apply
Destroy

State

Tracks current infrastructure and dependencies.

Hands-on Example

Step 1: Terraform Configuration

resource "oci_core_vcn" "my_vcn" {
cidr_block = "10.0.0.0/16"
display_name = "my-vcn"
}

Step 2: Create Stack

Go to Resource Manager

Upload configuration
Create stack

Step 3: Run Apply Job

Click Apply
OCI provisions resources

CLI Commands

oci resource-manager stack list
oci resource-manager job list
oci resource-manager job get --job-id

Authentication and IAM Integration

OCI Resource Manager integrates with IAM for secure access.

Authentication is handled using IAM policies and instance principals.

ex : Allow group DevOps to manage all-resources in compartment Dev

Terraform State Management

Terraform state is automatically managed by OCI Resource Manager.

State includes:

Resource mappings
Infrastructure state
Dependency tracking

Why important:

Ensures Terraform knows existing resources and prevents duplication.

Drift Detection

Drift occurs when infrastructure is modified outside Terraform.

Ex : Manual change → Drift detected → Terraform shows mismatch

Resource Manager detects drift by comparing:

Current infrastructure
Stored state

Plan vs Apply

Plan → Shows changes

Apply → Executes changes

Example :

Plan: Create VCN
Apply: Resource created

Best Practices

Use version control (Git)
Separate dev and prod environments
Use variables instead of hardcoding
Always review Terraform plan
Store sensitive data securely

Conclusion

OCI Resource Manager simplifies infrastructure provisioning by enabling Infrastructure as Code using Terraform. It ensures consistency, scalability, and automation in cloud deployments.

Understanding execution flow, state management, and drift detection is essential for building reliable and production-ready cloud environments.

OCI Block Volume Deep Dive

Bonthu Durga Prasad — Thu, 19 Mar 2026 11:09:38 +0000

In modern cloud environments, storage plays a critical role in application performance and reliability. In Oracle Cloud Infrastructure (OCI), Block Volume provides scalable, high-performance storage that can be attached to compute instances.

This article provides a deep dive into OCI Block Volume, covering architecture, performance concepts such as VPUs and autotuning, attachment methods including iSCSI and paravirtualized, hands-on commands, monitoring, and real-world troubleshooting scenarios.

What is OCI Block Volume

OCI Block Volume is a network-based storage service that provides persistent storage for compute instances.

It is commonly used for:

Databases
Application storage
Boot volumes
High-performance workloads

Architecture Overview

Architecture Diagram

Compute Instance
│
▼
Attachment Layer (iSCSI / Paravirtualized)
│
▼
OCI Block Volume Service
│
▼
Distributed Storage Backend

OCI Block Volume is decoupled from compute, meaning storage persists even if the instance is terminated. Data is replicated across multiple storage servers to ensure high availability and durability.

Types of Volumes

OCI provides different types of volumes:

Boot Volume → Used for operating system
Block Volume → Used for application data
Volume Backups → Used for snapshots and recovery

Performance

Performance in OCI Block Volume is defined using VPUs (Volume Performance Units per GB).

Higher VPUs provide higher IOPS and throughput.

10 VPUs → Low cost workloads

20 VPUs → Balanced workloads

30+ VPUs → High-performance workloads

Autotuning (Dynamic Scaling)

Autotuning allows OCI to automatically adjust volume performance based on workload demand.

Workload increase → Performance increases

Workload decrease → Cost optimized

Attachment Types

iSCSI Attachment
Uses TCP/IP-based storage communication and requires manual setup.
Paravirtualized Attachment

Uses OCI optimized drivers and provides better performance with simpler setup.

When to Use What

Use Paravirtualized when:

Simplicity is required
Standard workloads

Use iSCSI when:

Maximum performance is required
Fine-grained control is needed

Best Practices

Use paravirtualized attachments when possible
Enable autotuning
Separate volumes for OS, logs, and database
Monitor performance regularly
Choose correct VPU levels

Conclusion

OCI Block Volume provides flexible and scalable storage for cloud workloads. By understanding architecture, performance tuning, and attachment methods, engineers can design efficient and reliable storage systems in OCI.

Proper monitoring and tuning help avoid performance bottlenecks and ensure optimal system behavior.

High Performance Computing Storage in OCI using Lustre File System

Bonthu Durga Prasad — Wed, 18 Mar 2026 10:22:34 +0000

High Performance Computing Storage in OCI using Lustre File System

As cloud workloads evolve, especially in areas like high-performance computing (HPC), machine learning, and big data analytics, traditional storage systems often become a bottleneck. These workloads require high throughput, low latency, and parallel file access.

In Oracle Cloud Infrastructure, high-performance storage requirements can be addressed using the Lustre File System, a distributed file system designed for large-scale workloads.

This article explores how Lustre works and how it can be used in OCI environments.

What is Lustre File System?

Lustre is a parallel distributed file system designed for environments that require high-speed access to large datasets.

It is commonly used in:

High Performance Computing (HPC)
Artificial Intelligence and Machine Learning
Scientific simulations
Big data processing

Unlike traditional file systems, Lustre distributes data across multiple storage nodes to achieve high performance.

Why Use Lustre in OCI?

Cloud-based HPC workloads demand:

High throughput
Scalable storage
Parallel access from multiple compute nodes

Lustre provides:

Parallel read/write operations
Horizontal scalability
High bandwidth performance

This makes it ideal for workloads where multiple compute instances process large datasets simultaneously.

Lustre Architecture Overview

Lustre is built using multiple components working together.

Key Components

Metadata Server (MDS) → Stores file metadata
Object Storage Servers (OSS) → Store actual data
Clients → Compute instances accessing the file system

Architecture Flow

Compute Nodes (Clients)
│
▼
Metadata Server (MDS)
│
▼
Object Storage Servers (OSS)
│
▼
Distributed Storage

In this architecture:

Clients request metadata from MDS
Data is read/written from OSS nodes
Operations happen in parallel for high performance

How Lustre Works

When a client accesses a file:

Metadata request is sent to MDS
MDS provides file location information
Client directly accesses data from OSS nodes
Data transfer happens in parallel

This parallel architecture significantly improves performance.

Real-World Use Cases

Lustre is widely used in scenarios such as:

Machine Learning Training

Training large models requires fast access to massive datasets.

2.Scientific Research

Simulations generate huge amounts of data that must be processed quickly.

3.Media Rendering

Video processing and rendering workflows benefit from high throughput.

Benefits of Lustre in OCI

High throughput storage
Scalable architecture
Parallel data access
Optimized for HPC workloads

Best Practices

When using Lustre in OCI:

Use multiple compute nodes for parallel processing
Design workloads for distributed execution
Monitor performance and I/O usage
Use high-performance networking for better throughput

Lustre File System Limits

Lustre limits are per availability domain:
Resource Limit
Max file systems 8 per tenant per availability domain
Max capacity per FS 200 TB
Aggregate throughput 200 Gbps per tenancy per availability domain

The Lustre client is mandatory for any VM or compute instance that wants to access a Lustre file system.
Lustre client works only with Red Hat Compatible Kernel (RHCK) on Oracle Linu

Syncing Lustre with Object Storage

OCI Lustre can sync data with Object Storage for cost-effective long-term storage:

Import
• Pull objects from Object Storage → Lustre
• Use case: AI training, data processing
- Export • Push files from Lustre → Object Storage Use case: Save processed results

OCI Lustre file systems require a Lustre client kernel module.
However:

Oracle Linux normally uses UEK kernel, not compatible with Lustre
So you must switch to RHCK kernel (Red Hat Compatible Kernel)
Then you must build the Lustre client from source code unless a prebuilt package exists

Understanding Identity and Access Management (IAM) Architecture in Oracle Cloud Infrastructure

Bonthu Durga Prasad — Sat, 14 Mar 2026 12:17:12 +0000

Understanding Identity and Access Management (IAM) Architecture in Oracle Cloud Infrastructure

Security is one of the most critical aspects when designing cloud infrastructure. In Oracle Cloud Infrastructure, Identity and Access Management (IAM) provides a centralized framework to control access to resources and services.

IAM allows administrators to define who can access cloud resources and what actions they are allowed to perform, ensuring a secure and well-managed cloud environment.

In this article, we will explore the core IAM architecture and understand how its components work together.

Why IAM is Important

In a cloud environment, multiple users, applications, and services interact with infrastructure resources. Without proper access control, organizations risk exposing sensitive data or critical infrastructure.

OCI IAM helps organizations:

Implement secure access control
Enforce the principle of least privilege
Organize resources effectively
Manage identities and permissions centrally

Core Components of OCI IAM

OCI IAM is built using several key components.

Compartments

Compartments are logical containers used to organize and isolate OCI resources.

They allow administrators to structure cloud environments and apply access control boundaries.

Example compartment hierarchy:

Root Tenancy
│
├── Development
│ ├── Compute
│ └── Storage
│
└── Production
├── Application Servers
└── Databases

This structure helps maintain clear separation between environments.

Users and Groups

Users represent identities that can access the OCI Console or APIs.

Groups are collections of users with similar responsibilities.

Instead of assigning permissions to individual users, administrators assign policies to groups.

Example:
Group: DevOps
Users:

Alice
Bob

This simplifies permission management across teams.

IAM Policies

Policies define what actions users or groups are allowed to perform on OCI resources.

Example policy:

Allow group DevOps to manage instance-family in compartment Production

Policies usually define:

Subject (group or dynamic group)
Action (inspect, read, use, manage)
Resource type
Compartment scope

Policies form the core of OCI authorization.

Dynamic Groups and Instance Principals

Modern cloud applications often run on compute instances and need access to OCI services.

Instead of storing API credentials on servers, OCI provides Instance Principals.

Instance principals allow compute instances to authenticate with OCI services using instance identity.

Example access flow:

Compute Instance
│
▼
Instance Principal
│
▼
Dynamic Group
│
▼
IAM Policy
│
▼
OCI Service Access

Dynamic groups automatically include instances based on matching rules.

Example dynamic group rule:

ALL {instance.compartment.id = ''}

Example policy:

Allow dynamic-group app-instances to read buckets in compartment Storage

This architecture eliminates the need to store credentials on servers.

*Real-World Example
*
Imagine an application running on an OCI compute instance that needs to upload files to Object Storage.

Instead of storing API keys on the instance:
The instance is added to a dynamic group
A policy grants access to Object Storage
The application authenticates using instance principals

This enables secure and automated access to OCI services.

Best Practices for OCI IAM

When designing IAM architecture in OCI, follow these best practices:

Use groups for permission management
Follow the principle of least privilege
Organize resources using compartments
Avoid storing API keys on compute instances
Use instance principals whenever possible

*Conclusion
*
Identity and Access Management is a foundational security service in Oracle Cloud Infrastructure. By combining compartments, users, groups, policies, and dynamic groups, organizations can build a secure access control framework for their cloud environments.

Understanding IAM architecture is essential for designing secure and scalable OCI workloads.

GitHub Repository

You can explore the complete IAM implementation and architecture documentation here:

Durgaprasad9346 / oci-iam-access-control-guide

OCI IAM deep dive covering users, groups, policies, dynamic groups, instance principals and advanced access patterns in Oracle Cloud Infrastructure.

oci-iam-access-control-guide

OCI IAM deep dive covering users, groups, policies, dynamic groups, instance principals and advanced access patterns in Oracle Cloud Infrastructure.

Overview

Identity and Access Management (IAM) is the security foundation of Oracle Cloud Infrastructure (OCI). It controls authentication and authorization for users, services, and applications interacting with cloud resources.

OCI IAM allows administrators to define who can access resources and what actions they can perform through policies, groups, and dynamic access mechanisms.

This repository provides an in-depth explanation of OCI IAM components and advanced access patterns used in enterprise cloud environments.

Core IAM Components

OCI IAM consists of several key components:

Compartments
Users
Groups
Policies
Dynamic Groups
Instance Principals
Resource Principals

These components work together to implement secure access control across OCI services.

IAM Access Flow

Typical access flow:

User │ ▼ OCI IAM │ ▼ Group Membership │ ▼ Policy Evaluation │ ▼ Access to OCI Resource

Repository

…

View on GitHub