Verifying Resource Principal Access to Encryption Keys

If a file system is encrypted with your own key, IAM policies are required for the file system to read the keys stored in Vault. We recommend using the resource principal in these policies.

You can use the CLI or API to verify whether a file system is using the resource principal. If the file system uses the service principal, update the IAM policies so that the resource principal has access.

  • You can't use the Console to verify which principal the file system uses to read the encryption keys stored in Vault.

  • Use the fs file-system get command with the required parameters to get details about a file system:

    oci fs file-system get --file-system-id <file_system_OCID>

    The lifecycle-details attribute includes details about the principal used by the file system to access the key stored in Vault.

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the GetFileSystem operation to get details about a file system.

    The lifecycleDetails attribute includes details about the principal used by the file system to access the key stored in Vault.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
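The following is an added example, not Oracle's own code or part of this page: it runs the same fs file-system get call described above, reads the lifecycle-details attribute (or lifecycleDetails, as returned by the GetFileSystem API) from the JSON response, and reports whether the file system reads its Vault key with the resource principal or the service principal. Two things are assumptions rather than facts from the page: that the CLI wraps the file system record in a top-level "data" object, and that lifecycle-details names the principal in plain words ("resource principal" / "service principal"); any other wording is reported as unknown so that it is looked at by hand rather than silently treated as compliant. The embedded sample response and its OCIDs are constructed placeholders.

```python
"""Check which principal an OCI File Storage file system uses to read its
Vault-managed encryption key, from the lifecycle-details attribute.

Added example (not Oracle's code). Assumptions not stated on the page:
  - the CLI's JSON output nests the record under a top-level "data" key;
  - lifecycle-details contains the phrase "resource principal" or
    "service principal"; anything else is classified as "unknown".
"""
import json
import subprocess
import sys

RESOURCE_PRINCIPAL = "resource principal"
SERVICE_PRINCIPAL = "service principal"
UNKNOWN = "unknown"

# Constructed sample of what `oci fs file-system get` might return; the
# OCIDs are placeholders and the lifecycle-details wording is assumed.
SAMPLE_CLI_OUTPUT = json.dumps({
    "data": {
        "id": "ocid1.filesystem.oc1..EXAMPLE_PLACEHOLDER",
        "lifecycle-state": "ACTIVE",
        "kms-key-id": "ocid1.key.oc1..EXAMPLE_PLACEHOLDER",
        "lifecycle-details": "Using service principal to access the key in Vault",
    }
})


def lifecycle_details(response_json: str) -> str:
    """Extract the lifecycle details string from a CLI or API response.

    The CLI emits kebab-case keys (lifecycle-details) under "data"; the
    GetFileSystem API emits camelCase (lifecycleDetails) at the top level.
    Both shapes are accepted; a missing attribute yields an empty string.
    """
    doc = json.loads(response_json)
    record = doc.get("data", doc) if isinstance(doc, dict) else {}
    details = record.get("lifecycle-details") or record.get("lifecycleDetails")
    return details or ""


def classify_principal(details: str) -> str:
    """Map the lifecycle details text to the principal it names.

    Matching is case-insensitive substring matching on the assumed phrases.
    """
    text = details.lower()
    if RESOURCE_PRINCIPAL in text:
        return RESOURCE_PRINCIPAL
    if SERVICE_PRINCIPAL in text:
        return SERVICE_PRINCIPAL
    return UNKNOWN


def uses_resource_principal(response_json: str) -> bool:
    """True only when the file system is confirmed to use the resource principal."""
    return classify_principal(lifecycle_details(response_json)) == RESOURCE_PRINCIPAL


def fetch_file_system(file_system_ocid: str) -> str:
    """Run the CLI command from the page and return its raw JSON output.

    Requires an installed and configured OCI CLI; the verifier's offline
    test exercises only the parsing functions above.
    """
    result = subprocess.run(
        ["oci", "fs", "file-system", "get", "--file-system-id", file_system_ocid],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def main(argv: list) -> int:
    # With an OCID argument the live CLI is queried; otherwise the
    # constructed sample is used so the script can be run offline.
    raw = fetch_file_system(argv[1]) if len(argv) > 1 else SAMPLE_CLI_OUTPUT
    details = lifecycle_details(raw)
    principal = classify_principal(details)
    print(f"lifecycle details : {details!r}")
    print(f"principal in use  : {principal}")
    if principal == RESOURCE_PRINCIPAL:
        print("OK: IAM policies for the resource principal apply.")
        return 0
    if principal == SERVICE_PRINCIPAL:
        print("ACTION: update the IAM policies so the resource principal can read the key.")
    else:
        print("CHECK: could not determine the principal; review the details manually.")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_fs_principal.py <file_system_OCID>` to query a real file system, or with no argument to exercise the constructed sample. A non-zero exit status for anything other than a confirmed resource principal makes the check easy to wire into a periodic compliance job.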