How to Connect OCI Vision with a Read-Only IAM User
OCI Vision scans your Oracle Cloud estate to populate a live Oracle Cloud CMDB - compute, networking, IAM, storage, databases, cost data, and more. That work only requires read access to OCI APIs. You should never connect the tenancy administrator, a member of the Administrators group, or your personal console login. Those accounts can create, modify, and delete resources. Inventory tools do not need that power, and connecting an over-privileged identity creates unnecessary risk.
This guide walks through the recommended pattern: a dedicated IAM user with an API signing key, a read-only group policy, and a quick verification scan in OCI Vision. The same approach works for a single enterprise tenancy or an MSP managing dozens of customer profiles.
Never connect OCI Vision with the root compartment admin, the Administrators group, or any account that holds manage or use privileges. OCI Vision is built for inventory and reporting - admin credentials are unnecessary and unsafe.
Why a dedicated service user matters
Reusing an engineer's daily login, a shared break-glass admin account, or the tenancy owner blurs audit trails and expands blast radius if credentials leak. A dedicated service identity - for example oci-vision-readonly - exists only for scanning. One API signing key per tenancy profile, rotated on schedule, keeps human operator accounts separate from inventory access.
This aligns with cloud governance least-privilege practice and gives OCI compliance reviewers clear evidence that inventory collection uses inspect/read policies only, not administrator access.
Create the IAM group and read-only policy
In the OCI Console, open Identity & Security and create an IAM group. A clear name like oci-vision-readers makes intent obvious in policy reviews. Next, attach a policy at tenancy level (or compartment level if you scope access more tightly - covered below).
OCI Vision needs two verbs across resource types: inspect lists resources and metadata; read retrieves full configuration details. Do not grant manage, use, or wildcard admin statements. The baseline tenancy-wide policy looks like this:
Allow group oci-vision-readers to inspect all-resources in tenancy
Allow group oci-vision-readers to read all-resources in tenancy
Attach the policy under Identity & Security → Policies at tenancy root unless you scope to a child compartment. Limit group membership to the service user only.
Provision a separate IAM user (e.g. oci-vision-readonly) used only for OCI Vision. Generate an API signing key for that user and store the credentials in your workspace. This user should have no manage, use, or admin privileges anywhere in the tenancy.
Create the IAM user and API signing key
Create a new IAM user - not an existing admin or operator account. Add the user to oci-vision-readers. Under the user's API Keys section, generate a new signing key. OCI downloads a private key PEM file and displays the fingerprint. Save both securely; you will paste them into OCI Vision. You also need the user OCID, tenancy OCID, and home region (for example uk-london-1 or eu-frankfurt-1).
Handle the private key like any secret during setup. OCI Vision encrypts credentials at rest in your organisation workspace. Use one API user per tenancy profile - MSPs should create a separate service user in each customer tenancy, not reuse admin keys across estates.
Compartment-scoped policies for MSPs
Tenancy-wide inspect/read policies are the simplest way to get a complete CMDB view - every compartment, every region. Some MSPs and security teams prefer tighter scope, especially when a customer tenancy contains unrelated workloads outside the managed estate.
Replace in tenancy with in compartment and name the target compartment explicitly. Repeat for each customer compartment if they are isolated:
Allow group oci-vision-readers to inspect all-resources in compartment CustomerA
Allow group oci-vision-readers to read all-resources in compartment CustomerA
Resources outside the named compartment will not appear in scans - often the right boundary for managed services. Update the policy when customers add compartments. OCI Vision never requires tenancy administrator access for compartment-scoped profiles.
Optional read rules when sections stay empty
The core all-resources policy covers most OCI Vision domains: compute, network, IAM, storage, databases, and standard service listings. A few sections rely on service-specific permissions. If Cost, Cloud Guard, or OS Management Hub data appears empty after a successful scan elsewhere, add targeted read statements - still read-only, never admin:
# Cost analysis (Usage API)
Allow group oci-vision-readers to read usage-report in tenancy
# Cloud Guard
Allow group oci-vision-readers to read cloud-guard-family in tenancy
# OS Management Hub
Allow group oci-vision-readers to read os-management-hub-family in tenancy
Add only the rules you need - skip services you do not use. The goal is minimum read access that fills the sections your team relies on.
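The small linter below is an added example, not part of this guide or of OCI Vision's own tooling. It checks a proposed policy text against the rules used in the baseline, compartment-scoped and optional-service sections above: every statement must grant only inspect or read to the dedicated group (assumed here to be oci-vision-readers), scoped to the tenancy or to a named compartment; anything else (manage or use verbs, another group such as Administrators, or a statement shape it does not recognise, including ones with a where clause) is reported for review. The sample policy is constructed for the example.

```python
import re

# Statement shapes this page uses: "Allow group <g> to <verb> <resource> in tenancy"
# or "... in compartment <name>". Anything else (where clauses, any-user, dynamic-group)
# is deliberately not matched so it is surfaced for manual review.
STATEMENT_RE = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)
READ_ONLY_VERBS = {"inspect", "read"}

def lint_policy(policy_text, expected_group="oci-vision-readers"):
    """Return (statement, problem) pairs for every statement that is not a plain
    inspect/read grant to the expected group. Blank lines and '#' comments are skipped."""
    findings = []
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STATEMENT_RE.match(line)
        if not m:
            findings.append((line, "unrecognised statement shape; review by hand"))
            continue
        group, verb = m["group"], m["verb"].lower()
        if group.lower() != expected_group.lower():
            findings.append((line, f"grants to '{group}', not the dedicated group"))
        if verb not in READ_ONLY_VERBS:
            findings.append((line, f"verb '{verb}' exceeds inspect/read"))
    return findings

# Constructed sample: the first four lines are acceptable, the last three are not.
SAMPLE_POLICY = """\
# baseline, optional and compartment-scoped read rules
Allow group oci-vision-readers to inspect all-resources in tenancy
Allow group oci-vision-readers to read all-resources in tenancy
Allow group oci-vision-readers to read usage-report in tenancy
Allow group oci-vision-readers to read cloud-guard-family in compartment CustomerA
Allow group oci-vision-readers to manage all-resources in tenancy
Allow group Administrators to read all-resources in tenancy
Allow group oci-vision-readers to use virtual-network-family in compartment CustomerA
"""

if __name__ == "__main__":
    for statement, problem in lint_policy(SAMPLE_POLICY):
        print(f"{problem}: {statement}")
```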
Add the tenancy in OCI Vision
Register for a workspace if you have not already, then open Organization & Tenancies in the OCI Vision portal. Add a new OCI profile with:
- Profile name - a label your team recognises (e.g. PRODUCTION or CUSTOMER-A)
- Region - the home region for API calls
- Tenancy OCID and User OCID - from the IAM user you created
- API key fingerprint - shown when you generated the signing key
- Private key PEM - the full contents of the downloaded key file
Confirm that the profile uses a dedicated read-only user before saving. Credentials are stored encrypted in your organisation workspace and used server-side for scan jobs - OCI Vision does not need your console password or SSO session.
Test the connection with Refresh
Navigate to Overview and click Refresh to run an on-demand scan. A successful connection populates resource counts and builds your searchable CI catalog. If one section stays empty while others fill in, add the optional read rule for that service - not admin credentials.
Common mistakes: wrong user OCID, mismatched fingerprint, or a region that does not match the tenancy home region. Fix the profile and refresh again. Schedule regular refreshes as part of your governance cadence and rotate API keys on your organisation's schedule.
Summary
Connecting OCI Vision correctly takes minutes and pays off every time you scan. Create group oci-vision-readers, attach inspect/read policies, provision user oci-vision-readonly with an API key, add the profile under Organization & Tenancies, and confirm with Refresh on Overview. Never use tenancy admin or personal logins. Scope to compartments when MSP boundaries require it, and add optional Cost or Cloud Guard read rules only when needed.
