AI Docs

Configuring OCI Data Sources

6 min read

This guide explains how to connect your Oracle Cloud Infrastructure (OCI) tenancy to CerteroX for cost management and resource discovery. The integration reads OCI Cost Reports (automatically generated CSV files stored in Oracle-owned Object Storage) and discovers resources across your compartments and regions.

Step 1: Find Your Tenancy OCID and Home Region

  1. Sign in to the OCI Console.

  2. Open the Profile menu (your avatar in the top-right corner) and click Tenancy: <your tenancy name>.

  3. On the Tenancy Details page:

    • Copy the OCID value (it starts with ocid1.tenancy...).

    • Note the Home Region value (e.g. us-ashburn-1, eu-frankfurt-1).

You will need both values when creating the data source in CerteroX.

Tip: Your home region is also shown in the OCI Console header — it is marked with a home icon in the region selector.

Step 2: Create an API User

Create a dedicated user for CerteroX, or use an existing user with appropriate permissions.

  1. In the OCI Console, open the navigation menu and go to Identity & Security > Domains.

  2. Select your domain (e.g. Default).

  3. Click the User management tab.

  4. Click Create.

  5. Enter a name (e.g. certerox-api-user), email address, and a description.

  6. Click Create.

  7. On the user details page, the OCID is shown on the Details tab — click Copy next to it to copy the value (it starts with ocid1.user...).

Step 3: Generate an API Signing Key

OCI uses RSA key pairs for API authentication. You need to generate a key pair and upload the public key to the API user.

Option A — Generate via the OCI Console

  1. In the OCI Console, navigate to Identity & Security > Domains and select your domain.

  2. Click the User management tab and select the user you created in Step 2.

  3. On the user details page, click the API keys tab.

  4. Click Add API Key.

  5. Select Generate API Key Pair.

  6. Click Download Private Key and save the PEM file securely.

  7. Click Add.

  8. The console displays a configuration file preview — copy the fingerprint value for use later.

Option B — Generate locally using OpenSSL

  1. Generate a 2048-bit RSA private key:

openssl genrsa -out oci_api_key.pem 2048

  1. Extract the public key:

openssl rsa -pubout -in oci_api_key.pem -out oci_api_key_public.pem

  1. In the OCI Console, navigate to Identity & Security > Domains > select your domain > User management tab and select your API user.

  2. Click the API keys tab, then click Add API Key.

  3. Select Paste Public Key and paste the contents of oci_api_key_public.pem.

  4. Click Add.

  5. Copy the fingerprint value displayed.

Important: Store the private key file securely. You will need to paste its full contents (including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines) into CerteroX.

Step 4: Configure IAM Policy for Cost Reports

OCI Cost Reports are stored in an Oracle-owned Object Storage bucket. You need an IAM policy to grant your API user access to read these reports.

First, ensure the API user is in a group:

  1. In the OCI Console, navigate to Identity & Security > Domains and select your domain.

  2. Click the User management tab and scroll down below the Users section to the Groups section.

  3. Click Create group (e.g. CerteroX-Group) and add the API user to the group.

Then create the policy:

  1. In the OCI Console, navigate to Identity & Security > Policies.

  2. Ensure you are in the root compartment (select it from the compartment picker on the left).

  3. Click Create Policy.

  4. Enter a name (e.g. CerteroX-CostReports) and a description.

  5. In the Policy Builder, switch to manual editor and add the following statements:

define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group <your_domain_name>/<your_group_name> to read objects in tenancy usage-report

Replace <your_domain_name> with your identity domain name (e.g. Default) and <your_group_name> with the group name (e.g. CerteroX-Group).

  1. Click Create.

Note: The tenancy OCID in the policy statement above is Oracle's fixed usage-report tenancy — it is the same for all OCI customers. Do not replace it with your own tenancy OCID. This value is published in the Oracle documentation on accessing cost reports.

Step 5: (Optional) Grant Resource Discovery Permissions

CerteroX can discover and inventory OCI resources (compute instances, volumes, buckets, load balancers, etc.) in addition to collecting cost data. To enable this, add a policy granting read access to resources:

  1. In the OCI Console, navigate to Identity & Security > Policies (in the root compartment).

  2. Edit the policy you created in Step 4, or create an additional policy.

  3. Add the following statement:

allow group <your_domain_name>/<your_group_name> to read all-resources in tenancy

Note: If you prefer a more restrictive policy, you can grant read access to specific resource types only (e.g. read instances, read volumes, read buckets).

Step 6: Create the OCI Data Source in CerteroX

  1. Log in to CerteroX and navigate to Settings > Data Sources.

  2. Click Actions and select Add.

  3. Select Oracle Cloud.

  4. Fill in the following fields:

Field

Required

Description

Field

Required

Description

Name

Yes

A meaningful name to identify this data source (e.g. "OCI Production").

Tenancy OCID

Yes

Your tenancy OCID from Step 1 (starts with ocid1.tenancy...).

User OCID

Yes

The API user OCID from Step 2 (starts with ocid1.user...).

Fingerprint

Yes

The API key fingerprint from Step 3.

Private Key

Yes

The full contents of the PEM private key file from Step 3, including the BEGIN/END lines.

Region

Yes

Your home region identifier from Step 1 (e.g. us-ashburn-1).

  1. Click the Connect button.

Step 7: Verify the Connection

  1. Return to Settings > Data Sources in CerteroX.

  2. Click on your OCI data source.

  3. Check the Status indicator — it should show as connected.

  4. Navigate to the Advanced tab to view detailed data ingestion information.

Note: OCI Cost Reports are generated every 6 hours and retained for 1 year. Initial cost data may take some time to appear depending on when the last report was generated. New tenancies may not have reports available immediately.

What Data is Collected

Cost Data

CerteroX reads OCI Cost Reports from Oracle-owned Object Storage. These reports contain detailed billing line items including:

  • Per-resource costs — broken down by service (Compute, Block Storage, Object Storage, Database, Networking, etc.).

  • Compartment attribution — costs attributed to OCI compartments.

  • Resource tags — freeform and defined tags applied to resources are preserved for cost allocation.

  • Usage quantities — billed quantities alongside costs.

Resource Discovery

When permissions are configured (Step 5), CerteroX also discovers resources across all regions and compartments:

  • Compute instances (running and stopped)

  • Block volumes and volume backups

  • Object Storage buckets

  • Public IP addresses

  • Load balancers

Troubleshooting

Error

Cause

Resolution

Error

Cause

Resolution

Failed to connect to OCI

Invalid credentials (tenancy OCID, user OCID, fingerprint, or private key)

Verify all credential values. Ensure the private key matches the public key uploaded to the user's API Keys.

Access denied to cost reports

Missing or incorrect IAM policy

Ensure the endorsement policy is configured in the root compartment as described in Step 4.

No cost report files found

New tenancy or reports not yet generated

OCI generates cost reports every 6 hours. Wait for the next report cycle. New tenancies may take up to 24 hours.

Cost reports not found (404)

IAM policy not configured

Create the endorsement policy to allow reading objects from the usage-report tenancy (see Step 4).