Skip to main content


Ensure API keys are not created for tenancy administrator users (Automated)


Tenancy administrator users have full access to the organization's OCI tenancy. API keys associated with user accounts invoke the OCI APIs via custom programs or clients like CLI/SDKs. The clients are typically used for performing day-to-day operations and should never require full tenancy access. Use service-level administrative users with API keys instead.


From Console:

  1. Login to OCI console.
  2. Select Identity from Services menu.
  3. Select Users from Identity menu, or select Domains, select a domain, and select Users.
  4. Select the username of a tenancy administrator user with an API key.
  5. Select API Keys from the menu in the lower left-hand corner.
  6. Delete any associated keys from the API Keys table.
  7. Repeat steps 3-6 for all tenancy administrator users with an API key.

From CLI:

  1. For each tenancy administrator user with an API key, execute the following command to retrieve API key details:
oci iam user api-key list --user-id <user_id>
  1. For each API key, execute the following command to delete the key:
oci iam user api-key delete --user-id <user_id> --fingerprint <api_key_fingerprint>
  1. The following message displays:
Are you sure you want to delete this resource? [y/N]:
  1. Type 'y' and press 'Enter'.