Skip to main content

Rotate the OCI API Key

To allow Lacework to interact with Oracle Cloud, you need to have created an API key for Lacework when first configuring the integration. As a best practice, you should rotate this OCI API key every 90 days or less. After rotating the Lacework user API key, you'll need to upload the new private key to Lacework, as described here.

Note that if you rotate keys during a Lacework resource collection event, collection will fail. To prevent this possibility, avoid performing these steps during or soon after your scheduled resource collection time.

You can view your configured collection time in the Lacework Console by navigating to Setting > Configuration > General. The time is indicated in the Resource Management Collection Schedule settings. For best results, perform the steps below 12 hours after the time shown. In other words, if your collection is scheduled for every 24 hours at 0100 GMT, perform these steps at 1300 GMT.

To rotate your Lacework user OCI API key, follow these steps:

  1. Generate the new key in OCI and upload the public key to OCI, as described in Step 5: Generate and Upload the OCI API Key.

  2. Create a private key file that contains the private key and the fingerprint of your API key, in the following format:

    "data": {
    "credentials": {
    "fingerprint": "e0:8b:66:0b:2d:02:f0:c7:4c:9e:dc:60:06:f7:23:d3",
    "privateKey": "...."

    Be sure to replace the values shown with the fingerprint and private key of your new API key.

  3. Upload the private key to Lacework. Given a file named lacework_payload.json with the contents shown in the previous step, you can use the following command to upload the key:

    lacework api patch /api/v2/CloudAccounts/<account_id> -d "$(cat ./lacework_payload.json)"

    Replace <account_id> with the ID of your Lacework account.

  4. Finally, delete the old Lacework API public key from OCI.