WIV OCI Integration: Cloud Shell Setup Guide
This document outlines the steps to set up Wiv's read-only integration with your Oracle Cloud Infrastructure (OCI) tenancy using a Terraform script executed via OCI Cloud Shell. The Terraform configuration creates the following dedicated resources in your OCI tenancy for the Wiv platform:
Service User: `wiv-service`
- Dedicated API-only user account.
- No console access.
- Contact email is stored for this user.
Service Group: `WivServiceGroup`
- Contains the `wiv-service` user.
- Assigned the `WivServicePolicy`.
Policy: `WivServicePolicy`
- Grants read-only permissions to `WivServiceGroup` (see permissions list below).
API Key
- RSA key pair for secure API authentication.
- Public key is stored in OCI.
- Private key is exported to a credentials file.
Tag Namespace: `WivIntegration`
- Used for tracking and identifying the integration resources.
Permissions granted to Wiv (all read-only)
The `WivServicePolicy` grants the `WivServiceGroup` read-only access across these areas:
| Resource Family | Verb/Access | Purpose |
|---|---|---|
| Cost & Billing | read usage-reports, read usage-budgets, inspect usage-reports | Cost optimization and viewing budget/usage data. |
| Compute | inspect instance-family, inspect instance-images | Infrastructure inventory (instances, configurations, pools, images). |
| Storage | inspect volume-family, inspect object-family | Storage resources (volumes, boot volumes, backups, Object Storage buckets). |
| Database | inspect database-family, inspect autonomous-database-family | Database resources (DB Systems, DB Homes, Autonomous Databases). |
| Network | inspect virtual-network-family | Network topology (VCNs, subnets, load balancers). |
| Monitoring | read metrics | Performance data metrics. |
| Governance | inspect compartments, inspect tenancies | Organization structure (compartments, tenancy information). |
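A tenancy administrator will usually want to confirm, before or after `terraform apply`, that the policy really contains nothing beyond `inspect` and `read` grants to `WivServiceGroup`. The following is an added example, not part of this guide or of Wiv's Terraform script: it parses statements written in OCI policy syntax and flags any verb outside the read-only set, any grant to a different group, and any statement it cannot parse (for example an `any-user` grant). The sample statements are constructed from the table above; the statements the script actually generates may be worded or scoped differently, so feed it the statements from Identity → Policies in your own tenancy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample statements in OCI policy syntax, written here from the
# permissions table above. The Terraform script's actual WivServicePolicy
# statements may be worded differently (e.g. scoped to a compartment).
SAMPLE_POLICY_STATEMENTS = [
    "Allow group WivServiceGroup to read usage-reports in tenancy",
    "Allow group WivServiceGroup to read usage-budgets in tenancy",
    "Allow group WivServiceGroup to inspect usage-reports in tenancy",
    "Allow group WivServiceGroup to inspect instance-family in tenancy",
    "Allow group WivServiceGroup to inspect instance-images in tenancy",
    "Allow group WivServiceGroup to inspect volume-family in tenancy",
    "Allow group WivServiceGroup to inspect object-family in tenancy",
    "Allow group WivServiceGroup to inspect database-family in tenancy",
    "Allow group WivServiceGroup to inspect autonomous-database-family in tenancy",
    "Allow group WivServiceGroup to inspect virtual-network-family in tenancy",
    "Allow group WivServiceGroup to read metrics in tenancy",
    "Allow group WivServiceGroup to inspect compartments in tenancy",
    "Allow group WivServiceGroup to inspect tenancies in tenancy",
]

# OCI's verb hierarchy is inspect < read < use < manage; only the first two
# are non-mutating.
READ_ONLY_VERBS = {"inspect", "read"}

# Grammar subset handled here:
#   Allow group <name> to <verb> <resource-type> in tenancy|compartment <name> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class PolicyStatement:
    group: str
    verb: str
    resource: str
    scope: str
    condition: Optional[str]


def parse_statement(text: str) -> PolicyStatement:
    """Parse one statement; raise ValueError for anything outside the grammar
    above (e.g. 'Allow any-user ...'), which a least-privilege review should
    treat as a finding rather than silently skip."""
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return PolicyStatement(
        group=m["group"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        scope=m["scope"].lower(),
        condition=m["condition"],
    )


def find_violations(statements: List[str],
                    expected_group: str = "WivServiceGroup") -> List[Tuple[str, str]]:
    """Return (statement, reason) pairs for every statement that is not a
    read-only grant to expected_group. An empty list means the policy matches
    the read-only contract described on this page."""
    violations: List[Tuple[str, str]] = []
    for text in statements:
        try:
            stmt = parse_statement(text)
        except ValueError as exc:
            violations.append((text, str(exc)))
            continue
        if stmt.group != expected_group:
            violations.append((text, f"grants to unexpected group {stmt.group}"))
        elif stmt.verb not in READ_ONLY_VERBS:
            violations.append((text, f"mutating verb '{stmt.verb}'"))
    return violations


def granted_resources(statements: List[str]) -> set:
    """Resource types the statements cover, for comparison with the table above."""
    return {parse_statement(s).resource for s in statements}


if __name__ == "__main__":
    problems = find_violations(SAMPLE_POLICY_STATEMENTS)
    print("read-only policy OK" if not problems else problems)
    print(sorted(granted_resources(SAMPLE_POLICY_STATEMENTS)))
```

Note that a `use` or `manage` verb is flagged even when a `where` condition narrows it; that is deliberate, since a condition such as `request.permission='...'` has to be reviewed by hand and should not pass an automated read-only check.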
Wiv security assurance: access limitations
Wiv's access is strictly limited to ensure the security of your environment and data.
What Wiv cannot do
- No Mutating Operations: Wiv is prohibited from performing any write, modify, or delete operations on your resources. All permissions are strictly for inspection or reading.
- No Sensitive Data Access: Wiv cannot read the contents of your storage buckets, database data, instance internals, or vault secrets. Access is limited to resource metadata, not the data itself.
Security controls and notes
- Zero Write Permissions: Wiv cannot create, modify, or delete any resources.
- Auditability: Every API call made by Wiv is logged in Governance → Audit. These logs can be filtered by Request Principal = `wiv-service`.
- Revocation: Access can be immediately and easily revoked by deleting the `wiv-service` user.
- Access Method: Access is exclusively via API keys; Wiv has no console access or password.
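The audit trail is the control that lets you verify the "zero write permissions" claim over time rather than only at setup. The following is an added example, not part of this guide or of Wiv's tooling: it takes an export of OCI Audit events, isolates the calls made by the `wiv-service` principal, summarises what it called, and flags any request whose HTTP method is not a read (`GET`/`HEAD`). The events below are a constructed sample, trimmed to the fields used; the field names (`data.identity.principalName`, `data.eventName`, `data.request.action`) follow the OCI Audit event schema as I know it and should be confirmed against a real export from Governance → Audit before the check is relied on.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample in the shape of OCI Audit events, trimmed to the fields
# used here (real events carry many more). Field names follow the OCI Audit
# event schema as I know it; confirm against a real export from Governance ->
# Audit. The "alice" principal and the TerminateInstance call exist only to
# show what the mutating-call check looks like when it fires.
SAMPLE_AUDIT_EVENTS_JSON = """[
  {"eventType": "com.oraclecloud.computeapi.listinstances", "eventTime": "2024-05-01T10:00:00Z",
   "data": {"eventName": "ListInstances", "compartmentName": "prod",
            "identity": {"principalName": "wiv-service", "authType": "natv"},
            "request": {"action": "GET", "path": "/20160918/instances"},
            "response": {"status": "200"}}},
  {"eventType": "com.oraclecloud.computeapi.listinstances", "eventTime": "2024-05-01T10:00:05Z",
   "data": {"eventName": "ListInstances", "compartmentName": "dev",
            "identity": {"principalName": "wiv-service", "authType": "natv"},
            "request": {"action": "GET", "path": "/20160918/instances"},
            "response": {"status": "200"}}},
  {"eventType": "com.oraclecloud.objectstorage.listbuckets", "eventTime": "2024-05-01T10:00:09Z",
   "data": {"eventName": "ListBuckets", "compartmentName": "prod",
            "identity": {"principalName": "wiv-service", "authType": "natv"},
            "request": {"action": "GET", "path": "/n/examplenamespace/b/"},
            "response": {"status": "200"}}},
  {"eventType": "com.oraclecloud.computeapi.getinstance", "eventTime": "2024-05-01T10:02:00Z",
   "data": {"eventName": "GetInstance", "compartmentName": "prod",
            "identity": {"principalName": "alice", "authType": "natv"},
            "request": {"action": "GET", "path": "/20160918/instances/ocid1.instance.example"},
            "response": {"status": "200"}}},
  {"eventType": "com.oraclecloud.computeapi.terminateinstance", "eventTime": "2024-05-01T10:02:30Z",
   "data": {"eventName": "TerminateInstance", "compartmentName": "prod",
            "identity": {"principalName": "alice", "authType": "natv"},
            "request": {"action": "DELETE", "path": "/20160918/instances/ocid1.instance.example"},
            "response": {"status": "204"}}}
]"""

SERVICE_PRINCIPAL = "wiv-service"
READ_ONLY_HTTP_METHODS = {"GET", "HEAD"}


def load_events(raw_json: str) -> List[dict]:
    """Parse an Audit export (a JSON array of event objects)."""
    return json.loads(raw_json)


def events_for_principal(events: List[dict], principal: str) -> List[dict]:
    """The equivalent of the console filter 'Request Principal = <principal>'."""
    return [
        e for e in events
        if e.get("data", {}).get("identity", {}).get("principalName") == principal
    ]


def mutating_calls(events: List[dict]) -> List[dict]:
    """Events whose HTTP method is not a read. For the read-only service user
    this list should always be empty; a hit is worth investigating."""
    return [
        e for e in events
        if e["data"]["request"]["action"].upper() not in READ_ONLY_HTTP_METHODS
    ]


def activity_summary(events: List[dict]) -> Counter:
    """Count of API operations by eventName, to compare against the expected
    inventory/cost read pattern."""
    return Counter(e["data"]["eventName"] for e in events)


def calls_by_principal(events: List[dict]) -> Dict[str, Counter]:
    """HTTP method counts per principal, handy for a quick tenancy-wide overview."""
    result: Dict[str, Counter] = {}
    for e in events:
        who = e["data"]["identity"]["principalName"]
        result.setdefault(who, Counter())[e["data"]["request"]["action"].upper()] += 1
    return result


if __name__ == "__main__":
    events = load_events(SAMPLE_AUDIT_EVENTS_JSON)
    wiv = events_for_principal(events, SERVICE_PRINCIPAL)
    print(f"{SERVICE_PRINCIPAL}: {len(wiv)} calls, {dict(activity_summary(wiv))}")
    print("mutating calls by service user:", [e["data"]["eventName"] for e in mutating_calls(wiv)])
    print("per principal:", {k: dict(v) for k, v in calls_by_principal(events).items()})
```

HTTP method is a first approximation: a few OCI read-style APIs that take a request body are issued as `POST`, so if the check fires on the service user, look at the `eventName` and response before treating it as a policy breach, and add any confirmed read-only `POST` operations to an allowlist keyed on `eventName`.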
OCI Cloud Shell setup steps
Open OCI
- Log into your OCI Console: https://cloud.oracle.com
- Click the Cloud Shell icon (terminal icon) in the top-right corner.
- Wait for the Cloud Shell to initialize (approximately 30 seconds).
Run setup script
Run the setup script. It will automatically detect your Tenancy OCID and Region. The script will prompt you for:
- Your Company Name: Enter your company name.
- Contact Email: Enter your email (this will be the email for the `wiv-service` user).
- Environment: Press Enter for `prod`.
Download credentials file
Once deployment is complete:
- Click the Cloud Shell menu (⋮) in the top-right.
- Select Download.
- Enter the filename: `wiv-credentials-[YourCompany]-prod.json`
- The file will download to your local computer.
Revoke access (if needed)
Access is immediately revoked upon user deletion.
Option 1: Via Terraform (recommended)
Option 2: Via OCI Console
- Navigate to Identity → Users.
- Select `wiv-service`.
- Click Delete.