Configure IAM Proxy Authentication
Proxy authentication allows an IAM user to proxy to a database schema for tasks such as application maintenance.
About Configuring IAM Proxy Authentication
IAM users can connect to Oracle DBaaS by using proxy authentication.
Proxy authentication is typically used to authenticate the real user and then authorize them to use a database schema with the schema's privileges and roles in order to manage an application. Alternatives such as sharing the application schema password are considered insecure and make it impossible to audit which actual user performed an action.
A use case can be in an environment in which a named IAM user who is an application database administrator can authenticate by using their credentials and then proxy to a database schema user (for example, hrapp). This authentication enables the IAM administrator to use the hrapp privileges and roles as user hrapp in order to perform application maintenance, yet still use their IAM credentials for authentication. An application database administrator can sign in to the database and then proxy to an application schema to manage this schema.
You can configure proxy authentication for both the password authentication and token authentication methods.
Configure Proxy Authentication for the IAM User
To configure proxy authentication for an IAM user, the IAM user must already have a mapping to a global schema (exclusive or shared mapping). A separate database schema for the IAM user to proxy to must also be available.
After you ensure that you have this type of user, alter the database user to allow the IAM user to proxy to it.
- Log in to the Autonomous AI Database instance as a user who has the ALTER USER system privilege.
- Grant permission for the IAM user to proxy to the local database user account.
  An IAM user cannot be referenced in the command, so the proxy must be created between the database global user (mapped to the IAM user) and the target database user.
  In the following example, hrapp is the database schema to proxy to, and peterfitch_schema is the database global user exclusively mapped to user peterfitch.
      ALTER USER hrapp GRANT CONNECT THROUGH peterfitch_schema;
At this stage, the IAM user can log in to the database instance using the proxy. For example, to connect using a password verifier:
CONNECT peterfitch[hrapp]@connect_string
Enter password: password
To connect using a token:
CONNECT [hrapp]/@connect_string
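The procedure above as one complete script. This is an added example, not code from the Oracle documentation page: it assumes the IAM user peterfitch in the default domain, the schemas hrapp and peterfitch_schema from the text, and a hypothetical role named hrapp_maint; the IDENTIFIED GLOBALLY mapping is the prerequisite the text says must already exist, shown here so the script is self-contained.

```sql
-- Added example (not from the Oracle page). Assumes IAM user peterfitch in the
-- default domain, schemas hrapp and peterfitch_schema as in the text, and a
-- hypothetical role hrapp_maint. Run as a user holding CREATE USER and ALTER USER.

-- Prerequisite named in the text: a global schema exclusively mapped to the IAM user.
-- IAM_PRINCIPAL_NAME gives an exclusive mapping; a shared mapping would use
-- IAM_GROUP_NAME=<iam group> instead, and several IAM users would land in one schema.
CREATE USER peterfitch_schema IDENTIFIED GLOBALLY AS 'IAM_PRINCIPAL_NAME=peterfitch';
GRANT CREATE SESSION TO peterfitch_schema;

-- The proxy is granted to the global schema, never to the IAM user directly,
-- because the IAM user has no name the database can reference.
-- This is the form shown in the text: the proxied session gets all of hrapp's roles.
ALTER USER hrapp GRANT CONNECT THROUGH peterfitch_schema;

-- Least-privilege variant: re-issuing the grant with WITH ROLE replaces the
-- earlier one, so the proxied session can only activate the named role
-- (hrapp_maint is a hypothetical role holding just the maintenance privileges).
ALTER USER hrapp GRANT CONNECT THROUGH peterfitch_schema WITH ROLE hrapp_maint;

-- Remove the proxy path once the maintenance window is over.
ALTER USER hrapp REVOKE CONNECT THROUGH peterfitch_schema;
```

The WITH ROLE form is the one to prefer for a maintenance account: the real user still authenticates with their own IAM credentials, but the session they obtain as hrapp carries only the role needed for the task rather than every role the application schema owns.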
Validate the IAM User Proxy Authentication
You can validate the IAM user proxy configuration for both password and token authentication methods.
- Log in to the Autonomous AI Database instance as a user who has the CREATE USER and ALTER USER system privileges.
- Connect as the IAM user and run the SHOW USER and SELECT SYS_CONTEXT commands.
  For example, suppose you want to check the proxy authentication of the IAM user peterfitch when they proxy to database user hrapp. Run the following queries after you proxy to the database using an IAM user. Depending on how you authenticate and access the database, you will get different values for these queries.
  - For password authentication, assuming the IAM user is in the default domain:
        CONNECT peterfitch[hrapp]/password!@connect_string
        SHOW USER;
        --The output should be USER is "HRAPP"
        SELECT SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') FROM DUAL;
        --The output should be "PASSWORD_GLOBAL_PROXY"
        SELECT SYS_CONTEXT('USERENV','PROXY_USER') FROM DUAL;
        --The output should be "PETERFITCH_SCHEMA"
        SELECT SYS_CONTEXT('USERENV','CURRENT_USER') FROM DUAL;
        --The output should be "HRAPP"
  - For token authentication, for a user who is in a non-default domain, sales_domain:
        CONNECT [hrapp]/@connect_string
        SHOW USER;
        --The output should be USER is "HRAPP"
        SELECT SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') FROM DUAL;
        --The output should be "TOKEN_GLOBAL_PROXY"
        SELECT SYS_CONTEXT('USERENV','PROXY_USER') FROM DUAL;
        --The output should be "PETERFITCH_SCHEMA"
        SELECT SYS_CONTEXT('USERENV','CURRENT_USER') FROM DUAL;
        --The output should be "HRAPP"
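The SYS_CONTEXT checks above validate one live session. The queries below, an added example that is not part of the Oracle page, show the complementary checks an administrator runs from a privileged session: which proxy paths exist at all, and whether the audit trail actually records the real user behind each hrapp action, which is the property the page gives as the reason for proxy authentication over a shared password. It assumes the hrapp and peterfitch_schema users from the text and a hypothetical unified audit policy named hrapp_proxy_audit.

```sql
-- Added example (not from the Oracle page). Assumes users hrapp and
-- peterfitch_schema from the text and a hypothetical policy hrapp_proxy_audit.
-- Run as a user with access to the DBA_PROXIES and UNIFIED_AUDIT_TRAIL views.

-- 1. Inventory every proxy path into the application schema.
--    The CONNECT THROUGH grant from the text appears as one row with
--    CLIENT = 'HRAPP' and PROXY = 'PETERFITCH_SCHEMA'; the ROLE and
--    AUTHORIZATION_CONSTRAINT columns show whether the grant was role-limited.
SELECT proxy, client, authentication, authorization_constraint, role
FROM   dba_proxies
WHERE  client = 'HRAPP'
ORDER BY proxy;

-- 2. Audit everything done while connected as hrapp. Proxied sessions are
--    audited under the target user (hrapp), and the trail keeps the proxying
--    global user in a separate column, so the real user is never lost.
CREATE AUDIT POLICY hrapp_proxy_audit ACTIONS ALL;
AUDIT POLICY hrapp_proxy_audit BY hrapp;

-- 3. Attribute hrapp actions to the real user. DBPROXY_USERNAME is the global
--    schema mapped to the IAM user (PETERFITCH_SCHEMA in the text's example),
--    and AUTHENTICATION_TYPE distinguishes password from token logins. A row
--    with DBPROXY_USERNAME NULL is a direct hrapp login, which a shared-password
--    setup would produce for every action and which is what this design avoids.
SELECT event_timestamp, dbusername, dbproxy_username, authentication_type,
       action_name, object_schema, object_name
FROM   unified_audit_trail
WHERE  dbusername = 'HRAPP'
ORDER BY event_timestamp DESC;
```

A useful operational rule that falls out of query 1: any row in DBA_PROXIES for an application schema whose PROXY is not a global (IAM-mapped) user is a proxy path that bypasses IAM authentication and is worth reviewing.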