WebbinRoot edited this page Mar 9, 2026 · 1 revision

Auth: Instance Principal

Overview

Instance Principal auth is best for workloads tied to OCI Compute identity.

  • If you come from AWS, this is similar to retrieving role credentials from EC2 IMDS.
  • If you come from GCP, this is similar to retrieving identity material from Compute metadata.

In OCI, permissions for instance principal access are controlled by dynamic groups and IAM policies. Having access to identity material alone does not guarantee API permissions. Unlike AWS or GCP, where an IAM principal is attached directly to an instance, you can think of OCI as placing compute instances into dynamic groups, which in turn have permissions. Whether a compute instance belongs to a dynamic group is decided by the matching rules (conditionals) attached to that dynamic group.

This page will:

  • Show how to retrieve instance identity material from IMDS.
  • Show how to map those values into the OCISigner profile.
  • Demonstrate Test Credentials and Refresh Token.
  • Demonstrate signing a normal request.

Setup and Retrieve Credentials

  1. Start with an OCI Compute instance that has IMDS access enabled.

OCI compute instance

Figure 1. OCI Compute instance available for instance-principal testing.

  2. SSH to the target instance first so the metadata requests are executed from the host itself.

     ssh -i /path/to/private_key opc@<INSTANCE_PUBLIC_IP>

  3. Retrieve identity material from IMDS on that host.

For IMDSv2, include Authorization: Bearer Oracle. For IMDSv1, use the same endpoints and commands without the header.

# X.509 material
curl -H "Authorization: Bearer Oracle" http://169.254.169.254/opc/v2/identity/cert.pem
curl -H "Authorization: Bearer Oracle" http://169.254.169.254/opc/v2/identity/key.pem
curl -H "Authorization: Bearer Oracle" http://169.254.169.254/opc/v2/identity/intermediate.pem

# Region + tenancy
curl -H "Authorization: Bearer Oracle" http://169.254.169.254/opc/v2/instance/regionInfo
curl -H "Authorization: Bearer Oracle" http://169.254.169.254/opc/v2/instance/tenantId

Useful shortcuts:

  • http://169.254.169.254/opc/v2/identity returns identity material in a single response.
  • http://169.254.169.254/opc/v2/instance returns broader instance metadata (including region context).
  4. Save cert.pem, key.pem, and intermediate.pem to local files on the system running Burp/OCISigner.
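As an added example in Go (not code from this page or from the OCISigner project), the retrieval step above done programmatically: the request carries the IMDSv2 Authorization: Bearer Oracle header, the same call serves cert.pem, key.pem and intermediate.pem, and the tenancy OCID is read from the leaf certificate's OU=opc-tenant:... subject component the way the Field Reference below describes. Because 169.254.169.254 is only reachable from inside the instance, the block runs against a constructed local stand-in server (newFakeIMDS) that serves a self-signed certificate with the same OU layout; the stand-in answering header-less requests with 401 is constructed behaviour for the example, and the tenancy value is a placeholder.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// fetchIMDS performs one IMDSv2 GET. base is "http://169.254.169.254" on the
// instance itself; main() and the test point it at a local stand-in instead.
func fetchIMDS(base, path string) ([]byte, error) {
	req, err := http.NewRequest(http.MethodGet, base+"/opc/v2/"+path, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer Oracle") // required by IMDSv2, absent for v1
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: HTTP %d", path, resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// tenancyFromLeafCert reads the tenancy OCID out of the leaf certificate
// subject, which carries an OU of the form "opc-tenant:<tenancy OCID>".
func tenancyFromLeafCert(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return "", errors.New("cert.pem: no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if strings.HasPrefix(ou, "opc-tenant:") {
			return strings.TrimPrefix(ou, "opc-tenant:"), nil
		}
	}
	return "", errors.New("cert.pem: no opc-tenant OU in subject")
}

// makeLeafCert builds a constructed, self-signed stand-in for the instance leaf
// certificate; only the opc-tenant OU layout is meant to match the real one.
func makeLeafCert(tenancy string) []byte {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "instance-placeholder", OrganizationalUnit: []string{"opc-tenant:" + tenancy}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// newFakeIMDS is a constructed stand-in for the metadata service: it serves the
// given files under /opc/v2/ and, mirroring the v2 header requirement described
// above, rejects requests without the bearer header (the 401 is our choice).
func newFakeIMDS(files map[string][]byte) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer Oracle" {
			http.Error(w, "IMDSv2 bearer header missing", http.StatusUnauthorized)
			return
		}
		body, ok := files[strings.TrimPrefix(r.URL.Path, "/opc/v2/")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Write(body)
	}))
}

func main() {
	// Placeholder tenancy OCID; on a real instance the value comes from the cert itself.
	srv := newFakeIMDS(map[string][]byte{"identity/cert.pem": makeLeafCert("ocid1.tenancy.oc1..placeholder")})
	defer srv.Close()
	leaf, err := fetchIMDS(srv.URL, "identity/cert.pem") // same call for key.pem and intermediate.pem
	if err != nil {
		panic(err)
	}
	fmt.Println(tenancyFromLeafCert(leaf))
}
```

On the instance, swap srv.URL for http://169.254.169.254 and write each of the three responses to a file with owner-only permissions before copying them to the Burp host; the tenancy lookup is what lets the Tenancy OCID field stay optional.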

Plug Into OCISigner

  1. Choose Auth Type = Instance Principal.
  2. Set Leaf Cert, Leaf Key, and Intermediate Certs.
  3. Set Federation Endpoint and optionally Tenancy OCID.
  4. If you want to inspect federation traffic in Burp, enable Proxy federation request and set host/port. Note that this proxy rule applies only to the /v1/x509 request shown below and should point at a port on which Burp is already actively proxying.
  5. Click Save.

Instance Principal fields populated

Figure 2. Instance Principal profile populated with X.509 and federation settings.

Field Reference

| Field | Required | Source / Notes |
|---|---|---|
| Region | Conditionally required | used to derive endpoint when Federation Endpoint is blank |
| Leaf Cert | Yes (explicit mode) | IMDS cert.pem |
| Leaf Key | Yes (explicit mode) | IMDS key.pem |
| Key Passphrase | Optional | only if private key is encrypted |
| Intermediate Certs | Yes (current implementation) | IMDS intermediate.pem |
| Federation Endpoint | Conditionally required | host only (example: https://auth.us-phoenix-1.oraclecloud.com) |
| Proxy federation request | Optional | routes federation requests through Burp listener |
| Disable TLS verify (federation) | Optional | helpful when proxying federation through Burp CA |
| Tenancy OCID | Optional | can be derived from leaf cert subject (OU=opc-tenant:...) |

Federation endpoint notes:

  • Commercial OCI often uses https://auth.<region>.oraclecloud.com.
  • Government realms can use different domain components (for example, oraclegovcloud.com). See the following.

Run Test Credentials

  1. Click Test Credentials in the profile.

Test Credentials action

Figure 3. Test Credentials action for Instance Principal profile.

  2. OCISigner performs manual federation to /v1/x509 and retrieves a session token. Note that Disable TLS verify is checked in the image below, unlike before, in order to proxy through Burp Suite.

Test result with token populated

Figure 4. Successful test with cached session token and timestamps populated.

  3. Review federation request/response in Logger if proxying is enabled.

Federation request in logger

Figure 5. Logger entry showing signed federation request to `/v1/x509`.

How /v1/x509 works in this workflow:

  1. OCISigner builds a federation request containing the leaf certificate, intermediate certificate chain, and a newly generated session public key.
  2. OCISigner signs the federation request using your leaf private key.
  3. OCI returns a short-lived session token (JWT), which OCISigner stores as the cached session token.
  4. Subsequent signed API requests use that session token and the generated session private key.

Refresh Token

Use Refresh Token to force a new session token before expiry.

Refresh Token action

Figure 6. Refresh Token action in the Instance Principal profile.

Token timestamps updated

Figure 7. Token expiry/created timestamps updated after refresh.

Refresh request in logger

Figure 8. Logger entry for refreshed `/v1/x509` federation request.

Sign a Request

  1. Confirm signing is enabled, a valid token is cached, and the active profile is correct.

Signing enabled and token present

Figure 9. Signing enabled with instance-principal token available.

  2. Send a request from Repeater or via Proxy.

Request before signing

Figure 10. Repeater request before signature is applied.

  3. Confirm signature headers are added in Logger.

Signed request in logger

Figure 11. Signed request visible in Logger.

Notes

  • Instance Principal test/refresh uses federation (/v1/x509) instead of the Object Storage namespace probe used by other auth methods.
  • A session token alone is not sufficient across contexts; signing also depends on the generated session private key held in memory.
  • In the UI, set the federation host (for example, https://auth.us-phoenix-1.oraclecloud.com); OCISigner appends /v1/x509 during federation calls.
  • If Federation Endpoint is not set, OCISigner derives one from region (https://auth.<region>.oraclecloud.com).
  • Proxy federation request and Disable TLS verify (federation) are mainly for debugging traffic through Burp.
  • For actual API authorization, the instance must still be covered by dynamic-group and IAM policy rules.
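As an added example in Go (not the extension's own code), the post-federation signing that step 4 of the /v1/x509 description and the Notes refer to: a request signed with the generated session private key, with the cached session token carried in the Authorization header, plus the verification a service performs on receipt. The header layout (Signature version="1", keyId, algorithm="rsa-sha256", headers, signature), the signing string built from date, (request-target) and host, and the "ST$" + session token form of keyId are taken from OCI's public API-signing scheme and are an assumption about how OCISigner fills them; the session key, the token value and the Object Storage URL are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Headers covered by the signature for a body-less request, in the order the
// OCI HTTP Signature scheme lists them (assumed from the public signing spec).
const signedHeaders = "date (request-target) host"

// signingString is the canonical text both signer and verifier hash: one
// "name: value" line per covered header, joined with "\n".
func signingString(req *http.Request) string {
	return strings.Join([]string{
		"date: " + req.Header.Get("Date"),
		"(request-target): " + strings.ToLower(req.Method) + " " + req.URL.RequestURI(),
		"host: " + req.Host,
	}, "\n")
}

// signWithSessionToken does what the notes describe for a call made after
// federation: keyId is "ST$" + the cached session token, and the RSA-SHA256
// signature is made with the session private key, not the instance leaf key.
func signWithSessionToken(req *http.Request, sessionToken string, sessionKey *rsa.PrivateKey) error {
	if req.Header.Get("Date") == "" {
		req.Header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
	}
	digest := sha256.Sum256([]byte(signingString(req)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, sessionKey, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", fmt.Sprintf(
		`Signature version="1",keyId="ST$%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		sessionToken, signedHeaders, base64.StdEncoding.EncodeToString(sig)))
	return nil
}

// verifySignature replays what the service does with a signed request: parse
// the Authorization parameters, rebuild the signing string from the request as
// received, and check the signature against the session public key. It returns
// the session token carried in keyId so the caller can validate the JWT next.
func verifySignature(req *http.Request, sessionPub *rsa.PublicKey) (string, error) {
	auth := req.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Signature ") {
		return "", errors.New("not an OCI Signature authorization header")
	}
	params := map[string]string{}
	for _, kv := range strings.Split(strings.TrimPrefix(auth, "Signature "), ",") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			params[k] = strings.Trim(v, `"`)
		}
	}
	if params["headers"] != signedHeaders || !strings.HasPrefix(params["keyId"], "ST$") {
		return "", errors.New("unexpected headers list or keyId form")
	}
	sig, err := base64.StdEncoding.DecodeString(params["signature"])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(signingString(req)))
	if err := rsa.VerifyPKCS1v15(sessionPub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature does not match request: %w", err)
	}
	return strings.TrimPrefix(params["keyId"], "ST$"), nil
}

func main() {
	sessionKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key generated at federation
	token := "header.payload.signature"                 // constructed placeholder for the session JWT
	req, _ := http.NewRequest(http.MethodGet, "https://objectstorage.us-phoenix-1.oraclecloud.com/n/", nil)
	if err := signWithSessionToken(req, token, sessionKey); err != nil {
		panic(err)
	}
	fmt.Println(req.Header.Get("Authorization"))
	fmt.Println(verifySignature(req, &sessionKey.PublicKey))
}
```

The verifier is why a token copied out of Logger is useless on its own: the signature binds the request to the session private key that only the signing process holds, so a different key, or any change to the signed target, fails verification. Requests with a body are signed the same way but, per the public scheme, also cover content-length, content-type and x-content-sha256.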