OCI-Tenant admin locked, how to reset your own password

OCI-Tenant admin locked, how to reset your own password

There are some of those days that you rely too heavily on password tools. Yes, you always should use different passwords and strong ones. But I won’t preach to you, but due to this, I locked myself out of my tenant admin user in the Oracle Cloud Infrastructure (OCI).

For those who have seen my OCI – talk already, you know I’m a big fan of the OCI – utility. Also a comprehensive list of things you can do with it, can be found in the Oracle documentation.

One thing you really should remember, your root compartment is a compartment just like any other. Except, this tenant admin controls your environment. So when you’re a bit confused this can happen:

When you can still reach your oci cli, then no harm is done. When you don’t have that one setup, or can’t reach it, you’re screwed and you’ll need to open an SR to ask to reset the password. This isn’t true for normal users, but this shows how to recover your gui-access to your tenant admin.

So… I am locked, how to get access again? To do so, go to the host you’re using to cli into your environment.

The oci cli has a subroutine iam, which is used for identity and access management. So this is what we’re going to use. Oci is very descriptive:

You see what we’re up to.

As we are currently locked out and the account is blocked, we need to

  • get the userid
  • unblock the account
  • reset the password

To get your user id you use oci user list command. To get this user list, you need to know the compartment-id. This is easily retrievable, but this goes out-of-scope of this blogpost. I usually store it temporarily in an environment variable:

I anonymised the output a bit here:

on line 12 we have the ID we’re looking for. Save that string in a wordpad, variable,… or whatever, but you need it in the next step.

Then unblock the user

And finally reset the password. This will generate a one time only password, which will allow you to login and set your new password.

The cool thing about doing it this way, is that the temporary password is not e-mailed, but just returned to you in json format.

Browse back to the OCI- console and login using your username and this temporary password and you will be redirected to the page to change your password again:

 

After that it’s piece of cake. Just follow the password rules and you’re in:

 

As always, questions, remarks? find me on twitter @vanpupi

Leave a Reply

Your email address will not be published. Required fields are marked *

7 + seven =

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: