
Oracle 1Z0-1104-24

Exam contains 279 questions

Question 61 🔥

Challenge 1 - Task 1 of 5
Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario:
You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:
To complete this requirement, you are provided with:
- An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
- An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
- A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
- Access to Cloud Shell.
- Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following tasks in the OCI environment provisioned:
- Create Master Encryption Key with the name my_pbt_msk with 256 bits shape.
- Create a Secret with the name my-pbt-secret_99234021-lab.user01 and secret content. For example: If your user name is 99346163-lab.user02, then the secret should be named as my-pbt-secret_99346163-lab.user02.

Explanation: See the solution below.

SOLUTION:
1. From the navigation menu, select "Identity & Security" and then click "Vault."
2. From the left navigation pane, under "List Scope," select the working compartment from the "Compartment" drop-down menu.
3. Select "PBT_Vault_SP."
4. From the left navigation pane under "Resources," click "Master Encryption Keys," and then click "Create Key."
5. On the "Create Key" page, enter the following details:
   - Create in compartment: <your working compartment>
   - Protection Mode: HSM
   - Name: my_pbt_msk
   - Key Shape: Algorithm (Accept the default values)
   - Key Shape: Length (256 bits)
6. Click "Create Key" to save. "It will take about a minute to create the master encryption key. The keys will go through the Creating state to the Active state."
7. From the left navigation pane under "Resources," select "Secrets" and click "Create Secret."
8. On the "Create Secret" page, enter the following details:
   - Create in compartment: <your working compartment>
   - Name: my-pbt-secret_99234021-lab.user01
   - Description: "My application secret key"
   - Encryption Key: Select the my_pbt_msk key created earlier.
   - Secret Contents: <Your secret here>
9. Click "Create Secret."
10. After the secret is created, click "my-pbt-secret_99234021-lab.user01."
11. Click the "Copy" link located to the right of the Secret Key's OCID value. Later, it will be included in a Python script. "Sample: ocid1.vaultsecret.oc1.iad.XXXXXXXXXXXXXXXXXXXXXXXXXXXX"

Question 62 🔥

Challenge 1 - Task 2 of 5
Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario:
You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a good security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:
To complete this requirement, you are provided with:
- An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
- An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
- A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
- Access to Cloud Shell.
- Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following task:
In the field below, write the IAM policy, which allows a program running on a compute instance (principal instance) to retrieve a secret from the OCI Vault.

Explanation: See the solution below.

    ALLOW dynamic-group PBT_Dynamic_Group_SP TO read secret-family IN COMPARTMENT 99234021-C01

Question 63 🔥

Challenge 1 - Task 3 of 5
Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario:
You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:
To complete this requirement, you are provided with:
- An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
- An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
- A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
- Access to Cloud Shell.
- Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following task in the OCI environment provisioned:
Create a new VCN with the name PBT_SECRET_VCN01 and public subnet within your assigned compartment.

Explanation: See the solution below.

SOLUTION:
1. From the navigation menu, select Networking and then click Virtual Cloud Network.
2. From the left navigation pane, under List Scope, select your working compartment from the drop-down menu.
3. Click Start VCN Wizard.
4. Select Create VCN with Internet Connectivity and click Start VCN Wizard.
5. On the Configuration page, enter the following:
   - Name: PBT_SECRET_VCN01
   - Compartment: your compartment name
   Note: Leave all the other options in their default setting.
6. Click Next.
7. Verify the details on the Review and Create page.
8. Click Create to start creating the VCN and its resources.
9. Click View Virtual Cloud Network to verify the creation of the VCN and its resources.

You can now see that the VCN has been successfully created and is in the Available state, with the following components: VCN, Public subnet, Private subnet, Internet gateway, NAT gateway, Service gateway.

Question 64 🔥

Challenge 1 - Task 4 of 5
Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario:
You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:
To complete this requirement, you are provided with:
- An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
- An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
- A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
- Access to Cloud Shell.
- Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following tasks in the OCI environment provisioned:
- Create a Linux Instance with the name [Provide Name Here] within the compartment.
- Under placement, select the availability domain AD2.
- Select Shape as VM.Standard2.1.
- Provide your own public key to SSH the instance.

Explanation: See the solution below.

SOLUTION:
1. From the navigation menu, select Compute and then click Instances.
2. From the left navigation pane, under List Scope, select your working compartment from the drop-down menu.
3. Click Create Instance.
4. In the Create Instance dialog box, provide the following details:
   - Name: my_pbt_linux
   - Create in compartment: Select your work compartment name.
   - Placement: Select AD2.
   - Image: Oracle Linux 8
   - Shape: Click Change shape; then select Ampere shape series and select VM.Standard2.1.
   - Networking: Pick your PBT_SECRET_VCN01 and Public Subnet.
   - Public IP address: Assign a Public IPv4 address.
   - Generate SSH Keys: Click Generate a key pair for me. Click Save private key (this will save the private key to your local workstation).
5. Click Create.

Note: After a couple of minutes, you can see that the instance has been successfully created and the status is Running. After the instances are provisioned, details about them appear in the instance list. Copy and save the Public IP addresses, which will be required to connect to the instance using SSH.

Question 65 🔥

Challenge 1 - Task 5 of 5
Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario:
You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:
To complete this requirement, you are provided with:
- An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
- An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
- A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
- Access to Cloud Shell.
- Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Explanation: See the solution below.

SOLUTION:
1. Select the Developer Tools icon at the right of the OCI console header and click Cloud Shell to launch your Cloud Shell.
2. While Cloud Shell is launching, take a moment to locate the public and private keys that you downloaded to your workstation in the previous section.
   Example Public Key name: ssh-key-<date>.key.pub
   Example Private Key name: ssh-key-<date>.key
3. Once the Cloud Shell window is open, upload the private key to the Cloud Shell: click the Settings icon in the top-right corner of the Cloud Shell window and click Upload.
4. Navigate to and select the private key. Either drag the private key to the Drop a file window or click Select from your computer, select the private key, and click Upload.
5. Change the private key permissions by issuing the following command:

    chmod 400 <private key name>.key

6. Retrieve the Public IP address of the instance that you created in the previous section and paste it to connect to the instance using the opc user in the Cloud Shell.

    ssh -i <private key name> opc@<public IP address of instance>

7. After connecting to the compute instance, run the following commands to install/verify Python and OCI CLI packages on the Linux Instance.

    sudo dnf -y install oraclelinux-developer-release-el8
    sudo dnf install python36-oci-cli

8. After installing Python and the required dependencies, download the Python script to retrieve the secret.

    wget https://objectstorage.us-ashburn-1.oraclecloud.com/n/ocuocictrng5/b/PBT_Storage/o/getsecret.py

9. Open the Python file with the nano editor.

    nano getsecret.py

10. In the Python script, replace the secret ID OCID with your secret ID.

    Replace secret id value below with the ocid of your secret
    secret id = <secret id>

    For example: secret id = "ocid1.vaultsecret.oc1.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

    Note: If you have not already copied the secret ID, go to Vault and select the Secret link from the resources. Then, in List Scope, choose <your working compartment>, click your secret key, and copy the OCID.

11. To save the script, press:
    Ctrl+o > Enter [To write/save]
    Ctrl+x > Yes > Enter [To exit]
12. Make the getsecret.py script executable.

    chmod +x getsecret.py

13. Run the following command to retrieve the secret:

    python getsecret.py

The secret content created in the vault has been retrieved by the application running on the instance. Instance Principal and the Vault enable you to abstract the difficulty of developing your own security strategy for storing and encrypting passwords and other sensitive information.
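
The page does not show the contents of getsecret.py. The following is an added example, not the script from the lab, of how a program on the instance can read a Vault secret through an instance principal with the OCI Python SDK. The function names and the SECRET_OCID placeholder are assumptions made for illustration.

```python
# Added example: retrieve a Vault secret with an instance principal.
import base64
import binascii

# Placeholder (assumption): paste the OCID copied from the secret's page.
SECRET_OCID = "ocid1.vaultsecret.oc1.iad.<unique_id>"


def decode_bundle_content(content_type, content):
    """Decode the payload of a secret bundle into text.

    The Secrets service returns the content base64-encoded with
    content_type "BASE64"; anything else is rejected rather than guessed.
    """
    if content_type != "BASE64":
        raise ValueError(f"unsupported secret content type: {content_type!r}")
    try:
        raw = base64.b64decode(content, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret content is not valid base64") from exc
    return raw.decode("utf-8")


def fetch_secret(secret_ocid):
    """Fetch the current version of a secret using the instance's identity."""
    import oci  # imported here so the decoder above works without the SDK

    # The signer obtains short-lived credentials from the instance metadata
    # service; no API key or config file is stored on the instance.
    signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
    client = oci.secrets.SecretsClient(config={}, signer=signer)
    try:
        bundle = client.get_secret_bundle(secret_ocid).data
    except oci.exceptions.ServiceError as exc:
        # OCI answers 404 NotAuthorizedOrNotFound when the dynamic group or
        # policy does not cover this instance, not only for a missing secret.
        raise RuntimeError(f"Vault call failed: {exc.status} {exc.code}") from exc
    body = bundle.secret_bundle_content
    return decode_bundle_content(body.content_type, body.content)


if __name__ == "__main__":
    password = fetch_secret(SECRET_OCID)
    # Use the value; do not print or log it. Length only, as a smoke test.
    print(f"retrieved secret ({len(password)} characters)")
```

It only succeeds on an instance that is a member of the dynamic group named in the policy from Task 2, which is what ties the credential-free call to the IAM configuration.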

Question 66 🔥

When creating an OCI Vault, which factors may lead you to select the Virtual Private Vault? Select TWO correct answers.

© 2024 Exam Prepare, Inc. All Rights Reserved.