Data Connections

Connecting an Oracle Cloud Infrastructure (OCI) account

Overview

To onboard your OCI environment to DigiUsher, an IAM user with read-only access to cost, usage, resource, and metrics data is required. This document describes exactly what permissions are requested, why each is needed, and what credentials to provide.

OCI is FOCUS ready — DigiUsher fetches Cost and Usage Reports from the FOCUS Cost Report Schema.

Summary of Access Required

ComponentDetails
IdentityOCI IAM User (digiusher-service-user) — API-only, no Console password
AuthenticationAPI key pair (PEM private key + fingerprint)
Access levelRead-only — all policies use the read verb only
ScopeTenancy-wide
BillingRead-only access to cost and usage reports
Data accessCost and Usage Reports via Oracle's cross-tenancy bucket (FOCUS format only)
CapabilityWhat It Provides
Billing dataCost analytics, chargeback/showback, budgeting, forecasting, anomaly detection
Resource inventoryAsset discovery, idle resource detection, tag-based cost allocation
Optimization recommendationsRightsizing, commitment analysis, idle resource cleanup
Utilization metricsCPU, memory, network, disk usage for rightsizing analysis

DigiUsher cannot create, modify, or delete any of your OCI resources.

Use OCI Resource Manager for the fastest setup

DigiUsher strongly recommends the OCI Resource Manager automation for the most efficient and reliable setup. It automates the entire process in ~2 minutes, and the deployment's Terraform state — including the generated API key — stays in Oracle's managed backend, never on your machine.

You can deploy with one click from the OCI Console, or run the same deployment from your terminal with the onboard.sh script.

Repository: https://github.com/digiusher/digiusher-iac/

If your organization's policies require manual resource provisioning, follow the steps below.


Prerequisites

Information to Gather

ItemHow to Find
Tenancy OCIDOCI Console > Administration > Tenancy Details
Home Regione.g. us-ashburn-1 — shown in Tenancy Details

Roles Required by the Person Performing Setup

RoleWhy
Tenancy AdministratorTo create IAM users, groups, and policies

Network & Email Access (For Regulated Environments)

If your organization restricts outbound internet access or email domains, ensure the following are in place before starting:

  • Domain allowlist: Add *.digiusher.com to your network/firewall allowlist so that users in your organization can access the DigiUsher platform from their browsers.
  • Email allowlist: Add digiusher.com as an approved sender domain in your email security gateway. DigiUsher sends onboarding confirmations, alerts, and reports from @digiusher.com addresses.

One-Click Deploy (Console)

Deploy to Oracle Cloud
  1. Click the button above (you'll be redirected to the OCI Console)
  2. Log in to your OCI tenancy
  3. Review the pre-filled configuration and adjust if needed
  4. Click Create to deploy the stack
  5. Wait for the stack to complete (~2 minutes)
  6. Continue to After Deploy

Scripted Deploy (onboard.sh)

Prefer the command line? With the OCI CLI configured (plus jq and zip installed), onboard.sh runs the same Resource Manager deployment from your terminal — no Terraform install required, and state stays managed by Oracle.

git clone https://github.com/digiusher/digiusher-iac.git
cd digiusher-iac/oci
./onboard.sh

The script prompts for your tenancy OCID, region, and service-user email (auto-filling the first two from ~/.oci/config), runs the deployment, prints the credential values, and writes the private key to digiusher-oci-private-key.pem. To tear down later, run ./onboard.sh --destroy.

After Deploy

The API signing key is generated automatically by the deployment — there is no manual Console step. Retrieve your credentials:

  • One-click (Console): open the stack's Outputs tab and copy the values from digiusher_onboarding (tenancy OCID, user OCID, region, fingerprint) and digiusher_private_key (click to reveal the masked private key).
  • Scripted (onboard.sh): use the credential values the script prints, plus the digiusher-oci-private-key.pem file it writes.

Then continue to Connect in DigiUsher to finish the connection.

See the digiusher-iac README for full documentation including parameters, feature flags, and troubleshooting.


Option B: Manual Setup

Follow these steps if you prefer to set up via the OCI Console.

Step 1: Create IAM Group

  1. Go to OCI Console > Identity > Domains
  2. Select Default domain
  3. Go to User Management > Groups
  4. Click Create Group
  5. Configure:
    • Name: digiusher-finops-group
    • Description: DigiUsher FinOps platform - read-only access for cost analytics and optimization OCI Create Group form
  6. Click Create

Step 2: Create IAM User

  1. Go to OCI Console > Identity > Domains
  2. Select Default domain
  3. Go to User Management > Users. Click on Create.
  4. Configure:
    • Name: digiusher-service-user
    • Description: Service user for DigiUsher FinOps platform
    • Email (required by OCI): Use something like digiusher-svc-oci@YOUR_COMPANY_NAME.com
  5. Add the user to the digiusher-finops-group you created in the previous step. OCI Create User form with group assignment
  6. Click Create

Step 3: Create IAM Policies

Create the following two policies under Identity > Policies > Create Policy.

For each policy, set Compartment to your root compartment (tenancy level).

OCI requires define/endorse statements to be in a separate policy from Allow statements. Create the following two policies at the tenancy (root compartment) level.

Policy 1: Cost Report Cross-Tenancy Access

Grants read access to Oracle's cost reporting tenancy for FOCUS cost reports. The OCID below is Oracle's cost reporting tenancy — it is the same for all OCI customers.

define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group digiusher-finops-group to read objects in tenancy usage-report

Policy 2: DigiUsher Access Policy

Grants read access to usage reports, budget data, resource metadata, and monitoring metrics.

Allow group digiusher-finops-group to read usage-report in tenancy
Allow group digiusher-finops-group to read usage-budgets in tenancy
Allow group digiusher-finops-group to read all-resources in tenancy
Allow group digiusher-finops-group to read metrics in tenancy

All policies are strictly read-only. Nothing can be modified, deleted, or created in your environment.

Note

If you leave out the last two statements (all-resources and metrics), DigiUsher will not be able to provide optimization recommendations, rightsizing suggestions, or utilization-based insights.

Below is a screenshot showing the policy creation in the OCI Console. Click Create Policy, fill in the name, description, set compartment to root, switch to the manual editor, and enter the policy statements:

OCI Create Policy with manual editor and statements

Step 4: Generate API Key

This step applies to Manual setup (Option B) only. If you used OCI Resource Manager (Option A), the API key was generated automatically — skip ahead to Connect in DigiUsher.

  1. Go to OCI Console > Identity > Users
  2. Click on digiusher-service-user (or the name you configured) OCI Users list
  3. Under Resources, click API Keys OCI API Keys tab
  4. Click Add API Key
  5. Select Generate API Key Pair
  6. Click Download Private Key and save the .pem file securely OCI Add API Key dialog
  7. Click Add
  8. A Configuration File Preview will be displayed with user OCID, fingerprint, tenancy OCID, and region. Save these details by clicking the copy button. OCI Configuration File Preview

Important

The private key is only shown once. Store it securely.


Connect in DigiUsher

After completing either Option A or B, enter the following into the DigiUsher platform to complete the connection:

FieldOCI Resource Manager (Option A)Manual Setup (Option B)
Tenancy OCIDdigiusher_onboarding.tenancy_ocid outputAdministration > Tenancy Details
User OCIDdigiusher_onboarding.user_ocid outputIdentity & Security > Users > digiusher-service-user
Regiondigiusher_onboarding.region outpute.g. us-ashburn-1, shown in Tenancy Details
Fingerprintdigiusher_onboarding.key_fingerprint outputDisplayed in the Configuration File Preview after adding the API key
Private Key (PEM)digiusher_private_key output, or the onboard.sh fileContents of the downloaded .pem file
Compartment OCID (optional)Leave blank to ingest the whole tenancyLeave blank, or set to scope ingestion to a single compartment

Verification Checklist

  • IAM group digiusher-finops-group created
  • IAM user digiusher-service-user created and added to the group
  • Policy 1: cost report cross-tenancy endorse created
  • Policy 2: DigiUsher access policy created
  • API key present on the user (auto-generated by Resource Manager, or manually added for Option B)
  • All required credential values entered into the DigiUsher platform
  • *.digiusher.com allowlisted in network/firewall (if applicable)
  • digiusher.com allowlisted for incoming email (if applicable)

Security

What DigiUsher CAN Access (Read-Only)

  • Cost and usage reports (FOCUS format) via Oracle's cross-tenancy bucket
  • Budget data
  • Resource metadata (names, types, regions, tags) via Resource Search API
  • Utilization metrics (CPU, memory, network, disk) via OCI Monitoring
  • Organization and compartment hierarchy

What DigiUsher CANNOT Do

  • Create, modify, or delete any OCI resources
  • Access application data, databases, or storage contents
  • Modify IAM policies or permissions
  • Read secrets, credentials, or encryption keys
  • Access network traffic or logs content
  • Make purchases or modify billing settings

Monitoring

Monitor service account activity in OCI Console > Identity & Security > Audit, filtering by user digiusher-service-user.

Credential Rotation

  • OCI Resource Manager: Run ./onboard.sh --destroy followed by ./onboard.sh (or destroy and recreate the stack in the Console). This issues a fresh key pair — supply the new private key and fingerprint to DigiUsher.
  • Manual: Go to Identity & Security > Users > digiusher-service-user > API Keys > Add API Key (generate new), then delete the old key. Enter the new key details into the DigiUsher platform.

Revocation

  • OCI Resource Manager (script): ./onboard.sh --destroy — removes the user, group, all policies, and invalidates the API key together.
  • OCI Resource Manager (Console): Go to Developer Services > Resource Manager > Stacks > select the DigiUsher stack > Destroy.
  • Manual: Delete the digiusher-service-user user in Identity & Security > Users. This instantly invalidates the API key and associated group membership. Then remove the digiusher-* policies.

Troubleshooting

"Authorization failed" when creating policies

You need tenancy administrator access. Ensure you are logged in as an administrator or have manage permissions on users, groups, and policies.

"Policy statement is invalid"

The cross-tenancy endorse and define statements must be in a separate policy from Allow statements. Verify that Policy 1 statements are not mixed with those in Policy 2.

DigiUsher reports "Unable to access cost reports"

  1. Verify the endorse policy exists under Identity & Security > Policies
  2. Ensure the API key fingerprint matches what's configured in DigiUsher
  3. Confirm the private key PEM content was copied completely (including -----BEGIN and -----END lines)
  4. Cost reports may take up to 24 hours to appear for new tenancies

Memory metrics not available

Memory metrics require the Oracle Cloud Agent with the Compute Instance Monitoring plugin enabled on your instances. This is enabled by default on most platform images but may need manual activation on custom images.


Need Help?

If you encounter any issues not covered above, contact DigiUsher support at support@digiusher.com and the team will help you get set up.