Remediation

Remove API Keys From Tenancy Administrator Users

Delete active API keys from users in the tenancy Administrators group. If programmatic access is required, move the workload to a dedicated least-privileged identity, such as a scoped IAM user, instance principal, resource principal, or dynamic group.

From Oracle Cloud Console

  1. Open Identity & Security.
  2. Open Domains, select the relevant identity domain if applicable, and open Users.
  3. Select the reported administrator user.
  4. Open API Keys.
  5. Delete each active API key that is no longer required.
  6. Confirm that required automation has been moved to a least-privileged identity.

From OCI CLI

List the user's API keys:

oci iam api-key list --user-id {{user-ocid}} --all

Delete each active key by fingerprint after confirming that it is no longer required:

oci iam api-key delete \
  --user-id {{user-ocid}} \
  --fingerprint {{fingerprint}}

Run the list command again and confirm that no API keys remain in the ACTIVE lifecycle state for the tenancy administrator user.
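As an added example that is not part of the original page, the following Python script turns the list, delete and re-check steps above into a reviewable batch: it parses the JSON that `oci iam api-key list --all` prints, keeps only keys in the ACTIVE lifecycle state, builds the matching `oci iam api-key delete` commands, and reports whether a re-run listing is clean. The user OCID and fingerprints are constructed placeholders, and the `--force` flag is assumed to skip the CLI's confirmation prompt.

```python
"""Select ACTIVE API keys on a tenancy-administrator user and build their delete commands.

Added example, not the page's own tooling. Field names follow the OCI CLI's
kebab-case JSON output (`fingerprint`, `lifecycle-state`); the listing below
is constructed to look like real `oci iam api-key list --all` output.
"""
import json
import subprocess
from typing import Iterable

ADMIN_USER_OCID = "ocid1.user.oc1..placeholder"  # constructed placeholder OCID

# Constructed sample shaped like `oci iam api-key list --user-id ... --all` output.
SAMPLE_LISTING = json.dumps({"data": [
    {"fingerprint": "12:34:56:78:9a:bc:de:f0:12:34:56:78:9a:bc:de:f0",
     "lifecycle-state": "ACTIVE", "user-id": ADMIN_USER_OCID},
    {"fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
     "lifecycle-state": "DELETED", "user-id": ADMIN_USER_OCID},
    {"fingerprint": "fe:dc:ba:98:76:54:32:10:fe:dc:ba:98:76:54:32:10",
     "lifecycle-state": "ACTIVE", "user-id": ADMIN_USER_OCID},
]})


def active_fingerprints(listing_json: str) -> list[str]:
    """Return the fingerprints of keys that are still in the ACTIVE lifecycle state."""
    keys = json.loads(listing_json).get("data") or []
    return [k["fingerprint"] for k in keys if k.get("lifecycle-state") == "ACTIVE"]


def delete_commands(user_ocid: str, fingerprints: Iterable[str]) -> list[list[str]]:
    """Build one `oci iam api-key delete` invocation per fingerprint, ready for review."""
    return [["oci", "iam", "api-key", "delete", "--user-id", user_ocid,
             "--fingerprint", fp, "--force"] for fp in fingerprints]


def remediation_complete(listing_json: str) -> bool:
    """True when a re-run listing shows no ACTIVE keys, i.e. the finding is closed."""
    return not active_fingerprints(listing_json)


def fetch_listing(user_ocid: str) -> str:
    """Live path: run the CLI (requires a configured OCI CLI) and return its JSON output."""
    cmd = ["oci", "iam", "api-key", "list", "--user-id", user_ocid, "--all"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline dry run on the constructed listing: print the commands an operator would review.
    for cmd in delete_commands(ADMIN_USER_OCID, active_fingerprints(SAMPLE_LISTING)):
        print(" ".join(cmd))
    print("clean after deletion:", remediation_complete('{"data": []}'))
```

Swap `SAMPLE_LISTING` for `fetch_listing(ADMIN_USER_OCID)` to run against a real tenancy, and keep the deletes as a printed batch until each key has been confirmed unused.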