
Add the OCI Integration

After configuring a user for Lacework in OCI, you can use that user's credentials to integrate an OCI Tenant with Lacework, as described here.

These instructions describe how to integrate Lacework and OCI using either of two alternative methods: the Lacework Console or the Lacework API.

tip

To avoid errors, we recommend first trying the Lacework-provided Terraform. See Integrate OCI Using Terraform for more information.

Requirements

Before starting, make sure you have created a user in OCI for Lacework.

Access the OCI console and download the private key for the Lacework OCI user. To learn more about creating and managing keys in OCI, see Required Keys and OCIDs in the Oracle documentation.

Integrate an OCI Tenant with the Lacework Console

After creating and configuring a user for Lacework, integrate OCI tenants with Lacework in the Lacework Console as follows:

  1. Log in to the Lacework Console as a user with cloud accounts write permissions.
  2. Go to Settings > Integrations > Cloud accounts.
  3. Click + Add New.
  4. Click Oracle Cloud Infrastructure.
  5. Click Next.
  6. Enter a name for the integration.
  7. For the OCI Credentials, upload a PEM file containing the OCI private key associated with the Lacework user you created in OCI in Set up a Lacework User in OCI. Be sure the file includes the "-----BEGIN PRIVATE KEY-----" header line and the "-----END PRIVATE KEY-----" footer line.
  8. Enter the fingerprint of the public key associated with the Lacework user.
  9. Choose the home region of the OCI account being integrated, and then enter the tenant ID and tenant name of that account.
  10. For the OCID, enter the Oracle-assigned unique ID for the Lacework user you created and click Save.

The new integration now appears in the Cloud accounts page.

Integrate an OCI Tenant with the Lacework API

After creating and configuring a user for Lacework, integrate OCI tenants with Lacework as follows:

  1. Follow the steps in API Access Keys and Tokens to create an API key in the Lacework Console.

  2. Download the API key and use the key ID and secret to generate an API access token. For more information, see Generate Access Tokens in the Lacework API documentation.

    Use the generated API access token for all subsequent API requests, including creating, updating, and deleting OCI_CFG cloud accounts. For more information, see the Cloud Accounts API documentation.

  3. Now add an account by sending the configuration data as the body payload to the following endpoint: POST https://{your.lacework.url}.lacework.net/api/v2/CloudAccounts. The body data has the following format:

    {
      "name": "{INTEGRATION_NAME}",
      "type": "OciCfg",
      "enabled": 1,
      "data": {
        "homeRegion": "{us-sanjose-1}",
        "tenantId": "{ocid1.tenancy.oc1..your_id}",
        "tenantName": "{TENANT_NAME}",
        "userOcid": "{ocid1.user.oc1..your_id}",
        "credentials": {
          "fingerprint": "{FINGERPRINT}",
          "privateKey": "{YOURKEY}"
        }
      }
    }

    Because formatting configuration values as JSON is error prone, especially for the multi-line private key, Lacework provides a helper script that formats the JSON body data for you. You only need to provide a few settings and run the script. To do so, follow these steps:

    1. Download the following script from the Lacework scripts repository: lacework_integration_payload.

    2. Edit the script, replacing the following placeholder values with values appropriate for your environment:

      LACEWORK_OCI_USERNAME="<user_ocid>"
      OCI_TENANCY_OCID="<tenancy_ocid>"
      OCI_HOME_REGION="<home_region>"
      OCI_TENANT_NAME="<tenant_name>"
      LACEWORK_PRIVATE_KEY_PATH="<private_key_path>"
      LACEWORK_PRIVATE_KEY_FINGERPRINT="<fingerprint>"

      Notice that you only need to provide the path to your private key file, not the value of the key itself.

    3. Make sure the script is executable and run the script:

      chmod u+x lacework_integration_payload.sh
      ./lacework_integration_payload.sh

      The script produces a file named lacework_payload.json in the current directory, which you can use as the body payload for the OCI integration API call.

    4. Now call the API using the Lacework CLI, passing the generated file as the request body. For example, the command would be:

      lacework api post /api/v2/CloudAccounts -d "$(cat lacework_payload.json)"

      If the request succeeds, you should get a response that shows the values you configured.

      note

      If you choose not to use the script, Lacework recommends using a clipboard tool like pbcopy, xclip, or similar when pasting your private key value into a request (for example, cat ~/.oci/oci_api_key_lacework.pem | pbcopy). The privateKey value spans multiple lines, so be sure to escape each newline as \n, for example, abc\nabc\nabc…. Also, tenantName must match the tenant name of your Oracle Cloud Infrastructure tenancy.

    5. Check that the integration validated successfully by running the following command and looking for the new cloud integration in the output:

      lacework cloud-accounts list
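As an added example (not Lacework's helper script or API client), the following Python builds the same OciCfg CloudAccounts body from the settings listed above, rejects a key that lacks the BEGIN/END PRIVATE KEY framing, and lets json.dumps perform the newline escaping the note describes. The function names are hypothetical, the OCIDs and PEM text are constructed placeholders, and the fingerprint check assumes the colon-separated 16-byte format OCI displays for API keys.

```python
import json
import re

PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"
# Assumption: OCI displays API key fingerprints as 16 colon-separated hex byte pairs.
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")

# Constructed sample input: a dummy PEM body, not a usable key.
SAMPLE_PEM = (PEM_HEADER + "\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDd\n"
              "dW1teS1rZXktbm90LXJlYWw=\n" + PEM_FOOTER + "\n")


def normalize_private_key(pem: str) -> str:
    """Require the BEGIN/END PRIVATE KEY framing the Console and API expect."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("private key must be PEM text framed by BEGIN/END PRIVATE KEY lines")
    # Rejoin with plain \n so the escaped JSON value carries no stray \r or indentation.
    return "\n".join(lines) + "\n"


def build_oci_payload(name, home_region, tenant_id, tenant_name, user_ocid,
                      fingerprint, private_key_pem):
    """Return the OCI_CFG CloudAccounts request body as a JSON string."""
    if not tenant_id.startswith("ocid1.tenancy.") or not user_ocid.startswith("ocid1.user."):
        raise ValueError("tenantId must be a tenancy OCID and userOcid a user OCID")
    if not FINGERPRINT_RE.match(fingerprint.lower()):
        raise ValueError("fingerprint must look like aa:bb:...:ff (16 hex pairs)")
    body = {
        "name": name,
        "type": "OciCfg",
        "enabled": 1,
        "data": {
            "homeRegion": home_region,
            "tenantId": tenant_id,
            "tenantName": tenant_name,
            "userOcid": user_ocid,
            "credentials": {
                "fingerprint": fingerprint.lower(),
                "privateKey": normalize_private_key(private_key_pem),
            },
        },
    }
    # json.dumps escapes every newline in the key as \n, the manual step the note describes.
    return json.dumps(body, indent=2)


def private_key_from_payload(payload: str) -> str:
    """Decode the body again; the key must round-trip unchanged."""
    return json.loads(payload)["data"]["credentials"]["privateKey"]
```

Write the returned string to a file and pass it to lacework api post exactly as the generated lacework_payload.json is passed above.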

OCI integration is now configured. After Lacework's next resource collection cycle, you can query OCI data with LQL via the Lacework CLI.

Remove an OCI Integration

To remove the integration, use the following command, replacing <integration_guid> with the GUID for the OCI account integration:

lacework cloud-accounts delete <integration_guid>

Next Steps

Now provision access to OCI resources in Lacework. Also, see OCI Frameworks for details on how to check whether your resources are compliant with CIS and other regulatory benchmarks.