Stop Hard-Coding Passwords
Every Oracle application needs credentials: database passwords, API keys, OAuth secrets, encryption keys. Storing these in configuration files, PL/SQL packages, or application properties is a security risk that grows as your team and deployment footprint expand. OCI Vault provides centralized, encrypted secrets management with access control, rotation, and audit logging.
OCI Vault Concepts
A Vault is a container for keys and secrets, protected by hardware security modules (HSMs). A Master Encryption Key protects the secrets stored in the vault. A Secret is a credential (password, API key, certificate) stored in encrypted form. Secrets support versioning, so you can rotate credentials without downtime by creating a new version while the old version remains available during the transition period.
Storing a Secret
In the OCI Console, navigate to Identity & Security, then Vault. Create a vault and a master encryption key. Then create a secret:
Secret Name: db-api-password. Secret Type: Plain Text. Content: your actual password. The secret is encrypted with the master key and stored securely.
Retrieving Secrets in PL/SQL
From Autonomous Database, use DBMS_CLOUD to retrieve secrets at runtime:
DECLARE
  l_secret_value VARCHAR2(4000);
BEGIN
  -- OCI_CRED is a DBMS_CLOUD credential that is allowed to read the secret bundle
  l_secret_value := DBMS_CLOUD.GET_SECRET(
    credential_name => 'OCI_CRED',
    secret_id       => 'ocid1.vaultsecret.oc1..xxxxx'
  );
  -- Use l_secret_value for API authentication
  -- Never log or display the secret value
END;
Retrieving Secrets in Application Code
# Python example using OCI SDK
import oci
import base64

# Load the SDK configuration and signing key (by default from ~/.oci/config)
config = oci.config.from_file()
secrets_client = oci.secrets.SecretsClient(config)

# With no version number or stage given, the CURRENT version of the secret is returned
secret_bundle = secrets_client.get_secret_bundle(secret_id="ocid1.vaultsecret...")

# The content comes back base64-encoded; decode it and keep it out of logs
secret_content = base64.b64decode(
    secret_bundle.data.secret_bundle_content.content
).decode('utf-8')
Secret Rotation
Create new secret versions on a schedule. Update applications to use the latest version. After a grace period confirming all applications have switched, expire the old version. OCI Vault supports automatic rotation rules that trigger OCI Functions to generate new credentials and update the secret, enabling fully automated rotation for database passwords and API keys.
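The retrieval snippet above and the rotation procedure described here are easier to reason about when the two sides are run together. The following is an added example, not code from the article or from the OCI SDK: it models a secret with OCI-style version stages (CURRENT, PREVIOUS, DEPRECATED, LATEST) in a constructed in-memory vault, pairs it with a client-side cache that refreshes on TTL expiry or when the cached credential is rejected, and walks one rotation through the create-version, grace-period and retire steps. The FakeVault, the CachedSecret helper, the target system and the passwords are all constructed for the example; in production the fetch function would be the get_secret_bundle call shown earlier, and the stage rules are simplified to what the rotation discussion needs.

```python
import base64
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class SecretVersion:
    number: int
    content_b64: str           # the service hands content back base64-encoded
    stages: List[str]


class FakeVault:
    """Constructed stand-in for the Vault service: one secret with many versions."""

    def __init__(self, initial_plaintext: str):
        self.versions: List[SecretVersion] = []
        self.create_version(initial_plaintext)

    def current_number(self) -> int:
        return next(v.number for v in self.versions if "CURRENT" in v.stages)

    def create_version(self, plaintext: str) -> int:
        # The new version becomes CURRENT; the old CURRENT is demoted to PREVIOUS
        # and stays readable so lagging consumers keep working during the grace period.
        for v in self.versions:
            if "CURRENT" in v.stages:
                v.stages = ["PREVIOUS"]
            elif "PREVIOUS" in v.stages:
                v.stages = ["DEPRECATED"]
        number = len(self.versions) + 1
        b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
        self.versions.append(SecretVersion(number, b64, ["CURRENT", "LATEST"]))
        return number

    def retire_version(self, number: int) -> None:
        """Operator step after the grace period; never applied to the CURRENT version."""
        v = self.versions[number - 1]
        if "CURRENT" in v.stages:
            raise ValueError("refusing to retire the CURRENT version")
        v.stages = ["DEPRECATED"]

    def get_bundle(self, number: Optional[int] = None) -> str:
        """Base64 content of a version (CURRENT when no number is given);
        a DEPRECATED version is treated as unreadable."""
        for v in self.versions:
            if (number is None and "CURRENT" in v.stages) or v.number == number:
                if "DEPRECATED" in v.stages:
                    raise PermissionError(f"secret version {v.number} is deprecated")
                return v.content_b64
        raise KeyError("no such secret version")


class CachedSecret:
    """Client-side cache with a TTL plus a forced refresh when the consumer reports
    that the cached credential was rejected; this lets an application follow a
    rotation without a restart."""

    def __init__(self, fetch_b64: Callable[[], str], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._clock = fetch_b64, ttl_seconds, clock
        self._value: Optional[str] = None
        self._fetched_at = float("-inf")
        self.fetch_count = 0

    def get(self, force: bool = False) -> str:
        stale = self._clock() - self._fetched_at > self._ttl
        if force or self._value is None or stale:
            self._value = base64.b64decode(self._fetch()).decode("utf-8")
            self._fetched_at = self._clock()
            self.fetch_count += 1
        return self._value            # never log this value

    def authenticate(self, accept: Callable[[str], bool]) -> bool:
        """Try the cached credential; on rejection refresh once and retry."""
        return accept(self.get()) or accept(self.get(force=True))


def rotation_walkthrough() -> Dict[str, object]:
    """Runs one rotation end to end and reports what each step observed."""
    vault = FakeVault("old-pass")
    target = {"password": "old-pass"}          # constructed stand-in for the database
    accept = lambda candidate: candidate == target["password"]
    clock = {"now": 0.0}
    app = CachedSecret(vault.get_bundle, ttl_seconds=300.0, clock=lambda: clock["now"])

    before = app.authenticate(accept)          # cached old-pass works
    old_number = vault.current_number()
    target["password"] = "new-pass"            # 1. apply the new credential on the target
    new_number = vault.create_version("new-pass")  # 2. publish it as the CURRENT version
    during = app.authenticate(accept)          # stale cache is rejected, refresh fixes it
    old_readable_during_grace = vault.get_bundle(old_number) is not None
    vault.retire_version(old_number)           # 3. grace period over, retire the old version
    try:
        vault.get_bundle(old_number)
        old_readable_after = True
    except PermissionError:
        old_readable_after = False
    clock["now"] += 600.0                      # TTL elapsed: the next get() re-fetches
    return {"before": before, "during": during, "new_number": new_number,
            "old_readable_during_grace": old_readable_during_grace,
            "old_readable_after_retire": old_readable_after,
            "value_after_ttl": app.get(), "fetches": app.fetch_count,
            "current_stages": vault.versions[new_number - 1].stages}


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The point of the walkthrough is the order of operations: the target accepts the new credential before the new version is published, consumers recover by re-reading CURRENT rather than by restarting, and the old version is only retired once every consumer has demonstrably switched. A cache without the refresh-on-rejection path would keep failing until its TTL expired, which is exactly the downtime the grace period is meant to avoid.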
Access Control
Use OCI IAM policies to control who can read secrets. Separate read access (for applications) from management access (for administrators). Apply the principle of least privilege: each application should only have access to the secrets it needs. All secret access is logged in OCI Audit, providing a complete trail of which principals accessed which secrets and when.
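As an added illustration that is not from the original article, the separation described above expressed as two IAM policy statements; the group name SecretAdmins, the dynamic group ProdAppHosts and the compartment Prod are assumptions. The first grants administrators the full lifecycle of secrets through the secret-family aggregate resource type, while the second lets only the application hosts read secret contents (secret-bundles) and nothing else.

```text
Allow group SecretAdmins to manage secret-family in compartment Prod
Allow dynamic-group ProdAppHosts to read secret-bundles in compartment Prod
```

Applications then authenticate as the instance itself rather than with an API key stored on disk, which keeps the bootstrap credential out of configuration files as well.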