Connect to Oracle (Beta)
Oracle Integration Overview
Note: This topic covers a new capability that is currently in beta and will replace the existing topic in the future. If this functionality is not yet available in your account, contact Finout support at [email protected] to enable it.
Integrating Finout with Oracle Cloud Infrastructure (OCI) allows you to ingest, analyze, and optimize your Oracle cloud costs within Finout. Once connected, you can track OCI usage, monitor spending trends, allocate costs across teams and cost centers, and gain full visibility into your Oracle environment alongside your other cloud providers.
Finout supports two integration methods:
Console-Based Integration – Manual setup through the OCI Console.
CLI-Based Integration – Automated setup using the Oracle CLI, recommended for faster onboarding and repeatable configuration.
This guide walks you through both methods so you can choose the approach that best fits your organization’s security model and operational preferences.
Console-Based Integration
1. Create a New Group for Finout
Access permissions in Oracle are assigned to groups. Create a separate group for Finout to ensure access only to the necessary billing resources.
Go to the OCI navigation menu → Identity & Security → Domains → <Finout domain> → Groups (in the right-hand menu).
Note: If you choose to use a domain other than “Default” to set up the integration user make sure that both the user and group are contained in the same domain.
Click Create Group.
Fill in the Group Name and add some Description.
Click Create.
2. Add a Policy to a Group
Assign a policy to the group for accessing cost reports. In OCI, group permissions are managed through policies. By assigning a policy to the Finout group, you ensure that all its members can access only what the group policies allow.
Go to the OCI navigation menu → Identity & Security → Policies.
Click Create policy.
Choose a name for the policy that clearly indicates its purpose for accessing cost reports.
In the policy builder box at the bottom of the screen, activate the Show manual editor button and enter the following statements:
Note: Save your tenancy for step 5.
Statement 1:
Important: The following statement is not an example. You need to run this statement exactly as it is shown below.
define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggqThis specifies the tenancy for usage reports, which is in a bucket owned by Oracle.Statement 2:
endorse group <group name> to read objects in tenancy usage-reportReplace<group name>with the name of the group created for Finout. If you want your own groups/users to access the cost reports as well, add another policy with the relevant<group name>.Examples:
If you chose the “Default” domain:
endorse group default to read objects in tenancy usage-reportIf you chose a custom domain named “finoutdomain”:
endorse group finoutdomain/default to read objects in tenancy usage-report
Click Create.
3. Create a User for Finout
Go to the OCI navigation menu → Identity & Security → Domains → Users.
Click Create User.
Fill in the name and email of the Finout user.
Assign the user to the new Finout group you created in step 1 by selecting the appropriate box under the Groups section.
Note: This setup ensures that a Finout user will have access only to the specified policies, specifically the cost reports bucket. It's important to avoid selecting the administrator option and instead choose only the group dedicated to Finout for proper access control.
Click Create.
Note: You can Edit the user capabilities and limit to only API keys.
4. Generate an API Key
Generate an API key to enable Finout users to access the reporting bucket via the Oracle API key.
For detailed instructions, refer to the official Oracle documentation here.
Create an API key pair in the OCI console to enable API signing for the Finout user:
Ensure an administrator user is logged into Oracle, as only administrators can perform these steps.
Navigate to Identity & Security → Domains → <Finout user domain> → Users, and click the Finout user to access their profile.
Navigate to the Resources section in the bottom left screen and select API keys.
Make sure that the Paste a public key pair is chosen.
Click Download Private Key and save the key in a local directory.
A configuration is displayed. Click on the copy button below the text box and paste it into a local file editor (save for step 5).
Note: The Oracle documentation offers alternative methods for generating the key. Ensure that you have the complete configuration details as outlined in the following step.
5. Generate a Public Key from Finout
In Finout, navigate to Settings > Cost Centers and click Add cost center. The Connect Accounts window appears.
In Oracle Cloud, click Connect Now. The Select connection method appears.
Select Console. You are brought to the Connect to OCI step.
Copy the Public key and return to Oracle.
6. Obtain the Configuration File Information
Click Add API Key.
Paste the Public key obtained from Finout in the previous step.
A configuration is displayed. Click on the copy button below the text box and paste it into a local file editor (save for the next step).
Note: The Oracle documentation offers alternative methods for generating the key. Ensure that you have the complete configuration details as outlined in the following step.
7. Integrate Oracle with Finout
Back in Finout, fill in the relevant fields from the "Configuration file preview" text box that you copied in the previous step.
Note: Finout generates the key pair for you. Finout securely stores the private key, and you receive the public key, which you can copy and paste into the OCI Console.
Click Complete Integration. The cost center is created.
CLI-Based Integration
Note: The CLI script is currently supported on macOS and Linux only. If you are using Windows, please follow the Oracle Console setup instead.
1. Select Connection Method
In Finout, navigate to Settings > Cost Centers and click Add cost center. The Connect Accounts window appears.
In Oracle Cloud, click Connect Now. The Select connection method appears.
Click CLI. You are brought to the Set Up CLI Parameters.
2. Install and Authenticate the CLI
Install OCI command line as instructed in the Oracle official docs. Skip this step if you already have the OCI command line installed.
Authenticate. You have two options:
Follow the authentication guide in the Oracle official docs.
Authenticate using the browser by running
oci session authenticateNote: Before running the authentication command, ensure that any existing OCI configuration files are removed, as they may have been left over from a prior integration run.
This will open a browser window in which you will need to authenticate.
Once authentication is complete, you will have a file named
rm -rf ~/.oci/configcontaining all the necessary configuration, including a temporary authentication token.
Run a small test to see if you are authenticated:
oci --auth security_token iam availability-domain list
Choose the domain
Print domains
Ensure that it looks like:
Pick one and use it below as OCI_DOMAIN_NAME.
A key is generated:
The public key will be used as the value in FINOUT_PUB_KEY.
The private key will be saved when saving the credentials to the cost center to authenticate in the data pipelines.
Provide the input details as instructed previously, then run the script provided below.
Once the execution is complete, please review the results and extract the necessary details from the output, as shown in the example format:
Fill the form.
3. Set Up CLI Parameters
In Finout, review and adjust the CLI parameters below, then run the generated script.
Update the editable fields at the top of the script:
FINOUT_USERNAME - ask the user for the name of the user we will create for him.
Can only contain: A-Z, a-z, 0-9, hypen(`-`), period(`.`), underscore(`_`), plus sign (+) and at sign (@)
FINOUT_EMAIL - ask the user for the email for the user we will create for him
Make sure it’s a valid email
FINOUT_FIRST_NAME and FINOUT_LAST_NAME - same
GROUP - IAM group name they wish to create the use at:
Choose a group name, but it must consist of letters, numbers, dots, dashes, and underscores.
OCI_POLICY_NAME - Policy name they wish to create (this is the one that allows the group to read the OCI usage reports)
FINOUT_PUB_KEY-
Generate a pair of public/private keys, similar to those commands:
z - this creates a private key file
openssl rsa -pubout -in finout_user_private.pem -out finout_user_public.pem - this extracts the public key from the private key file.
Note: Group names may contain only letters, numbers, dots (.), dashes (-), and underscores (_).
Copy the generated script. Run this script in your terminal to set up the OCI integration.
Click Next.
4. Run the Script in the CLI
Copy and run the script below into a file called oci-setup.sh (this contains your own specific one-time public key in the script):
chmod +x oci-setup.sh ./oci-setup.sh
This option uses a single CLI script to automatically create all required OCI resources, reducing setup time and minimizing configuration errors.
What the script does:
Creates or reuses an IAM group
Creates or reuses a read-only IAM policy for cost and usage reports
Creates or reuses an IAM user in the selected identity domain
Adds the user to the group
Uploads the public API key provided by Finout
Outputs all required identifiers for Finout
Note: If resources already exist, they will be reused. If not, they will be created.
Copy the following values from the CLI script:
User ID
API Key Fingerprint
Tenancy
Region
5. Connect to OCI
Back in Finout, fill in the values from the CLI.
Click Complete Integration. The integration is completed.
Last updated
Was this helpful?