# Command-Line Interface (CLI)
The OCI Policy Analysis application provides a flexible command-line interface (CLI) for analyzing OCI policies, dynamic groups, users, and compartments. The CLI supports live OCI loading, compliance output ingestion, advanced filtering, and JSON export. It is an essential tool for both ad-hoc policy investigation and automated workflows.
## CLI Usage

Invoke the CLI with:

```bash
python -m oci_policy_analysis.cli [OPTIONS]
```

or directly (if installed as a script):

```bash
oci-policy-analysis [OPTIONS]
```
## CLI Options

| Option | Description |
|---|---|
| | Enable verbose logging |
| | Log output to |
| `--instance-principal` | Use instance principal authentication |
| | List available caches for the given tenancy |
| | Print all policies and dynamic groups |
| `--recursive` | Recursively load across all compartments |
| `--use-cache` | Load data from a specified combined cache file |
| `--dont-save-cache-after-load` | Do not save a new combined cache after loading from OCI |
| `--profile` | OCI CLI profile to use (default: |
| `--filter-json` | A JSON filter expression for policy statements |
| `--load-from-compliance` | Load policy data from a directory of OCI CIS compliance output CSVs |
| | Export all collected data to the specified JSON file |
| `--help` | Show usage and options |
## Usage Examples

### 1. Displaying CLI Help

Show full help including all options:

```bash
python -m oci_policy_analysis.cli --help
```

Or, if installed as an application:

```bash
oci-policy-analysis --help
```
### 2. Loading a Tenancy into a Local Cache

To load all OCI policies and identity resources for a tenancy and save them to a new cache (using a named profile):

```bash
python -m oci_policy_analysis.cli --profile MY_PROFILE --recursive
```

This will connect to OCI, recursively load all compartments, users, groups, and policies, and generate a “combined cache” file for offline or repeated analysis.

By default, the cache is saved after load (unless `--dont-save-cache-after-load` is provided). Use `--instance-principal` to run on an OCI Compute Instance with instance principal authentication.
### 3. Loading a Tenancy and Filtering Policy Statements

You can load a tenancy (live or from cache) and filter policy statements using a JSON expression:

```bash
python -m oci_policy_analysis.cli --profile MY_PROFILE --recursive --filter-json '{"Subject": "groupA", "Verb": "read"}'
```

This command fetches all statements for group “groupA” with verb “read”, displaying the results on the console.

For advanced usage, combine with `--use-cache` to operate on a cached dataset:

```bash
python -m oci_policy_analysis.cli --use-cache 2024-11-17T10-43-08+00-00 --filter-json '{"Subject": "groupA", "Resource": "instance"}'
```
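As an added example (not code from the OCI Policy Analysis project), the following Python shows one way a `--filter-json` expression of the kind used above can be evaluated against OCI policy statements. It parses the standard `Allow <subject> to <verb> <resource-type> in <scope> [where ...]` statement form into named fields; the field names `Subject`, `Verb` and `Resource` follow the examples on this page, while `Location` and `Condition`, the exact-versus-substring matching rule, and the sample statements are assumptions constructed for this example rather than documented CLI behaviour.

```python
import json
import re

# Constructed sample statements for the demonstration (not from a real tenancy).
SAMPLE_STATEMENTS = [
    "Allow group groupA to read instances in compartment Dev",
    "Allow group groupA to manage buckets in tenancy",
    "Allow dynamic-group fn-dg to use instance-family in compartment Prod "
    "where request.operation = 'LaunchInstance'",
    "Allow group groupB to read instances in compartment Dev",
    "Allow any-user to use fn-invocation in compartment Prod "
    "where ALL {request.principal.type = 'serviceconnector'}",
]

# Standard OCI policy statement grammar:
#   Allow <subject> to <verb> <resource-type> in (tenancy | compartment <name>) [where <conditions>]
# Subjects are limited here to group / dynamic-group / service names and any-user;
# quoted names and OCID-based subjects are not handled (assumption of this example).
STATEMENT_RE = re.compile(
    r"^\s*allow\s+"
    r"(?:(?P<subject_type>group|dynamic-group|service)\s+(?P<subject>\S+)"
    r"|(?P<any_user>any-user))"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# Fields compared exactly (case-insensitive); every other field is matched by
# substring, so "instance" matches both "instances" and "instance-family".
# This matching rule is an assumption of the example, not documented CLI behaviour.
EXACT_FIELDS = {"Subject", "SubjectType", "Verb"}


def parse_statement(stmt):
    """Split one policy statement into named fields; None if it does not parse."""
    m = STATEMENT_RE.match(stmt)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "Subject": g["subject"] if g["subject"] else "any-user",
        "SubjectType": g["subject_type"].lower() if g["subject_type"] else "any-user",
        "Verb": g["verb"].lower(),
        "Resource": g["resource"].lower(),
        "Location": "tenancy" if g["tenancy"] else g["compartment"],
        "Condition": g["condition"] or "",
        "Statement": stmt.strip(),
    }


def matches(parsed, criteria):
    """True if every key in the filter criteria matches the parsed statement."""
    for field, wanted in criteria.items():
        actual = str(parsed.get(field, "")).lower()
        wanted = str(wanted).lower()
        if field in EXACT_FIELDS:
            if actual != wanted:
                return False
        elif wanted not in actual:
            return False
    return True


def filter_statements(statements, filter_json):
    """Apply a JSON filter expression (given as a string) to a list of statements."""
    criteria = json.loads(filter_json)
    results = []
    for stmt in statements:
        parsed = parse_statement(stmt)
        if parsed is None:
            # Unparseable statements are skipped here; a real tool should report them,
            # since a statement the analyser cannot read is a statement it cannot audit.
            continue
        if matches(parsed, criteria):
            results.append(parsed)
    return results


if __name__ == "__main__":
    for hit in filter_statements(SAMPLE_STATEMENTS, '{"Subject": "groupA", "Verb": "read"}'):
        print(hit["Statement"])
```

Subject and verb are compared exactly so that a filter for `groupA` does not silently also return statements for a group whose name merely starts with `groupA`; resource type is matched by substring because the page's own filter uses the singular `instance` against statements that grant access to `instances`.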
### 4. Loading a Tenancy from CIS Compliance Output

To ingest OCI policy state from baseline compliance CSV output (as created for CIS benchmark reporting):

```bash
python -m oci_policy_analysis.cli --load-from-compliance /path/to/compliance_csv_output/
```

This will parse all CSV files in the directory, reconstructing users, groups, dynamic groups, and policies for analysis and reporting.
## Generating a Cache for Secure MCP Server Use
The CLI can be used to generate a combined policy analysis cache file (.json), capturing the full set of users, groups, dynamic groups, compartments, and policies in your tenancy. This cache is portable and can be used for offline analysis or transferred to another environment.
A powerful workflow is to use the CLI to generate and update the cache, then deploy this cache—as input for the Model Context Protocol (MCP) server—on an OCI Compute Instance or within a managed, load-balanced environment. In this model, the CLI acts as an extract-and-publish step, with the MCP server providing fast API access to policy data, supporting scalable automation or federated review by multiple consumers.
For deployment and security considerations on running load-balanced MCP servers on OCI, see: Secure Deployment on OCI — Outline Steps