Cloud IAM permissions for MFA-only local user API access?
Summary
Enforcing MFA on console and API users?
Content
I'm trying to lay foundations in our Oracle Cloud. I've figured out a set of groups which give people the right access levels in the right compartments, etc. I've added where request.user.mfaTotpVerified='true' to policy statements to enforce the use of MFA. This all works fine in the web console.
I'm struggling with API users though. It's somewhat expected that API Key connections would not be considered 'TotpVerified', but the same seems to be true for Access Token users too.
Ultimately, I'm looking to:
1) Enforce MFA for all local users. Since there's no workflow way to do this, I'm hoping to let them log in without MFA, but then not be able to actually do anything in the cloud until they've enabled and used MFA (this is an approach we've used successfully in AWS, for example)
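The following is an added worked example, not code from the original poster or from Oracle. It takes the approach described in the question one step further: since policy statements that carry where request.user.mfaTotpVerified='true' only grant access from an MFA-verified console session, and (as observed above) API-key-signed requests are not treated as TotpVerified, an administrator laying these foundations wants two lists per tenancy: local users who have not yet activated MFA (they can log in but the gated statements grant them nothing until they do) and users who hold API keys (those users need a separate group whose statements do not carry the MFA condition, or they will be denied on every API call). The audit logic works on plain records so it runs offline against the constructed sample below; only fetch_users() touches the network, and it assumes the OCI Python SDK (oci) is installed and ~/.oci/config has a DEFAULT profile with the tenancy OCID. The group, verb, resource and compartment names in the sample are hypothetical.

```python
"""Audit which OCI IAM (local) users an MFA-gated policy would affect.

Added example, not the poster's or Oracle's code. Pure functions operate on
UserRecord values; fetch_users() is the only part that calls the OCI SDK.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRecord:
    name: str
    is_mfa_activated: bool     # maps to oci.identity.models.User.is_mfa_activated
    api_key_count: int         # number of API signing keys uploaded for the user
    lifecycle_state: str = "ACTIVE"


def classify_users(users):
    """Split users into mfa_ok / mfa_missing / api_key_holders (sorted names).

    A user can appear in api_key_holders as well as in one of the other two.
    Users that are not ACTIVE are skipped: they cannot authenticate at all.
    """
    report = {"mfa_ok": [], "mfa_missing": [], "api_key_holders": []}
    for u in users:
        if u.lifecycle_state != "ACTIVE":
            continue
        bucket = "mfa_ok" if u.is_mfa_activated else "mfa_missing"
        report[bucket].append(u.name)
        if u.api_key_count > 0:
            # Requests signed with an API key are not mfaTotpVerified, so an
            # MFA-gated statement denies this user's API traffic outright.
            report["api_key_holders"].append(u.name)
    for names in report.values():
        names.sort()
    return report


def policy_statement(group, verb, resource, compartment, require_mfa=True):
    """Build one OCI policy statement, optionally gated on a verified TOTP session.

    Console-only groups get require_mfa=True; groups that must work via API
    keys need require_mfa=False (and should be kept as small as possible).
    """
    stmt = f"Allow group {group} to {verb} {resource} in compartment {compartment}"
    if require_mfa:
        stmt += " where request.user.mfaTotpVerified='true'"
    return stmt


def fetch_users(profile="DEFAULT"):
    """Pull real users and their API key counts from the tenancy (network call).

    Assumption: the OCI Python SDK is installed and ~/.oci/config is set up.
    """
    import oci  # imported lazily so the offline functions above never need it
    config = oci.config.from_file(profile_name=profile)
    identity = oci.identity.IdentityClient(config)
    users = oci.pagination.list_call_get_all_results(
        identity.list_users, config["tenancy"]).data
    records = []
    for u in users:
        keys = identity.list_api_keys(u.id).data
        records.append(UserRecord(u.name, bool(u.is_mfa_activated),
                                  len(keys), u.lifecycle_state))
    return records


# Constructed sample tenancy (hypothetical users, not real data).
SAMPLE_USERS = [
    UserRecord("alice", True, 0),               # console admin, MFA done
    UserRecord("bob", False, 0),                # logged in, never enabled MFA
    UserRecord("ci-bot", False, 2),             # automation, API keys only
    UserRecord("carol", True, 1),               # human who also scripts via API
    UserRecord("dave", False, 1, "INACTIVE"),   # disabled account, ignored
]


def main():
    report = classify_users(SAMPLE_USERS)
    for bucket, names in report.items():
        print(f"{bucket:16s} {', '.join(names) or '-'}")
    print(policy_statement("ProdAdmins", "manage", "all-resources", "Prod"))
    print(policy_statement("ProdAutomation", "use", "instance-family", "Prod",
                           require_mfa=False))


if __name__ == "__main__":
    main()
```

The report makes the two follow-up actions concrete: users in mfa_missing are exactly the ones the gated statements leave unable to act until they enrol, which is the intended "log in but can't do anything" state; users in api_key_holders need to be moved into a group whose statements are built with require_mfa=False, since no amount of enrolment makes their signed API requests satisfy the condition.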