Problem
A Terraform run using the Oracle Cloud Infrastructure (OCI) provider fails with an error message indicating a problem with the private key configuration:
Error: can not create client, bad configuration: did not find a proper configuration for private key
with provider ["registry.terraform.io/hashicorp/oci"], on oci.tf line 1, in provider "oci":
1: provider "oci" {
Prerequisites
The OCI provider on Terraform CLI, Cloud, or Enterprise leverages a private key for authentication.
Cause
Some of the reasons this error can occur are:
- The configuration does not include a private_key or private_key_path.
- The API key fingerprint does not match the private key fingerprint.
- A private_key_password
- The key format is at fault, as reported in a GitHub issue. Follow Oracle's guide on generating an API key pair.
- The private_key_path specified is invalid. If you are experiencing issues with a relative path, try using an absolute path instead.
Validation and Solution
1. Verify API Key Configuration
- Review Oracle's guide on API key authentication for the required fields and ensure your configuration matches the example. You will need private_key or private_key_path.
2. Validate Private Key Fingerprint
- Ensure the private key fingerprint matches the API key fingerprint on the Oracle Cloud dashboard.
$ openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key.pem | openssl md5 -c
3. Validate Private Key Password
- Ensure you include private_key_password if your private key is encrypted with a passphrase.
- When using environment variables, check that the private key file is valid and matches the provided passphrase using the following command:
$ openssl rsa -in "$TF_VAR_oci_private_key_path" -check -passin pass:"$TF_VAR_oci_private_key_password"
- A correct private_key_password should return the decrypted key.
- An incorrect passphrase will return an error similar to:
Could not find private key from ~/.oci/oci_api_key.pem
408800FE01000000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:107:
408800FE01000000:error:04800065:PEM routines:PEM_do_header:bad decrypt:crypto/pem/pem_lib.c:472:
4. Handling Special Characters in Key Value
- When the key value is passed programmatically or manually, special characters can cause parsing issues.
- In this situation, the key can be encoded to avoid the issue. The following example base64-encodes the key and passes it in a variable.
export TF_VAR_oci_private_key_base64=$(base64 -i ~/.oci/oci_api_key.pem)
- Then decode the base64-encoded value with base64decode in your OCI provider configuration:
private_key = base64decode(var.oci_private_key_base64)
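The path, passphrase and fingerprint checks from the steps above, combined into one pre-flight function. This is an added example, not part of the original article: the function name, its exit codes and the OCI_KEY_PASS environment variable are assumptions made for illustration. It hands the passphrase to openssl with -passin env: instead of pass: so the value does not appear in the process list.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Function name, exit codes and
# the OCI_KEY_PASS variable are hypothetical; only openssl is required.
# Usage: OCI_KEY_PASS='...' oci_key_preflight /abs/path/key.pem aa:bb:...:ff
oci_key_preflight() {
  local key_path=$1 expected_fp=$2 der actual_fp

  # Cause: invalid private_key_path (relative paths depend on the working dir).
  case $key_path in
    /*) ;;
    *) echo "WARN: relative path, consider an absolute one: $key_path" >&2 ;;
  esac
  [ -r "$key_path" ] || { echo "FAIL: cannot read $key_path" >&2; return 2; }

  # Cause: encrypted key without private_key_password. Both the legacy PEM
  # header and the PKCS#8 header mark an encrypted key.
  if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$key_path" \
     && [ -z "${OCI_KEY_PASS-}" ]; then
    echo "FAIL: key is encrypted, private_key_password is required" >&2
    return 3
  fi

  # Derive the public key. The passphrase is handed over with -passin env:
  # so it never appears in the process list, unlike -passin pass:...
  der=$(mktemp) || return 1
  if ! OCI_KEY_PASS="${OCI_KEY_PASS-}" openssl rsa -pubout -outform DER \
         -in "$key_path" -passin env:OCI_KEY_PASS -out "$der" 2>/dev/null; then
    rm -f "$der"
    echo "FAIL: key unreadable (wrong passphrase or unsupported format)" >&2
    return 4
  fi

  # Cause: fingerprint mismatch. Same digest as the article's command:
  # MD5 over the DER-encoded public key, colon-separated.
  actual_fp=$(openssl md5 -c < "$der" | awk '{print $NF}')
  rm -f "$der"
  if [ "$actual_fp" != "$expected_fp" ]; then
    echo "FAIL: key fingerprint $actual_fp != configured $expected_fp" >&2
    return 5
  fi
  echo "OK: $actual_fp"
}
```

Pass the fingerprint exactly as configured in the provider block; a non-zero exit code identifies which of the causes listed above applies.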