Problem
A Terraform run using the Oracle Cloud Infrastructure (OCI) provider fails with an error message indicating a problem with the private key configuration.
Error: can not create client, bad configuration: did not find a proper configuration for private key
with provider["registry.terraform.io/hashicorp/oci"], on oci.tf line 1, in provider "oci":
1: provider "oci" {

Prerequisites
The OCI provider for Terraform (used with the CLI, HCP Terraform, or Terraform Enterprise) requires an API signing key for authentication: a PEM-encoded RSA private key whose public half has been uploaded to your OCI user, together with the tenancy OCID, user OCID, key fingerprint, and region.
Cause
This error can occur for several reasons:
- The provider configuration does not include a private_key or private_key_path argument.
- The API key fingerprint in your OCI account does not match the fingerprint of the private key you are using.
- A private_key_password is missing or incorrect for an encrypted private key.
- The private key is in an unsupported format. OCI accepts only PEM-encoded RSA keys; a key in OpenSSH format (-----BEGIN OPENSSH PRIVATE KEY-----) or a non-RSA key will not load. Refer to Oracle's guide on generating an API key pair for more details. See also this related GitHub issue.
- The private_key_path specified is invalid. If you are experiencing issues with a relative path, try using an absolute path instead.
Solutions
Here are several solutions to validate your configuration and resolve the error.
Solution 1: Verify API Key Configuration
Ensure your provider configuration includes all required fields for API Key authentication: tenancy_ocid, user_ocid, fingerprint, region, and the key itself. You must provide either private_key (the key content itself) or private_key_path (the path to the key file).
Solution 2: Validate the Private Key Fingerprint
Confirm that the fingerprint of the private key you are using matches the API key fingerprint displayed for your user in the Oracle Cloud console (the value you put in the fingerprint argument).
You can generate the fingerprint from your private key file with the following command. It prints the MD5 digest of the DER-encoded public key as colon-separated hex, which is the format the console shows. If the key is encrypted, add -passin pass:<password>, otherwise openssl will prompt for it.
$ openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key.pem | openssl md5 -c
Solution 3: Provide the Private Key Password
If your private key is encrypted with a passphrase, you must include the private_key_password argument in your provider configuration.
To check if the private key file is valid and matches the provided passphrase, use the following command, substituting the environment variables with your values.
$ openssl rsa -in "$TF_VAR_oci_private_key_path" -check -passin pass:"$TF_VAR_oci_private_key_password"
A correct password will print "RSA key ok" followed by the decrypted key. An incorrect password will return an error similar to the following (the first line is the provider's message, the rest is OpenSSL's "bad decrypt" output).
Could not find private key from ~/.oci/oci_api_key.pem
408800FE01000000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:107:
408800FE01000000:error:04800065:PEM routines:PEM_do_header:bad decrypt:crypto/pem/pem_lib.c:472:
Solution 4: Handle Special Characters with Encoding
When passing the private key content directly (for example through a TF_VAR_ environment variable or an HCP Terraform variable), the multi-line PEM text and its special characters can cause parsing issues. To avoid this, you can base64 encode the key and decode it within your Terraform configuration.
- Encode the key and export it as an environment variable.
$ export TF_VAR_oci_private_key_base64=$(base64 -i ~/.oci/oci_api_key.pem)
The -i flag is the macOS input-file option. On Linux with GNU coreutils use base64 -w 0 ~/.oci/oci_api_key.pem instead, which also disables line wrapping.
- In your OCI provider configuration, use the base64decode function to decode the value. Mark the variable sensitive = true so the key is not printed in plan output.
variable "oci_private_key_base64" {
  sensitive = true
}

provider "oci" {
  # ... other configuration
  private_key = base64decode(var.oci_private_key_base64)
}