The primary benefit of using instance principals is to automate the authentication process for applications running on OCI compute instances, eliminating the need for manual credential management. The instance automatically obtains temporary, short-lived security tokens from the IAM service. Auth Tokens are long-lived credentials generated for a specific IAM user, not an instance, and are used for authenticating with services like OCI Registry. Therefore, generating Auth Tokens is not part of the instance principal setup process; the authentication is handled transparently by the OCI SDK.

A. Deploying an application with a supported OCI SDK is essential. The SDK contains the logic to interact with the instance metadata endpoint to request security tokens and sign API calls.

B. Creating a dynamic group is a mandatory first step. It defines which instances are included as principals based on matching rules, allowing policies to be applied to them collectively.

C. A policy is required to grant the dynamic group (and thus the instances within it) specific permissions to access other OCI resources. Without a policy, the instances have no authority.

1. Oracle Cloud Infrastructure Documentation, "Calling Services from an Instance": This document outlines the setup process. It states, "You must: 1. Create a dynamic group... 2. Create a policy... 3. Your code, running on the instances, makes calls to OCI services... The SDK handles the rest." It explicitly notes that you do not need to configure user credentials on the instance. (Doc ID: OCI IAM Documentation -> Identity and Access Management -> Secure IAM -> Calling Services from an Instance).

2. Oracle Cloud Infrastructure Documentation, "Managing Dynamic Groups": This document details the necessity of creating dynamic groups to group instances that need to make API calls. It states, "You can group Oracle Cloud Infrastructure compute instances as 'principal' actors... You can then create policies to permit instances in the group to make API calls against Oracle Cloud Infrastructure services." (Doc ID: OCI IAM Documentation -> Identity and Access Management -> Dynamic Groups -> Managing Dynamic Groups).

3. Oracle Cloud Infrastructure Documentation, "Managing Auth Tokens": This source clarifies the purpose of Auth Tokens, stating, "Auth tokens are Oracle-generated token strings that you can use to authenticate with third-party APIs that do not support the Oracle Cloud Infrastructure's signature-based authentication... An auth token is specific to a user." This confirms Auth Tokens are user-centric and not part of the instance principal mechanism. (Doc ID: OCI IAM Documentation -> Identity and Access Management -> Users -> Managing Auth Tokens).