The recommended, credential-free way for an application that will run on an OCI Compute instance to call OCI services is to enable Instance Principals.

1. The instance is placed in a Dynamic Group that represents the application.

2. IAM policies are written for that Dynamic Group granting only the required permissions.

3. At run time the SDK/CLI obtains a temporary security token from the Instance Metadata Service and signs API requests.

Because no long-lived user credentials are stored or shared and access is limited by policy, this method meets the requirement to “securely grant … access to specific OCI resources.”

A. OAuth 2.0 is not an authentication mechanism for OCI service APIs; OCI uses API-signature keys or resource/instance principals.

B. A tenancy-wide “allow full access” policy violates least-privilege, exposing all resources rather than the specific ones required.

D. Sharing administrator credentials is insecure, breaks key-rotation practices, and gives the application unrestricted access far beyond the requested scope.

1. Oracle Cloud Infrastructure Docs – Identity & Access Management, “Calling Services from an Instance” (Instance Principals), Section: Overview; Steps 1–4. URL: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm

2. Oracle Cloud Infrastructure Docs – Identity & Access Management, “Dynamic Groups,” Section: Concepts.

3. Oracle Cloud Infrastructure Docs – Security Best Practices, “Use least privilege and avoid sharing user credentials,” pp. 3–4 (June 2023).