Tags: oracle-cloud-infrastructure, identity-management, oracle-cloud-functions, oracle-cloud-shell

Cross Tenancy access via CLI and SDK in Oracle Cloud


I have two tenancies in Oracle Cloud Infrastructure where Tenancy1 is the login tenancy containing the IAM configurations and Tenancy2 is my target tenancy. I configured cross-tenancy auth (Endorse and Admit IAM policies) where I log in to the login tenancy (Tenancy1) and use the override_tenancy URL param to access the console of the target tenancy (Tenancy2). I have achieved this cross-tenancy access for the console, but can we perform cross-tenancy access via the OCI CLI or Python SDK? I am planning to have a dynamic group of functions in my login tenancy which can access the resources in target tenancies.


Solution

  • Well, seems this is pretty straightforward. Any client (oci.core.VirtualNetworkClient for example in Python) should be created using the config (API Signing Key of the user in the login tenancy) or signer. Use the client object methods to access the resources in the target tenancy just by its OCID. The option for override_tenancy doesn't exist for the CLI or SDK and isn't required either. If you have the right Endorse and Admit policies in place you should get the expected response.

    Example:

    import oci

    # config is the dictionary holding the API signing key of your user in the *login* tenancy
    # (https://docs.oracle.com/en-us/iaas/tools/python/2.89.0/configuration.html)
    config = oci.config.from_file()
    vcn_client = oci.core.VirtualNetworkClient(config)
    # The OCID is that of a VCN which exists in your *target* tenancy
    vcn = vcn_client.get_vcn('ocid1.vcn.oc1.xxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx').data
    

    PS: This doesn't work for IAM APIs or operations, as they don't support cross-tenancy access even with the right policies, as per security mandate.
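A fuller version of the answer's approach, added here as an example and not code from the original post or from Oracle. It covers both principals the question mentions (an API-key user and a function's resource principal from a dynamic group), and adds a fail-fast check that the target OCID really is a VCN and not an IAM resource, since the PS above says IAM operations are never admitted cross-tenancy. The `IAM_RESOURCE_TYPES` set, the placeholder OCIDs and the helper names are assumptions made for this example; the `oci` calls (`oci.config.from_file`, `oci.config.validate_config`, `oci.auth.signers.get_resource_principals_signer`, `VirtualNetworkClient.get_vcn`) are real SDK APIs. The SDK import is deferred so the OCID helpers run without `oci` installed.

```python
"""Cross-tenancy read of a VCN with the OCI Python SDK (added example).

Assumes the login-tenancy principal already has the Endorse/Admit policies
described in the answer; nothing here needs override_tenancy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ocid:
    resource_type: str
    realm: str
    region: str       # empty for region-less resources such as tenancies
    unique_id: str


# IAM resource types that, per the answer's PS, cannot be reached
# cross-tenancy. This set is an assumption for the example, not an
# authoritative list from Oracle.
IAM_RESOURCE_TYPES = frozenset(
    {"user", "group", "dynamicgroup", "policy", "compartment", "tenancy"}
)


def parse_ocid(ocid: str) -> Ocid:
    """Split an OCID of the documented form
    ocid1.<type>.<realm>.[region][.future use].<unique id>."""
    parts = ocid.split(".")
    if len(parts) < 5 or parts[0] != "ocid1" or not parts[1] or not parts[-1]:
        raise ValueError(f"not a well-formed OCID: {ocid!r}")
    return Ocid(resource_type=parts[1], realm=parts[2],
                region=parts[3], unique_id=parts[-1])


def check_cross_tenancy_target(ocid: str, expected_type: str) -> Ocid:
    """Fail before any API call if the OCID is the wrong resource type or
    an IAM resource that Endorse/Admit policies will never cover."""
    parsed = parse_ocid(ocid)
    if parsed.resource_type in IAM_RESOURCE_TYPES:
        raise PermissionError(
            f"{parsed.resource_type} is an IAM resource; not reachable cross-tenancy")
    if parsed.resource_type != expected_type:
        raise ValueError(
            f"expected a {expected_type} OCID, got {parsed.resource_type}")
    return parsed


def make_client(use_resource_principal: bool = False):
    """Build a VirtualNetworkClient authenticated as the *login* tenancy.

    - API key: reads ~/.oci/config (oci.config.from_file), the same
      dictionary the answer calls `config`.
    - Resource principal: what a function in a dynamic group uses; there is
      no key file, the signer comes from the function runtime.
    """
    import oci  # deferred so the pure helpers above run without the SDK

    if use_resource_principal:
        signer = oci.auth.signers.get_resource_principals_signer()
        return oci.core.VirtualNetworkClient(config={}, signer=signer)
    config = oci.config.from_file()
    oci.config.validate_config(config)
    return oci.core.VirtualNetworkClient(config)


def get_vcn_in_target_tenancy(vcn_ocid: str, use_resource_principal: bool = False):
    """Read a VCN that lives in the target tenancy. Authorization comes
    from the Endorse (login tenancy) and Admit (target tenancy) policies."""
    check_cross_tenancy_target(vcn_ocid, "vcn")
    client = make_client(use_resource_principal)
    return client.get_vcn(vcn_ocid).data


if __name__ == "__main__":
    # Constructed placeholder; replace with a VCN OCID from the target tenancy.
    vcn = get_vcn_in_target_tenancy("ocid1.vcn.oc1.phx.EXAMPLE_VCN_ID")
    print(vcn.display_name)
```

Inside an OCI Function, call `get_vcn_in_target_tenancy(ocid, use_resource_principal=True)`; the dynamic group that the function belongs to is then the subject of the Endorse statement in the login tenancy and of the Admit statement in the target tenancy. Running the same code with the API-key config reproduces the answer's `vcn_client.get_vcn(...)` call, while a user, group or policy OCID is rejected locally instead of producing a confusing 404 from the service.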