What must be established to allow an OCI compute instance to make API calls without credentials in a config file?

To allow an OCI compute instance to make API calls without requiring credentials in a config file, it is essential to create a dynamic group for the instance.

A dynamic group is a collection of OCI resources that can be defined based on specific criteria, such as the tags or compartments in which the resources exist. By creating a dynamic group, you can assign policies to the group that grant the instances the necessary permissions to interact with OCI services securely and without needing to use static credentials. This approach enhances security by minimizing the exposure of sensitive information while still permitting the instance to perform actions required for its operation.

In tandem with the dynamic group, an instance principal must also be established. This allows the instance to authenticate using the identity of the dynamic group, thereby facilitating API calls seamlessly.

Other options focus on different functionalities that do not directly address the requirement for making API calls without credentials in a config file. For example, assigning a public IP is more about connectivity rather than authentication and authorization. Similarly, setting the instance as a user or using VM instances as users does not pertain to the mechanism that allows for credential-free API calls. The dynamic group is specifically designed to support the scenario described in the question by ensuring appropriate access is granted.