openwhisk-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rodric Rabbah <rod...@gmail.com>
Subject Re: Passing security credentials to actions
Date Thu, 19 Jan 2017 18:44:36 GMT
Dragos as you noted when you create the action (or bind a package containing the action) you
can specify the parameters for the action.

Then when the action is composed into the sequence it already has the parameters attached.
Those parameters are not visible to other actions in the sequence (they do not escape the
action without one doing it deliberately i.e. returning a json object containing the secrets
from the action).

If you're surfacing the sequence via the API gateway then you've hidden the parameters (I
am taking it at face value that final actions have parameters that may not be overridden at
invoke time).

Does this fit your use case?

-r

> On Jan 19, 2017, at 12:02 PM, Dragos Dascalita Haut <ddascal@adobe.com> wrote:
> 
> I'd like to create an action that communicates with another API. The action needs a client_id,
a secret and/or a keyfile, and/or a private key pair. This is a typical scenario to authenticate
a service call; there's an example at [1] describing what needs to be done for such a scenario.
> 
> 
> Assumptions :
> 
> 1. we can't store credentials with the code in Git
> 
> 2. if the action becomes part of a sequence we might not want the other actions in that
sequence to have access to these credentials. we might want to restrict the credentials to
be visible only to the action that needs them.
> 
> 
> There are 2 questions here:
> 
> 1. How can developers associate such metadata (in the lack of a better term) to the action.
> 
> 2. How can the action retrieve this metadata.
> 
> 
> I'm wondering if there are any thoughts on this already documented or if it's a problem
we're yet to solve.
> 
> 
> Thanks,
> dragos
> [1] - https://developers.google.com/identity/protocols/OAuth2ServiceAccount

Mime
View raw message