openwhisk-dev mailing list archives

From "Matt Rutkowski" <mrutk...@us.ibm.com>
Subject Re: Passing security credentials to actions
Date Thu, 19 Jan 2017 17:16:58 GMT
Again, I would like to point to the wskdeploy tool (project) in OpenWhisk.
Conceptually, we have a Manifest File and Deployment file which, along
with the tool, can be used to (at API invocation time) pass deploy-time
info. to the tool to perform OBO functions. We could also add the ability
to provide metadata that the tool could eventually use (e.g., API keys) to
encrypt the data on a per-transactional basis. However, this
(transactional crypto.) data would be assumed to be generated specific to
the client/user/customer/device by the target Cloud platform and have
one-time, time-windowed viability to protect the other data/credentials.

Kind regards,
Matt 



From:   Dragos Dascalita Haut <ddascal@adobe.com>
To:     "dev@openwhisk.apache.org" <dev@openwhisk.apache.org>
Date:   01/19/2017 11:02 AM
Subject:        Passing security credentials to actions



I'd like to create an action that communicates with another API. The 
action needs a client_id, a secret and/or a keyfile, and/or a private key 
pair. This is a typical scenario to authenticate a service call; there's 
an example at [1] describing what needs to be done for such a scenario.


Assumptions:

1. We can't store credentials with the code in Git.

2. If the action becomes part of a sequence, we might not want the other
actions in that sequence to have access to these credentials. We might
want to restrict the credentials to be visible only to the action that
needs them.


There are 2 questions here:

1. How can developers associate such metadata (for lack of a better
term) to the action?

2. How can the action retrieve this metadata?


I'm wondering if there are any thoughts on this already documented or if 
it's a problem we're yet to solve.


Thanks,
dragos
[1] - https://developers.google.com/identity/protocols/OAuth2ServiceAccount




