From: Rodric Rabbah
Date: Thu, 19 Jan 2017 13:44:36 -0500
Subject: Re: Passing security credentials to actions
Message-Id: <83C613A9-17BB-4AE3-84FB-7D7A5A4AF536@gmail.com>
To: dev@openwhisk.apache.org

Dragos, as you noted, when you create the action (or bind a package containing the action) you can specify the parameters for the action.

Then when the action is composed into the sequence it already has the parameters attached. Those parameters are not visible to other actions in the sequence (they do not escape the action without one doing it deliberately, i.e. returning a JSON object containing the secrets from the action).

If you're surfacing the sequence via the API gateway then you've hidden the parameters (I am taking it at face value that final actions have parameters that may not be overridden at invoke time).

Does this fit your use case?

-r

> On Jan 19, 2017, at 12:02 PM, Dragos Dascalita Haut wrote:
>
> I'd like to create an action that communicates with another API. The action needs a client_id, a secret and/or a keyfile, and/or a private key pair. This is a typical scenario to authenticate a service call; there's an example at [1] describing what needs to be done for such a scenario.
>
>
> Assumptions:
>
> 1. we can't store credentials with the code in Git
>
> 2. if the action becomes part of a sequence we might not want the other actions in that sequence to have access to these credentials. We might want to restrict the credentials to be visible only to the action that needs them.
>
>
> There are 2 questions here:
>
> 1. How can developers associate such metadata (for lack of a better term) to the action?
>
> 2. How can the action retrieve this metadata?
>
>
> I'm wondering if there are any thoughts on this already documented or if it's a problem we're yet to solve.
>
>
> Thanks,
> dragos
> [1] - https://developers.google.com/identity/protocols/OAuth2ServiceAccount
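
The parameter flow described in the reply, as an added example that is not part of the original thread and is not OpenWhisk code: a small local model of bound parameters and sequence piping. The helpers `bind` and `runSequence`, the action names and the credentials are all constructed for illustration, and the `final` behaviour is modelled as the reply assumes it.

```javascript
// Simplified local model of the parameter flow described in the reply.
// Not OpenWhisk code: bind, runSequence and the actions below are hypothetical.

// Bind default parameters to an action, as done at action-create or package-bind time.
// With `final` set, invoke-time arguments may not override a bound parameter
// (the behaviour the reply takes at face value).
function bind(main, bound, { final = false } = {}) {
  return (args) => {
    const clash = Object.keys(args).filter((k) => k in bound);
    if (final && clash.length > 0) {
      throw new Error(`cannot override bound parameters: ${clash.join(", ")}`);
    }
    // Invoke-time arguments win over bound defaults unless the action is final.
    return main({ ...bound, ...args });
  };
}

// A sequence pipes each action's result into the next action as its arguments,
// so each action sees only the previous result plus its own bound parameters.
function runSequence(actions, input) {
  return actions.reduce((payload, action) => action(payload), input);
}

// Constructed sample credentials and actions.
const seen = [];
const callApi = bind(
  (p) => {
    seen.push({ action: "callApi", keys: Object.keys(p).sort() });
    // Uses the credentials but returns only non-secret data.
    const authorized = p.client_id === "demo-id" && p.secret === "demo-secret";
    return { user: p.user, authorized };
  },
  { client_id: "demo-id", secret: "demo-secret" },
  { final: true }
);
const format = bind((p) => {
  seen.push({ action: "format", keys: Object.keys(p).sort() });
  return { message: `${p.user}: ${p.authorized ? "ok" : "denied"}` };
}, {});
// Anti-pattern: returning the bound secret lets it escape to the next action.
const leakyCallApi = bind((p) => ({ user: p.user, secret: p.secret }), { secret: "demo-secret" });

function demo() {
  seen.length = 0; // reset the record of which keys each action received
  const result = runSequence([callApi, format], { user: "alice" });
  const leaked = runSequence([leakyCallApi, (p) => p], { user: "alice" });
  return { result, seen: seen.slice(), leaked };
}
```

The secret reaches the second action only in the `leakyCallApi` case, which is the deliberate escape the reply mentions.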