Search barSidebar navigationMain contentFooter
HomeComputeContainersAPI/CLI
Restricting access to a container
Jump toUpdate content

Restricting access to a container

Reviewed on 27 December 2021Published on 06 October 2021

Making your container private allows you to restrict access to it which prevents unauthorized launch of the container. Contrary to private functions where the authorization process is built-in, it needs to be configured inside the container.

Important:

Be careful when you schedule automatic launching of private containers, as CRON jobs are not yet able to start private containers.

Requirements:

Generating a JWT token

Privacy can be ensured via JSON Web Tokens. A JWT Token can be retrieved from the API-endpoint GET /issue-jwt. Depending on the parameters, a JWT token can be valid for either a container or a namespace:

  • /issue-jwt?namespace_id=1: issues a JWT valid for all containers inside namespace with ID 1.
  • /issue-jwt?container_id=1: issues a JWT valid only for container with ID 1.
Tip:

You may optionally provide an expiration date (formatted yyyy-mm-ddT00:00:00Z) for the token. For example: /issue-jwt?expires_at=2022-01-02T00:00:00Z&namespace_id=1 will generate a token, valid for all containers inside namespace with ID 1, and this token will be valid until January 2nd 2022.

The token will have the following claims:

{
 "application_claim": [
   {
     "namespace_id": "string",
     "application_id": "string" // optional: id of the container
   }
 ]
}
Important:
  • Tokens are not stored by Scaleway and can not be retrieved if lost. However, new tokens can be generated.
  • Token revocation is not yet supported. The best way to reset tokens is to destroy and recreate the namespaces and all of their containers.

Using curl

Use the following command to issue a JWT token for your namespace from the command line using cURL: 

curl --location --request GET 'https://api.scaleway.com/functions/v1beta1/regions/fr-par/issue-jwt?namespace_id={your_namespace_id}&expires_at=2022-06-22T00%3A00%3A00Z' --header 'X-Auth-Token: {your_scaleway_API_key'}

Using an API tester (Talend API tester)

The following steps are designed for Talend API tester.

  1. Specify the GET method.
  2. Enter the API URL.
    • For namespaces:
      https://api.scaleway.com/functions/v1beta1/regions/fr-par/issue-jwt?namespace_id={your_namespace_id}&expires_at={expiration_date}
    • For Containers:
      https://api.scaleway.com/functions/v1beta1/regions/fr-par/issue-jwt?container_id={your_container_id}&expires_at={expiration_date}
  3. Add a X-Auth-Token header with your Scaleway API key as value.
  4. Send the request.
  5. Copy the returned token.

Validating tokens inside your container

The Scaleway API will set the following environment variables, which you can use in your application to validate incoming requests. The token is provided by our APIs:

  • SCW_PUBLIC: true or false based on your privacy settings
  • SCW_PUBLIC_KEY: PEM-encoded public Key used to decrypt tokens
  • SCW_NAMESPACE_ID: Current namespace ID
  • SCW_APPLICATION_ID: Current Container ID

As described above, tokens generated from the Scaleway API will contain either namespace ID or application ID in its claims, so you may verify its validity (after decrypting the JWT with the inject SCW_PUBLIC_KEY).

See Also
Uploading with the Serverless.com framework