Search bar Sidebar navigation Main content Footer

Scaleway Documentation Compute Functions API/CLI

Restricting access to a function

Reviewed on 20 December 2021 • Published on 26 May 2021

This page shows you how to restrict access to your function by making it private. This prevents unauthorized launching of the function.

Requirements:

You have an account and are logged into the Scaleway Console
You have created a function
You have generated a Scaleway API key
You have either curl, Postman, Talend API tester or any tool to send HTTP requests

Generating a JWT token

Privacy can be ensured via JSON Web Tokens. A JWT Token can be retrieved from the API-endpoint GET /issue-jwt. Depending on the parameters, a JWT token can be valid for either a function or a namespace:

/issue-jwt?namespace_id=1: issues JWT valid for all functions inside namespace with ID 1.
/issue-jwt?function_id=1: issues JWT valid only for function with ID 1.

Tip:

You may optionally provide an expiration date (formatted yyyy-mm-ddT00:00:00Z) for the token. For example: /issue-jwt?expires_at=2022-01-02T00:00:00Z&namespace_id=1 will generate a token, valid for all functions inside namespace with ID 1, and this token will be valid until January 2nd 2022.

The token will have the following claims:

{
 "application_claim": [
   {
     "namespace_id": "string",
     "function_id": "string" // optional: id of function
   }
 ]
}

Important:

Tokens are not stored by Scaleway and can not be retrieved if lost. However, new tokens can be generated.
Token revocation is not yet supported. The best way to reset tokens is to destroy and recreate the namespaces and all of their functions.

Using curl

Use the following command to issue a JWT token for your namespace from the command line using cURL:

curl --location --request GET 'https://api.scaleway.com/functions/v1beta1/regions/fr-par/issue-jwt?namespace_id={your namespace id}&expires_at=2022-06-22T00%3A00%3A00Z' --header 'X-Auth-Token: {your scaleway API key'}

Using an API Tester (Talend API Tester)

The following steps are designed for Talend API tester.

Specify the GET method.

Enter the API URL.

For namespaces:

https://api.scaleway.com/functions/v1beta1/regions/fr-par/issue-jwt?namespace_id={your namespace id}&expires_at={expiration date}

For Functions:

https://api.scaleway.com/functions/v1beta1/regions/fr-par/issue-jwt?function_id={your function id}&expires_at={expiration date}

Add a X-Auth-Token header with your Scaleway API key as value.
Send the request.
Copy the response.

Using your token

A private function observes this behaviour:

If a call is made without the SCW_FUNCTIONS_TOKEN header, the call is rejected (status code 404)
If the SCW_FUNCTIONS_TOKEN header is provided, the token is validated using a public key attached to the namespace.

The environment variables SCW_PUBLIC, SCW_PUBLIC_KEY, SCW_NAMESPACE_ID, SCW_APPLICATION_ID are provided by our APIs to validate incoming tokens.

For example, to execute a private function by providing a JWT using curl, you may run the following command:

curl -H "SCW_FUNCTIONS_TOKEN: <generated-token>" <your-function-host>