How to migrate from JWT to IAM authentication for private containers
Scaleway Serverless Functions and Containers used to rely on legacy JWT authentication tokens to access private resources.
This feature is now deprecated. You must therefore use Scaleway IAM, with an API key, to access your private functions and containers. This change allows for better integration with the Scaleway ecosystem. Read the documentation on advanced access control with IAM conditions for more information.
- Set up IAM authentication by creating an IAM application and an API key associated with it, then grant the application the FunctionsPrivateAccess or ContainersPrivateAccess permission via an IAM policy.
- Delete the existing JWT for your Serverless Functions / Containers to revoke legacy authentication.
- Pass the secret key of your IAM application's API key via the X-Auth-Token header to call your private resource:
    curl -H "X-Auth-Token: <YOUR_SECRET_KEY>" <YOUR_ENDPOINT>
Granularity changes with IAM tokens
The JWT system allows you to create tokens for specific Serverless Namespaces and Serverless Functions and Containers. IAM tokens are scoped by projects, meaning the level of granularity will change.
To preserve the level of granularity when required, it is recommended to separate your resources within different projects.
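A post-migration check for the steps and the project scoping described above, as an added example that is not part of the Scaleway documentation. It confirms that the endpoint rejects anonymous calls, the deleted legacy JWT and an API key scoped to another project, while the new IAM secret key is accepted. It assumes that failed authentication returns 401 or 403 and that the legacy JWT was sent in the same X-Auth-Token header; the function and environment variable names are chosen for this example.

```python
import os
import urllib.error
import urllib.request

# Assumption: a private resource answers 401 or 403 when authentication fails.
REJECTED = {401, 403}


def http_status(endpoint, token=None, timeout=10):
    """Return the HTTP status of a GET to endpoint, sending token in X-Auth-Token."""
    if not endpoint.startswith("https://"):
        raise ValueError("refusing to send a secret key over a non-HTTPS endpoint")
    headers = {"X-Auth-Token": token} if token else {}
    req = urllib.request.Request(endpoint, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx responses arrive as exceptions


def check_migration(endpoint, iam_secret, legacy_jwt=None,
                    other_project_secret=None, probe=http_status):
    """Return a list of findings; an empty list means the migration looks complete."""
    findings = []
    if probe(endpoint, None) not in REJECTED:
        findings.append("endpoint answers without a token: resource is not private")
    # Assumption: the legacy JWT was also passed in X-Auth-Token.
    if legacy_jwt and probe(endpoint, legacy_jwt) not in REJECTED:
        findings.append("legacy JWT still accepted: delete it to revoke access")
    if other_project_secret and probe(endpoint, other_project_secret) not in REJECTED:
        findings.append("API key scoped to another project accepted: policy too broad")
    if probe(endpoint, iam_secret) in REJECTED:
        findings.append("IAM secret key rejected: check the policy and its permission")
    return findings


if __name__ == "__main__":
    # Environment variable names are placeholders chosen for this example.
    results = check_migration(
        os.environ["ENDPOINT"],
        os.environ["SCW_SECRET_KEY"],
        legacy_jwt=os.environ.get("LEGACY_JWT"),
        other_project_secret=os.environ.get("OTHER_PROJECT_SECRET_KEY"),
    )
    for finding in results:
        print("FAIL:", finding)
    raise SystemExit(1 if results else 0)
```

Secrets are read from the environment so they stay out of shell history and process arguments.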
Motivations of changes
When Scaleway Serverless Functions and Containers was first developed, IAM was not yet available as a service. To provide secure access to private Functions and Containers, we implemented JWT authentication as the primary authentication mechanism.
However, with the introduction and maturation of IAM, Scaleway now has a more robust and integrated authentication system. Migrating from JWT to IAM offers several advantages:
- Better ecosystem integration: IAM is deeply integrated with all Scaleway services, providing consistent authentication and authorization patterns across the platform
- Enhanced security features: IAM benefits from ongoing security improvements and follows best practices for authentication
- Rapid evolution: IAM is actively developed and will receive frequent updates and new features, ensuring your authentication system stays current
- Unified management: Using IAM for authentication centralizes access control management across all Scaleway resources
As IAM continues to evolve rapidly, it will offer capabilities that improve on what the legacy JWT system could provide, making it the preferred authentication method for Serverless Functions and Containers.