Tip
You can create an API key and store it with secrets to grant your functions access to the Scaleway API.
How to secure a function
Reviewed on 27 February 2025 • Published on 01 February 2023
This page explains how to secure your function.
Before you startLink to this anchor
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- A functions namespace
- A function
- Created an authentication token for your function
Use secrets to store access keys and sensitive informationLink to this anchor
Instead of using environment variables (which are stored in clear text) for your functions, use secrets. These are pieces of information that can be used via environment variables, but are encrypted in storage.
Configure secrets from the Scaleway consoleLink to this anchor
- Click Functions in the Serverless section of the side menu. The functions page displays.
- Click the relevant function namespace.
- Click the name of the function for which you want to define secrets.
- Click the Settings tab.
- Scroll to the Secrets section of the page and click Add secret. Enter the key and value for your secret. Repeat for additional secrets.
Important
Be careful when you type your secrets. You will not be able to read the value in the console once submitted.
- Click Save settings to submit your secrets and redeploy your function.
Configure secrets using the Serverless frameworkLink to this anchor
Add secret to your function’s description (more information in the plugin documentation).
We recommend using them with global environment variables or a .env file stored independently (and kept secret).
Important
We strongly suggest that you do not commit this in a Version Control System (VCS), and do not share your Project ID or access key. This helps to ensure the security of your configuration file, which may contain sensitive data.
Configure secrets using Terraform/OpenTofuLink to this anchor
Add the following resource description in Terraform/OpenTofu:
Restrict access to your functionsLink to this anchor
You can set Serverless Functions as private if you want to protect your functions from unwanted or unauthorized calls.
Unauthenticated calls will be rejected, and your function will not be triggered. This feature is handy if an event triggers your function (CRON, Queues or NATS trigger) or if you put them behind an API gateway or a proxy server (see examples in serverless-examples).
Restrict access from the Scaleway consoleLink to this anchor
- Click Functions in the Serverless section of the side menu. The functions page displays.
- Click the relevant function namespace.
- Click the name of the function for which you want to define secrets.
- Click the Security tab.
- Set the Privacy Policy of the function to Private.
- If required, create an access token for your function.
Restrict access using the Serverless frameworkLink to this anchor
Set privacy: private in your functions description file.
Your function is now private, and requires an X-Auth-Token header to be called:
Refer to the How to create an authentication token documentation for more information.
Restrict access using Terraform/OpenTofuLink to this anchor
Set privacy = "private" in your Terraform/OpenTofu resource description.
You can generate access credentials to inject in other applications (containers, functions etc.) directly from Terraform/OpenTofu using the function_token resource.
Set up alerts in Observability Cockpit (upcoming feature)Link to this anchor
Using Scaleway Observability Cockpit, a managed Grafana solution to which all your functions are connected, you can:
- Monitor your functions using the default dashboard or create custom ones.
- Set up notifications to be alerted in case of unexpected behavior.
Was this page helpful?