Jump toUpdate content

How to secure a container

Reviewed on 01 February 2023Published on 01 February 2023

This page explains how to secure your container.

Security & Identity (IAM):

You may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Requirements:

Use Secrets to store access keys and sensitive information

Instead of using environment variables (which are stored in clear text) for your containers, use Secrets. These are pieces of information that can be used via environment variables, but are encrypted in storage.

Configure Secrets from the Scaleway Console

  1. Click Containers in the Serverless section of the side menu. The containers page displays.
  2. Click the relevant container namespace.
  3. Click the name of the container for which you want to define Secrets.
  4. Click the Deployment tab.
  5. Scroll to the Secrets section of the page and click Add secret. Enter the key and value for your Secret. Repeat for additonal secrets.
    Important:

    Be careful when you type your Secrets. You will not be able to read the value in the console once submitted.

  6. Click Deploy container to submit your Secrets and redeploy your container.

Configure Secrets using the Serverless framework

Add secret to your containers description (more information in the plugin documentation). We recommend using them with global environment variables or a .env file stored independently (and kept secret).

secret:
secret_1: ${env:SCW_SECRET_KEY}
Important:

We strongly suggest that you do not commit this in a Version Control System (VCS), and do not share your Project ID or access key. This helps to ensure the security of your configuration file, which may contain sensitive data.

Configure Secrets using Terraform

Add the following resource description in Terraform:

secret_environment_variables = { "key" = "secret" }

Restrict access to your containers

You can set Serverless containers as private if you want, to protect them from unwanted or unauthorized calls. Unauthenticated calls will be rejected, and your container will not be triggered. This feature is handy if an event triggers your container (CRON, and soon SQS or NATS trigger) or if you put them behind an API gateway or a proxy server (see examples in serverless-examples).

Restrict access from the Scaleway Console

  1. Click Containers in the Serverless section of the side menu. The containers page displays.
  2. Click the relevant container namespace.
  3. Click the name of the container for which you want to define Secrets.
  4. Click the Security tab.
  5. Set the Privacy Policy of the container to Private.
  6. If required, create an access token for your container:
    • Click Generate token in the Tokens section of the page. A pop-up displays.
    • Enter a description and set an optional expiration date. To generate a permanently-valid token tick No expiration date. Then click Generate token.
    • The token is displayed. Copy and store the token in a secure environment.
      Important:

      The token key will be shown only once. Copy and safely store it before leaving this page.

Restrict access using the Serverless framework

Set privacy: private in your container’s description.

You can generate access tokens for your container using the Scaleway console:

  1. Click Containers in the Serverless section of the side menu. The containers page displays.
  2. Click the relevant container namespace.
  3. Click the name of the container for which you want to define Secrets.
  4. Click the Security tab.
  5. Click Generate token in the Tokens section of the page. A pop-up displays.
  6. Enter a description and set an optional expiration date. To generate a permanently-valid token, tick No expiration date. Then click Generate token. The token is displayed. Copy and store the token in a secure environment.
    Important:

    The token key will be shown only once. Copy and safely store it before leaving this page.

Restrict access using Terraform

Set privacy = "private" in your Terraform resource description.

You can generate access credentials to inject in other applications (containers, functions, …) directly from Terraform using the container_token resource

Set up alerts in Observability Cockpit (upcoming feature)

Using Scaleway Observability Cockpit, a managed Grafana solution to which all your containers are connected, you can:

  • Monitor your containers using the default dashboard or create custom ones.
  • Set up notifications to be alerted in case of unexpected behavior.
See Also