Serverless Function Access to OCI Object Storage Without Static Authentication Files

Serverless Function Access to OCI Object Storage

Question

You are developing a Serverless function for your company's IoT project.

This function should access Oracle Cloud Infrastructure (OCI) Object Storage to store some files.

You choose Oracle Functions to deploy this function on OCI.

However, your security team doesn't allow you to carry any API Token or RSA Key to authenticate the function against the OCI API to access the Object Storage.

What should you do to get this function to access OCI Object Storage without carrying any static authentication files? (Choose the best answer.)

Answers

Explanations


The correct answer to this question is A: set up a Dynamic Group that matches the function, create a policy that grants that Dynamic Group access to OCI Object Storage, and obtain the credentials in your function code through a "resource principal provider" rather than from a key file.

Oracle Functions is a serverless platform provided by Oracle Cloud Infrastructure (OCI) that enables developers to build and deploy functions quickly and easily. To access OCI Object Storage from a serverless function deployed on Oracle Functions, you need to authenticate the function against the OCI API. However, in this case, the security team does not allow carrying any API Token or RSA Key to authenticate the function.

To solve this issue, you can use the Resource Principal concept in OCI. A resource principal lets a resource running on OCI, here the function itself, authenticate against other OCI services as that resource. The Functions service provisions a short-lived resource principal session token and key pair into the function's runtime environment; the OCI SDK picks them up automatically, and they are rotated by the platform. Nothing is embedded in the function image or deployed with the code, so no API tokens or RSA keys are carried.

To allow the serverless function to authenticate itself using Resource Principal authentication, you need to follow the steps below:

  1. Set up a Dynamic Group that contains the function:

    • Description: Provide a description for the Dynamic Group.
    • Matching Rules: Specify the rule that defines which resources belong to the Dynamic Group. Match the function itself rather than everything in its compartment, for example ALL {resource.type = 'fnfunc', resource.compartment.id = '<compartment OCID>'}, or resource.id = '<function OCID>' to admit a single function.
  2. Create a policy that grants the Dynamic Group access to OCI Object Storage:

    • Policy Statement: Write statements of the form "Allow dynamic-group <group> to <verb> <resource-type> in compartment <compartment>", naming the Dynamic Group created in step 1 as the subject.
    • Permissions: Grant only what the function needs. Storing files requires "manage objects" (and "read buckets") on the target bucket; "read objectstorage-namespaces" lets the function look up the tenancy's Object Storage namespace. A "where target.bucket.name = '<bucket>'" condition keeps the function away from other buckets in the compartment.
  3. Obtain the credentials in your function code through the "resource principal provider" of the OCI SDK:

    • OCI SDK: Use the OCI SDK for the programming language you are writing the function in.
    • Resource Principal: Build the Object Storage client with the SDK's resource principal signer or provider (get_resource_principals_signer() in the Python SDK, ResourcePrincipalAuthenticationDetailsProvider in the Java SDK) instead of a configuration file. The SDK reads the session token and key that the Functions runtime injects into the container at invocation time; the image itself contains no credential.

By following these steps, your serverless function can authenticate itself against OCI Object Storage using Resource Principal authentication, without the need to carry any static authentication files.
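The three steps above, carried through as an added example in Python (this is not code from the original page or from Oracle). It produces the Dynamic Group matching rule and the least-privilege policy statements a practitioner would paste into the console, and it shows the function handler building its Object Storage client from the resource principal signer rather than a config file. The compartment OCID, the group name fn-iot-dg, the compartment name iot-compartment, the bucket iot-uploads and the configuration key BUCKET_NAME are assumed placeholders; the handler also refuses to run when the runtime has not injected the resource principal variables, so it can never silently fall back to a key on disk.

```python
"""Added example (not from the original page): an Oracle Function in Python that
stores each incoming payload as an object, authenticated by the function's own
resource principal.  The dynamic-group and policy helpers produce the IAM text
a practitioner would paste into the console; the OCID, group, compartment and
bucket names used when calling them are assumed placeholders."""
import io
import json
import os
import re
from typing import List, Mapping

# Variables the Oracle Functions runtime injects for resource principal v2.2.
# The SDK signer is driven by these; none of them exists in the image.
RP_ENV_VARS = (
    "OCI_RESOURCE_PRINCIPAL_VERSION",
    "OCI_RESOURCE_PRINCIPAL_RPST",
    "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM",
    "OCI_RESOURCE_PRINCIPAL_REGION",
)


def dynamic_group_rule(compartment_ocid: str) -> str:
    """Matching rule admitting only Functions (type 'fnfunc') in one
    compartment, not every resource that happens to live there."""
    if not re.fullmatch(r"ocid1\.compartment\.oc1\.[A-Za-z0-9._-]+", compartment_ocid):
        raise ValueError("expected a compartment OCID")
    return (f"ALL {{resource.type = 'fnfunc', "
            f"resource.compartment.id = '{compartment_ocid}'}}")


def policy_statements(group: str, compartment: str, bucket: str) -> List[str]:
    """Least-privilege statements: namespace lookup, read the one bucket,
    manage objects inside it.  No 'manage object-family in tenancy'."""
    scope = f"in compartment {compartment} where target.bucket.name = '{bucket}'"
    return [
        f"Allow dynamic-group {group} to read objectstorage-namespaces in tenancy",
        f"Allow dynamic-group {group} to read buckets {scope}",
        f"Allow dynamic-group {group} to manage objects {scope}",
    ]


def missing_resource_principal_vars(env: Mapping[str, str] = os.environ) -> List[str]:
    """Resource-principal variables that are absent.  A non-empty result means
    the code is not running under Oracle Functions with a resource principal
    provisioned, so failing fast beats letting the SDK look for a config file."""
    return [name for name in RP_ENV_VARS if name not in env]


def object_storage_client():
    """Object Storage client signed by the function's resource principal.
    config={} is deliberate: no ~/.oci/config, no API key on disk."""
    import oci  # imported lazily so the IAM helpers run without the SDK installed
    signer = oci.auth.signers.get_resource_principals_signer()
    return oci.object_storage.ObjectStorageClient(config={}, signer=signer)


def handler(ctx, data: io.BytesIO = None) -> str:
    """fdk entry point.  The bucket name comes from the function configuration
    (assumed key BUCKET_NAME, set with `fn config function`), never from the
    request body."""
    missing = missing_resource_principal_vars()
    if missing:
        return json.dumps({"error": "resource principal unavailable", "missing": missing})
    bucket = ctx.Config()["BUCKET_NAME"]
    client = object_storage_client()
    namespace = client.get_namespace().data
    name = f"readings/{ctx.CallID()}.json"  # one object per invocation
    body = data.getvalue() if data else b""
    client.put_object(namespace, bucket, name, body)
    return json.dumps({"stored": name, "bucket": bucket})
```

Deploy the function with `fn deploy` as usual and set the bucket with `fn config function <app> <function> BUCKET_NAME iot-uploads`; the matching rule and policy text come from `dynamic_group_rule(...)` and `policy_statements(...)`. Note that the policy deliberately scopes both bucket and object access to one bucket: a statement such as "manage object-family in tenancy" would also satisfy the question but hands every function in the group write access to every bucket.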