OCI Functions are powerful components in a cloud native world. Triggered by events and direct requests, these functions are engaged to perform a specific task, which could be almost anything (as long as it does not take too long). It can certainly be a task that requires access to external systems and services, and that access in turn requires credentials, tokens, keys and other sensitive information. This article is an enhancement request regarding such sensitive information.
Sensitive information should not be hard coded into the function (duh!). And neither should it be provided through function parameters that anyone with access to the function definition can see. Sensitive values are managed in OCI Vault – as secrets. Those highly privileged persons or systems that know about these secrets can define them in the Vault. And no one else should know them. Only applications that require values stored in secrets should have permission to read them from the vault – when needed.
My enhancement request: allow function (application) parameters to be defined with a reference to an OCI Vault Secret. Say a Function needs a password to make a call at runtime to an external database. This password is stored in a secret. The function has a parameter of type secret-reference and is defined with the OCID of a secret in an OCI Vault. When the function is instantiated, the OCI Functions runtime retrieves the value of the secret and makes it available to the function – along with the other parameters that were defined in the traditional way (static value). This requires the Function to have privileges to read secrets from this particular vault.
It is conceivable that values retrieved from secrets stay cached in the OCI Functions runtime for a number of minutes – so as not to overload the vault with requests – although I do not know if the vault is easily stressed out. There should be a guarantee that changes in the value of a secret will trickle down into new function executions after at most a defined maximum period of time.
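Until such a secret-reference parameter type exists, the same behaviour can be built inside the function itself. The following added example (my illustration, not code from the post or from OCI Functions) assumes the convention that a config parameter holding `secret:<secret OCID>` is a reference, resolves it through the OCI Python SDK using the function's resource principal, and caches the value for a bounded time so that a rotated secret reaches new executions within the TTL.

```python
"""Resolve secret references in an OCI Function's config at runtime.

Added example, not from the original post. Assumes (by convention) that
sensitive config parameters hold ``secret:<secret OCID>``; everything
else is passed through unchanged.
"""
import base64
import time
from typing import Callable, Dict, Tuple

SECRET_PREFIX = "secret:"      # reference convention assumed for this example
DEFAULT_TTL_SECONDS = 300      # upper bound on staleness after a secret is rotated


def fetch_secret_from_vault(secret_ocid: str) -> str:
    """Read the current version of a secret with the OCI Python SDK.

    Authenticates as the function's resource principal, so the function's
    dynamic group needs a policy allowing it to read secret-bundles in the
    vault. The SDK is imported lazily so the caching logic below also runs
    where the SDK is not installed (e.g. in unit tests with a stub fetcher).
    """
    import oci  # type: ignore
    signer = oci.auth.signers.get_resource_principals_signer()
    client = oci.secrets.SecretsClient(config={}, signer=signer)
    bundle = client.get_secret_bundle(secret_id=secret_ocid).data
    return base64.b64decode(bundle.secret_bundle_content.content).decode("utf-8")


class SecretResolver:
    """Resolves ``secret:<ocid>`` references through a TTL-bounded cache."""

    def __init__(self, fetch: Callable[[str], str] = fetch_secret_from_vault,
                 ttl_seconds: int = DEFAULT_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._cache: Dict[str, Tuple[float, str]] = {}   # ocid -> (fetched_at, value)

    def get(self, ocid: str) -> str:
        now = self._clock()
        hit = self._cache.get(ocid)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]                        # fresh enough: no vault call
        value = self._fetch(ocid)                # miss or expired: ask the vault
        self._cache[ocid] = (now, value)
        return value

    def resolve(self, config: Dict[str, str]) -> Dict[str, str]:
        """Return a copy of config with each secret reference replaced by its value."""
        return {k: self.get(v[len(SECRET_PREFIX):]) if v.startswith(SECRET_PREFIX) else v
                for k, v in config.items()}
```

In an Fn handler the config map is typically `os.environ`, so `SecretResolver().resolve(dict(os.environ))` at module load gives a dict in which `DB_PASSWORD` holds the real password while the stored parameter only ever contains the OCID.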
The figure visualizes what I would like to be able to do.
The OCI documentation on function parameters – https://docs.oracle.com/en-us/iaas/Content/Functions/Tasks/functionspassingconfigparams.htm – uses a password as an example of a parameter and seems to suggest that the password is defined as a plain text string value in the parameter. Anyone with some sense of security principles should frown.