Gaps in the Serverless Mesh: Deployment, Discovery, and Auth
Ben Kehoe
Cloud Robotics Research Scientist at iRobot
AWS Serverless Hero
@ben11kehoe
2018-08-01
4. iRobot 2018 | 4@ben11kehoe
Deployment
• Red/black imposes requirements on clients
• Blue/green is the direction providers are headed
• Existing paradigm:
  • Blue/green controller is part of your component graph
  • Update component graph in-place
  • Controller manages roll-out
5. iRobot 2018 | 5@ben11kehoe
What does blue/green deployment look like for a component graph? (i.e., a CloudFormation stack)
10. iRobot 2018 | 10@ben11kehoe
[Diagram: API, Function router, Function versions v1 and v2]
11. iRobot 2018 | 11@ben11kehoe
[Diagram: API router, API versions v1 and v2, Function router, Function versions v1 and v2]
12. iRobot 2018 | 12@ben11kehoe
[Diagram: API router, API versions v1 and v2, Function versions v1 and v2]
Function/code versions must be first-class citizens in infrastructure
13. iRobot 2018 | 13@ben11kehoe
[Diagram: API router, API versions v1 and v2, Function versions v1 and v2, Function placeholder, Function router]
18. iRobot 2018 | 18@ben11kehoe
[Diagram: Function, Role, Policy; versions v1 and v2. Annotation: Continuity of role may be necessary. Outcome labels: v1 allow, v1 deny, both allow, both deny, v2 allow, v2 deny, ?]
19. iRobot 2018 | 19@ben11kehoe
[Diagram: Function, Role, Policy; versions v1 and v2. Outcome labels: v1 allow, v1 deny, v2 allow, v2 deny, both allow, both deny]
20. iRobot 2018 | 20@ben11kehoe
[Diagram: Source, Deployed, Tool; labels Blue, Green, Cyan]
21. iRobot 2018 | 21@ben11kehoe
Authentication and Authorization
26. iRobot 2018 | 26@ben11kehoe
[Diagram: Role, Policy, Resource]
Problems:
• Push the problem to AssumeRole permissions
27. iRobot 2018 | 27@ben11kehoe
What do I really want?
• Caller defines desired permissions
• Service could provide standard policies
• Checked against org rules
• Attached to caller
• Assuming cross-account and number-of-policies issues don’t matter
28. iRobot 2018 | 28@ben11kehoe
Auto-generated policies
• Deriving policies from code is not a good idea
• Permissions should help stop malicious code
• But you’d derive malicious permissions from malicious code
• Need explicit declarations
• Then check against code for mismatch (in either direction)
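An added example (not from the talk or from iRobot) of the check described above: the explicit declaration stays the source of truth, and the code is scanned only to report mismatches in both directions. The sample handler, the declared set, and the snake_case-to-PascalCase mapping from SDK method to IAM action are assumptions; that mapping does not hold for every AWS action.

```python
import ast

# Constructed sample: a handler's source and its explicitly declared permissions.
SAMPLE_SOURCE = '''
import boto3
s3 = boto3.client("s3")
ddb = boto3.client("dynamodb")

def handler(event, context):
    obj = s3.get_object(Bucket="b", Key=event["key"])
    ddb.put_item(TableName="t", Item={"id": {"S": event["key"]}})
    s3.delete_object(Bucket="b", Key=event["key"])
'''
DECLARED = {"s3:GetObject", "dynamodb:PutItem", "dynamodb:Query"}


def to_action(service, method):
    # Assumption: SDK method get_object corresponds to IAM action GetObject.
    return f"{service}:{''.join(p.capitalize() for p in method.split('_'))}"


def actions_used(source):
    """Return the IAM actions implied by calls on boto3 clients in the source."""
    tree = ast.parse(source)
    clients = {}  # variable name -> service name, from x = boto3.client("svc")
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and isinstance(node.value.func, ast.Attribute)
                and node.value.func.attr == "client" and node.value.args
                and isinstance(node.value.args[0], ast.Constant)):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    clients[target.id] = node.value.args[0].value
    used = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id in clients):
            used.add(to_action(clients[node.func.value.id], node.func.attr))
    return used


def check(declared, source):
    """Compare declaration and code; never derive the policy from the code."""
    used = actions_used(source)
    return {"undeclared_in_code": sorted(used - declared),   # code exceeds declaration
            "declared_but_unused": sorted(declared - used)}  # over-broad declaration
```

An action in `undeclared_in_code` is a finding to review, not a permission to grant automatically.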
33. iRobot 2018 | 33@ben11kehoe
Parameter Store for discovery
• Each microservice has a space in the parameter hierarchy
• Discoverable parameters are tagged as public
• Public parameters are synced across all accounts (via a central account)
  • Sync is organizational infrastructure
• Each microservice only needs to look at the account-local Parameter Store for discovery
34. iRobot 2018 | 34@ben11kehoe
Details on cross-account Parameter Store sync
• Set up as infrastructure; clients of Parameter Store don’t need to care where parameters are coming from
• Each account:
  • Pushes to a central account’s Parameter Store
  • Subscribes to SNS topic of central store updates
  • Periodically queries central store
Red-black entire system
Ok, since you never pay for idle
Scalable in number of services, but not cadence
Two entire systems: how do you switch clients over?