DigitalOcean Enhances Security with User-Specific Namespace Access Keys
As serverless workloads continue to grow and scale, the importance of managing security postures becomes paramount. At DigitalOcean, we are committed to supporting your growth at every stage, which is why we continuously iterate on our security architecture to provide the best possible solutions for our users.
Historically, DigitalOcean Functions utilized a shared credential model within a namespace that was configured in the settings tab of the function view. While this model was simple to start with, it posed challenges for growing teams. For instance, if a team member left or changed roles, the shared credentials remained valid, requiring admins to manually revoke and regenerate keys, causing disruptions in workflows for other developers and production workloads using the shared key.
Today, we are thrilled to announce a significant upgrade to our access model: user-specific namespace access keys. This update shifts access control from the namespace level to the individual identity level, ensuring that access is granted to specific users rather than through a shared key.
The transition to user-specific keys addresses several critical use cases for teams. Firstly, it enables automated access management: when a team member is removed from the DigitalOcean team, that member's access keys are revoked automatically, eliminating the need for manual key rotation. Additionally, users can now create multiple access keys for a namespace, which makes manual rotation and the management of environment-specific keys easier. The update also streamlines accountability by associating actions with unique user-specific keys, providing better visibility and auditability into resource management. Moreover, access keys can now carry an optional expiration (TTL) to further limit the attack surface; once the expiration time has passed, the key no longer authenticates.
The DigitalOcean Functions API has been updated to support programmatic management of access keys, allowing users to create, list, update, and delete access keys directly via the API for better automation and security hygiene for serverless namespaces.
To interact with these new endpoints, users can follow a simple guide on how to utilize the new features. For example, to create a namespace access key, a POST request can be sent to the keys endpoint. The response includes the full key details and metadata such as creation and expiration dates. Similarly, users can list, update, and delete access keys using respective endpoints, with detailed response highlights provided for each action.
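To make the model concrete, here is an added example (not DigitalOcean's code or API) that models the lifecycle described above: keys bound to a user and a namespace, several keys per user, an optional TTL, automatic revocation when a member leaves the team, and an audit log that attributes each action to a user. The class and method names, the `ns-prod` namespace and the users are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Constructed model of the key lifecycle described above; not DigitalOcean's own code.
@dataclass
class AccessKey:
    key_id: str
    user: str                               # identity the key is bound to
    namespace: str
    expires_at: Optional[datetime] = None   # None: no TTL
    revoked: bool = False

class NamespaceKeyStore:
    def __init__(self) -> None:
        self.keys: dict[str, AccessKey] = {}
        self.team: set[str] = set()
        self.audit_log: list[tuple[str, str, str]] = []   # (key_id, user, action)
    def create_key(self, user, namespace, now, ttl: Optional[timedelta] = None) -> AccessKey:
        if user not in self.team:
            raise PermissionError(f"{user} is not a member of the team")
        key = AccessKey(f"key-{len(self.keys) + 1}", user, namespace, now + ttl if ttl else None)
        self.keys[key.key_id] = key      # a user may hold several keys per namespace
        return key
    def authorize(self, key_id, namespace, now, action) -> bool:
        key = self.keys.get(key_id)
        if key is None or key.revoked or key.namespace != namespace:
            return False
        if key.expires_at is not None and now >= key.expires_at:
            return False                 # TTL elapsed: the key no longer authenticates
        self.audit_log.append((key_id, key.user, action))   # every action is attributable
        return True
    def remove_member(self, user) -> int:
        # Offboarding cascades to every key this user holds; other users' keys are untouched.
        self.team.discard(user)
        to_revoke = [k for k in self.keys.values() if k.user == user and not k.revoked]
        for k in to_revoke:
            k.revoked = True
        return len(to_revoke)

def scenario() -> dict:
    store, t0 = NamespaceKeyStore(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.team.update({"alice", "bob"})
    a1 = store.create_key("alice", "ns-prod", t0, ttl=timedelta(days=7))
    b1 = store.create_key("bob", "ns-prod", t0)
    ok_before = store.authorize(a1.key_id, "ns-prod", t0 + timedelta(days=1), "deploy")
    ok_after_ttl = store.authorize(a1.key_id, "ns-prod", t0 + timedelta(days=8), "deploy")
    revoked = store.remove_member("alice")   # alice offboarded: her keys die, bob's survive
    bob_ok = store.authorize(b1.key_id, "ns-prod", t0 + timedelta(days=9), "list")
    return dict(ok_before=ok_before, ok_after_ttl=ok_after_ttl, revoked=revoked, bob_ok=bob_ok, audit=store.audit_log)
```

Contrast this with the legacy shared key: revoking one departed member there would have invalidated the single credential every other developer and production workload was using.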
Managing these access keys can be done via the Cloud Control Panel or the command line tool doctl. Users must have the latest version of doctl installed and configured with the necessary permissions to create or manage namespace access keys.
The migration to user-specific access keys is currently in a dual support phase, allowing both legacy shared credentials and new user-specific keys to work side-by-side for a limited time. However, all users are required to eventually migrate to their personal access keys to ensure continued access. This transition does not require any code changes but is essential for maintaining access to DigitalOcean Functions.
The move to user-specific access keys signifies a significant advancement in the security and manageability of DigitalOcean Functions. By linking access to individual identities, we enable automated access revocation, improved auditability, and a more secure environment for serverless applications. We encourage all users to log in to the Cloud Panel, generate their new keys, and update existing workflows to benefit from these enhanced security features.
In conclusion, the implementation of user-specific namespace access keys underscores DigitalOcean’s commitment to providing a secure and reliable platform for developers to manage their serverless workloads effectively. By prioritizing security and user experience, we aim to empower our users to focus on building and scaling their applications with confidence.
For more information, refer to this article.