Abstract: Techniques of keyless authentication of computing services in distributed computing systems are disclosed herein. One example technique includes upon receiving a command to instantiate a computing service, transmitting a request to an authentication service for an identity assertion token corresponding to an application execution of which instantiates the computing service. The example technique can also include upon receiving the requested identity assertion token, storing the received identity assertion token in the container and modifying an entry of a configuration file in the container that allows the instantiated computing service to access the stored identity assertion token and authenticate to the authentication service using the identity assertion token.

Abstract: Techniques of keyless authentication of computing services in distributed computing systems are disclosed herein. One example technique includes upon receiving a command to instantiate a computing service, transmitting a request to an authentication service for an identity assertion token corresponding to an application execution of which instantiates the computing service. The example technique can also include upon receiving the requested identity assertion token, storing the received identity assertion token in the container and modifying an entry of a configuration file in the container that allows the instantiated computing service to access the stored identity assertion token and authenticate to the authentication service using the identity assertion token.

Abstract: An authorization policy defines permissions that are exposed by a microservice. When a call is made to the microservice, it includes an access token. An application identifier uniquely identifying the calling application is extracted from the token. An access pattern, used by the calling application to obtain the access token and make the call to the microservice, is identified. Permissions that may be granted to the calling application are identified in the authorization policy based upon the application identifier and the access pattern that is identified. An authorization decision is made as to whether to authorize the call, based upon the granted permissions.

Abstract: Techniques of keyless authentication of computing services in distributed computing systems are disclosed herein. One example technique includes upon receiving a command to instantiate a computing service, transmitting a request to an authentication service for an identity assertion token corresponding to an application execution of which instantiates the computing service. The example technique can also include upon receiving the requested identity assertion token, storing the received identity assertion token in the container and modifying an entry of a configuration file in the container that allows the instantiated computing service to access the stored identity assertion token and authenticate to the authentication service using the identity assertion token.

Abstract: A routing plane includes an authentication packaging system that receives client authentication information, as part of a request from a requesting client that is to be routed to a target service. The authentication packaging system combines the authentication information with assertion information indicative of an assertion as to the identity of the routing plane, using an entropy, such as a signing key. The authentication package is attached to the request and is sent to the target service. The target service validates the authentication package based on the entropy and authenticates the routing plane based on the assertion information and performs authentication processing based on the authentication information.

Abstract: Techniques of data authentication in a distributed computing system are disclosed herein. One example technique includes receiving a request for performing an operation along with a data package that includes a security token, a first digital signature of the security token generated using an ephemeral private key, and an ephemeral public key with a second digital signature generated using a master private key stored at a secure location. The example technique can also include initially validating the second digital signature using a public key corresponding to the master private key, and upon validating the second digital signature, validating the first digital signature of the security token using the ephemeral public key included in the data package. Upon validating that the first digital signature of the security token, the request can be authenticated, and the requested operation can be performed.

Abstract: A routing plane includes an authentication packaging system that receives client authentication information, as part of a request from a requesting client that is to be routed to a target service. The authentication packaging system combines the authentication information with assertion information indicative of an assertion as to the identity of the routing plane, using an entropy, such as a signing key. The authentication package is attached to the request and is sent to the target service. The target service validates the authentication package based on the entropy and authenticates the routing plane based on the assertion information and performs authentication processing based on the authentication information.

Abstract: A routing plane includes an authentication packaging system that receives client authentication information, as part of a request from a requesting client that is to be routed to a target service. The authentication packaging system combines the authentication information with assertion information indicative of an assertion as to the identity of the routing plane, using an entropy, such as a signing key. The authentication package is attached to the request and is sent to the target service. The target service validates the authentication package based on the entropy and authenticates the routing plane based on the assertion information and performs authentication processing based on the authentication information.

Abstract: A routing plane includes an authentication packaging system that receives client authentication information, as part of a request from a requesting client that is to be routed to a target service. The authentication packaging system combines the authentication information with assertion information indicative of an assertion as to the identity of the routing plane, using an entropy, such as a signing key. The authentication package is attached to the request and is sent to the target service. The target service validates the authentication package based on the entropy and authenticates the routing plane based on the assertion information and performs authentication processing based on the authentication information.

Abstract: Techniques of data authentication in a distributed computing system are disclosed herein. One example technique includes receiving a request for performing an operation along with a data package that includes a security token, a first digital signature of the security token generated using an ephemeral private key, and an ephemeral public key with a second digital signature generated using a master private key stored at a secure location. The example technique can also include initially validating the second digital signature using a public key corresponding to the master private key, and upon validating the second digital signature, validating the first digital signature of the security token using the ephemeral public key included in the data package. Upon validating that the first digital signature of the security token, the request can be authenticated, and the requested operation can be performed.

Abstract: Techniques of keyless authentication of computing services in distributed computing systems are disclosed herein. One example technique includes upon receiving a command to instantiate a computing service, transmitting a request to an authentication service for an identity assertion token corresponding to an application execution of which instantiates the computing service. The example technique can also include upon receiving the requested identity assertion token, storing the received identity assertion token in the container and modifying an entry of a configuration file in the container that allows the instantiated computing service to access the stored identity assertion token and authenticate to the authentication service using the identity assertion token.

Abstract: An authorization policy defines permissions that are exposed by a microservice. When a call is made to the microservice, it includes an access token. An application identifier uniquely identifying the calling application is extracted from the token. An access pattern, used by the calling application to obtain the access token and make the call to the microservice, is identified. Permissions that may be granted to the calling application are identified in the authorization policy based upon the application identifier and the access pattern that is identified. An authorization decision is made as to whether to authorize the call, based upon the granted permissions.

Abstract: A computing system controls access between components. A token issuer issues an access token to a requesting component, that is requesting access to a requested service component, based at least in part on an access policy. The requesting component sends the token to the requested service component, which includes a token authentication module that validates the access token and authorizes the requesting component to access a requested service component, and receives the authorization to access the requested service component.

Abstract: A computing system controls access between components. A token issuer issues an access token to a requesting component, that is requesting access to a requested service component, based at least in part on an access policy. The requesting component sends the token to the requested service component, which includes a token authentication module that validates the access token and authorizes the requesting component to access a requested service component, and receives the authorization to access the requested service component.