Securing Serverless Functions: An Overview of Identity Management

serverless functions workload identity non-human identity serverless security function identity
Lalit Choda
Lalit Choda
 
June 26, 2025 11 min read

Introduction to Serverless Function Identities

Serverless functions are revolutionizing application development, but how do you ensure they're secure? The key lies in understanding and effectively managing their identities.

Serverless functions, unlike traditional applications, often operate without a fixed, long-lived identity. This introduces unique challenges for authentication and authorization.

  • Stateless Execution: Serverless functions are stateless, meaning each invocation is independent and doesn't inherently retain information from previous executions. As such, traditional session-based identity management is often not applicable.
  • Event-Driven Architecture: These functions are triggered by events, which can originate from diverse sources such as HTTP requests, database changes, or message queues. Each trigger event needs to be authenticated and authorized.
  • Microservice Design: Serverless functions are often part of a broader microservice architecture, requiring secure communication and access control between different services.
  • Non-Human Identities (NHIs): Serverless functions often need to interact with other services, which requires having a non-human identity (NHI). An NHI can be a service account, an access key, or a certificate.

Serverless function identities are critical for granting permissions to access resources, ensuring that only authorized functions can interact with sensitive data or other services.

  • Resource Access: Functions often need to read from or write to databases, access storage buckets, or invoke other APIs. Identity management ensures that each function has the correct permissions, preventing unauthorized access. For instance, a function processing healthcare records should only have access to the specific patient data it requires.
  • Service-to-Service Authentication: In a retail application, a function handling order processing might need to communicate with a payment gateway. Function identities facilitate secure authentication between these services.
  • Security Best Practices: Without proper identity management, serverless applications are vulnerable to security breaches, potentially leading to data leaks or unauthorized actions.
graph LR A[User Request] --> B{API Gateway} B --> C[Serverless Function] C --> D{Database} D --> C C --> B B --> A 
style A fill:#f9f,stroke:#333,stroke-width:2px
style D fill:#ccf,stroke:#333,stroke-width:2px

As serverless architectures become more prevalent, robust identity management strategies are essential. In the next section, we'll delve into the concept of Non-Human Identities (NHIs) and their significance in the serverless world.

Understanding Non-Human Identities (NHIs)

Did you know that non-human identities (NHIs) are the silent workhorses behind many serverless function operations? They enable your serverless functions to securely interact with other services and resources without human intervention.

NHIs are digital identities assigned to applications, services, or devices, rather than individual users. Think of them as the credentials that allow your serverless functions to "prove" who they are when accessing resources.

  • Service Accounts: These are special accounts created within a cloud provider's IAM (Identity and Access Management) system. They provide a function with a specific set of permissions. For example, an AWS Lambda function might use a service account to access an S3 bucket.
  • Access Keys: These are cryptographic keys that grant access to specific resources. While convenient, they need to be managed carefully to avoid security risks. Imagine a scenario where a function in a financial application uses access keys to interact with a payment processing service.
  • Certificates: These are digital documents that verify the identity of a function. They are commonly used for secure communication between services. For instance, a function in a healthcare application might use certificates to encrypt data transmitted to a patient record system.

NHIs play a crucial role in securing serverless functions by ensuring that only authorized functions can access sensitive resources.

  • Least Privilege: NHIs allow you to grant functions only the minimum necessary permissions. This principle helps to limit the potential damage from compromised functions. A function processing customer orders in a retail application should only have access to order-related data, not customer payment information.
  • Automation: NHIs enable functions to operate autonomously without requiring human intervention for authentication. This is critical for event-driven architectures where functions are triggered automatically by various events.
  • Auditing: NHIs provide a clear audit trail of function activity, making it easier to track down security breaches or misconfigurations.

Consider an image processing function in a media company's serverless application. It needs to access storage buckets to retrieve images, use a third-party API to perform image analysis, and update a database with the results. By assigning a unique NHI to this function, the company can ensure that it only has access to the necessary resources and that all its actions are properly logged.

sequenceDiagram participant SF as Serverless Function participant S3 as S3 Bucket participant API as Image Analysis API participant DB as Database 
SF->>S3: Request Image (with NHI)
S3->>SF: Image Data
SF->>API: Analyze Image (with NHI)
API->>SF: Analysis Results
SF->>DB: Update Database (with NHI)
DB->>SF: Confirmation

As you can see, NHIs are essential for managing identities in serverless functions. Next, we'll explore how to implement serverless function identities in AWS Lambda.

Implementing Serverless Function Identities in AWS Lambda

Ready to bring your serverless functions to life in AWS Lambda? Implementing identities might seem complex, but AWS provides robust mechanisms to streamline the process.

AWS Identity and Access Management (IAM) roles are central to managing serverless function identities. These roles grant your Lambda functions permissions to access other AWS resources, such as S3 buckets, DynamoDB tables, or other services. The principle of least privilege is paramount: grant only the permissions a function needs to perform its task.

  • Creating IAM Roles: You can create IAM roles directly through the AWS Management Console, AWS CLI, or Infrastructure as Code (IaC) tools like AWS CloudFormation or the Serverless Framework.
  • Attaching Roles to Lambda Functions: Once created, you associate the IAM role with your Lambda function. This is done during the function's creation or update process. When the function executes, it assumes the permissions defined in the IAM role.

Let's say you have a Lambda function that needs to read objects from an S3 bucket.

  1. Create an IAM role with a policy that allows s3:GetObject action on the specific bucket.
  2. Attach this role to your Lambda function.
  3. Now, your function can securely access the S3 bucket without needing to embed credentials directly in the code.

The Serverless Framework streamlines the process of defining and deploying serverless applications. You can define IAM roles and permissions directly in the serverless.yml file, making it easier to manage your function's identity as part of your infrastructure code.

According to the Serverless Framework documentation, the serverless.yml file allows you to specify IAM roles and permissions, simplifying identity management.

functions:
  myFunc:
    handler: handler.main
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - "s3:GetObject"
        Resource: "arn:aws:s3:::your-bucket/*"

If you're using the Node.js 20 runtime in AWS Lambda, be aware of changes to Root CA certificate loading. Lambda no longer loads additional CA certificates by default, which can impact functions accessing other AWS services. You may need to bundle specific certificates with your deployment package and load them via the NODE_EXTRA_CA_CERTS environment variable.

Implementing serverless function identities in AWS Lambda is a critical step in securing your applications. By using IAM roles and Infrastructure as Code, you can manage permissions, enforce the principle of least privilege, and ensure your functions operate securely.

Next, we'll explore how to achieve similar identity management in Azure Functions.

Implementing Serverless Function Identities in Azure Functions

Is identity management in Azure Functions giving you a headache? Let's explore how to implement serverless function identities in Azure Functions, which can significantly improve your security posture.

Azure Functions offers Managed Identities, a feature that provides an automatically managed identity for your functions to authenticate to Azure services. This eliminates the need to store credentials in your code or configuration files, greatly enhancing security.

  • System-Assigned Identity: Enabled directly on the function app, this identity is tied to the lifecycle of the function app and is automatically removed when the function app is deleted.
  • User-Assigned Identity: Created as a standalone Azure resource, this identity can be assigned to multiple Azure resources, including function apps. This is useful when you need to manage identities centrally across several services.

Enabling Managed Identities for your Azure Functions is straightforward.

  1. Enable the Identity: In the Azure portal, navigate to your Function App, select "Identity" under "Settings," and switch the "Status" to "On" for either System-assigned or User-assigned identity.
  2. Grant Permissions: Once enabled, grant the function app the necessary permissions to access other Azure resources, such as Azure Key Vault, Azure Storage, or Azure Cosmos DB. You can do this through Azure Role-Based Access Control (RBAC).
  3. Access Resources: In your function code, use the Azure SDKs to access resources using the function app's managed identity. The SDKs automatically handle authentication using the managed identity.

Consider a scenario where an Azure Function needs to read secrets from Azure Key Vault. You would:

  1. Enable a managed identity (either system-assigned or user-assigned) on the Azure Function.
  2. Grant the managed identity "Key Vault Secret User" role on the Key Vault.
  3. Use the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages in your function code to retrieve the secrets.
// C# code to access Key Vault using Managed Identity
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://your-key-vault-url.vault.azure.net/"), credential);
KeyVaultSecret secret = await client.GetSecretAsync("YourSecretName");
string secretValue = secret.Value;
  • Enhanced Security: No need to manage or rotate credentials manually.
  • Simplified Management: Centralized identity management through Azure RBAC.
  • Improved Compliance: Aligns with security best practices and compliance requirements.

By implementing Managed Identities, you can significantly improve the security and manageability of your serverless applications in Azure Functions.

Next, let's explore best practices for managing serverless function identities to ensure robust security.

Best Practices for Managing Serverless Function Identities

Is your serverless function identity strategy a well-oiled machine, or a ticking time bomb? Effectively managing these identities is crucial for maintaining a secure and efficient serverless environment.

It's easy to over-grant permissions. Always adhere to the principle of least privilege, granting functions only the minimum necessary access.

  • For example, a serverless function in a ride-sharing application responsible for sending SMS notifications should only have permissions to access the SMS service API. It shouldn't have access to user location data or payment information.
  • Regularly audit and review permissions to identify and remove any unnecessary access rights. Implement automated tools to detect and alert on overly permissive roles.

Minimize the risk of compromised credentials by implementing a robust rotation policy.

  • Automate the rotation of access keys and certificates used by your serverless functions. Aim for a rotation frequency that aligns with your organization's security policies and risk tolerance.
  • In a banking application, access keys used to access transaction databases should be rotated every 30-60 days. This limits the window of opportunity for attackers if a key is compromised.

Where possible, use managed identities provided by your cloud provider instead of manually managing credentials.

  • As discussed earlier, Azure Functions offers Managed Identities, which automatically handle authentication to Azure services.
  • AWS IAM roles, as previously mentioned, are also a powerful way to manage permissions without embedding credentials in your code.

Gain visibility into how your serverless function identities are being used.

  • Implement logging and monitoring to track all access attempts made by your functions. Analyze these logs to identify suspicious activity or potential security breaches.
  • In a healthcare application, monitor access to patient records by serverless functions. An unusual pattern, such as a function accessing a large number of records outside of its normal operating hours, could indicate a security incident.

Manage your serverless infrastructure, including function identities, using IaC tools.

  • As previously stated, the Serverless Framework allows you to define IAM roles and permissions directly in your serverless.yml file.
  • This approach ensures that your identity configurations are version-controlled, auditable, and easily reproducible.
sequenceDiagram participant DEV as Developer participant IAC as Infrastructure as Code participant CI as CI/CD Pipeline participant Cloud as Cloud Provider 
DEV->>IAC: Define Identity & Permissions
IAC->>CI: Commit Changes
CI->>Cloud: Deploy Infrastructure
Cloud->>Cloud: Provision Resources with Identities

By following these best practices, you can significantly strengthen the security of your serverless applications and mitigate the risks associated with identity management.

Now that we've covered best practices, let's explore the tools and technologies available for serverless identity management.

Tools and Technologies for Serverless Identity Management

Ready to supercharge your serverless identity management? A variety of tools and technologies can help you streamline and secure your serverless functions.

IAM solutions are the bedrock of serverless identity management. They provide the framework for creating, managing, and enforcing identities and permissions.

  • Cloud Provider IAM: AWS IAM and Azure Active Directory (Azure AD) are fundamental for managing identities within their respective cloud environments. As previously discussed, these services allow you to define roles and policies, granting functions precise permissions to access resources.
  • HashiCorp Vault: This tool centralizes secrets management and provides secure access to sensitive data. For instance, a function in a financial application could use Vault to retrieve database credentials, ensuring that secrets are never hardcoded.

IaC tools automate the provisioning and management of infrastructure, including identity configurations. This ensures consistency and reduces the risk of human error.

  • As noted earlier, the Serverless Framework enables you to define IAM roles and permissions directly in your serverless.yml file.
  • Terraform: This tool allows you to define and provision infrastructure across multiple cloud providers. Imagine a scenario where a media company uses Terraform to manage identities for serverless functions across both AWS and Azure.

These tools provide visibility into how serverless function identities are being used, enabling you to detect and respond to security incidents.

  • AWS CloudTrail: This service logs API calls made to your AWS resources, providing a clear audit trail of function activity.
  • Azure Monitor: This tool collects and analyzes telemetry data from your Azure resources, helping you identify potential security breaches or misconfigurations.

These tools securely store and manage sensitive information, such as API keys and database passwords, preventing them from being exposed in your code.

  • AWS Secrets Manager: This service allows you to rotate, manage, and retrieve secrets throughout their lifecycle.
  • Azure Key Vault: As previously mentioned, Azure Key Vault provides a secure way to store and manage secrets, certificates, and keys.

As serverless technology evolves, identity management solutions will become more sophisticated. In the next section, we'll explore the future of serverless function identities.

Lalit Choda
Lalit Choda
 

NHI Evangelist : with 25+ years of experience, Lalit Choda is a pioneering figure in Non-Human Identity (NHI) Risk Management and the Founder & CEO of NHI Mgmt Group. His expertise in identity security, risk mitigation, and strategic consulting has helped global financial institutions to build resilient and scalable systems.

Related Articles

Kubernetes Workload Identity

Kubernetes Workload Identity Simplified

Learn about Kubernetes Workload Identity, its benefits, types, and real-life applications. Get insights into managing machine identities effectively.

By Lalit Choda June 12, 2025 3 min read
Read full article
OAuth 2.0

Secure Your Machines with OAuth 2.0 and OpenID Connect

Discover how OAuth 2.0 and OpenID Connect enable secure machine identities. Learn the steps, comparisons, and real-life applications for smooth integration.

By Lalit Choda June 6, 2025 3 min read
Read full article
HSM

The Essentials of Hardware Security Modules and TPM

Learn about Hardware Security Modules (HSM) and Trusted Platform Module (TPM). Discover their roles in security, types, and real-world applications in machine identity.

By Lalit Choda May 31, 2025 3 min read
Read full article
Zero Trust

Mastering the Zero Trust Security Model

Dive into the Zero Trust Security Model, a crucial framework that challenges traditional security methods. Learn the steps, types, and real-world examples.

By Lalit Choda May 19, 2025 2 min read
Read full article