This function decrypts a cipher text using a Vault key. As a best practice, we do not recommend to expose your secrets via a return value of a function. This sample just demonstrate to use Vault keys in a function.
As you make your way through this tutorial, look out for this icon 
.
Whenever you see it, it's time for you to perform an action.
Before you deploy this sample function, make sure you have run step A, B and C of the Oracle Functions Quick Start Guide for Cloud Shell
- A - Set up your tenancy
- B - Create application
- C - Set up your Cloud Shell dev environment
Assuming your have successfully completed the prerequisites, you should see your application in the list of applications.
fn ls apps
In order to use other OCI Services, your function must be part of a dynamic group. For information on how to create a dynamic group, refer to the documentation.
When specifying the Matching Rules, we suggest matching all functions in a compartment with:
ALL {resource.type = 'fnfunc', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaxxxxx'}
Please check the Accessing Other Oracle Cloud Infrastructure Resources from Running Functions for other Matching Rules options.
Create a new policy that allows the dynamic group to manage compute instances. We will grant use access to keys in the compartment.
Your policy should look something like this:
Allow dynamic-group <dynamic-group-name> to use keys in compartment <compartment-name>
For more information on how to create policies, check the documentation.
Review the following files in the current folder:
- the code of the function, func.py
- its dependencies, requirements.txt
- the function metadata, func.yaml
In Cloud Shell, run the fn deploy command to build the function and its dependencies as a Docker image, push the image to OCIR, and deploy the function to Oracle Functions in your application.
fn -v deploy --app <app-name>
On the OCI console, navigate to Security > Key Management. If you don't already have a Vault created, create one. Create a key by clicking on Create Key. Provide a name for the key and click Create Key.
In your vault, note the Cryptographic Endpoint and your key OCID.
Set the KEY_OCID and CRYPTOGRAPHIC_ENDPOINTT environement variables with the OCID of your Vault key and the Vault Endpoint. For example:
KEY_OCID='ocid1.key.oc1.phx.acdfdfna.abyxxxxxxxsqhycfq'
CRYPTOGRAPHIC_ENDPOINT='https://a5pdddfdfna-crypto.kms.us-phoenix-1.oraclecloud.com'
Set the PLAIN_TEXT environement variable with the text you will encrypt:
PLAIN_TEXT="my text"
Run the following command to get the encrypted version of your text:
oci kms crypto encrypt --key-id "$KEY_OCID" --endpoint "$CRYPTOGRAPHIC_ENDPOINT" \
--plaintext "$( echo $PLAIN_TEXT | base64 -b0 )" | jq -r .data.ciphertext
The above command is for MacOS. For Linux, replace base64 -b0 with base64 -w0.
The command returns a Cipher text, you will use it to invoke your function.
The function requires the following configuration values to be set:
- key_ocid
- cryptographic_endpoint
Use the fn CLI to set the config value:
fn config function <app-name> <function-name> key_ocid <Vault-key-OCID>
fn config function <app-name> <function-name> cryptographic_endpoint <Vault-Cryptographic-Endpoint>
e.g.
fn config function myapp oci-vault-decrypt-python key_ocid "ocid1.key.oc1.phx.a5pedhchaafna.abyhqljt63augu4nwptqrvaw7gymh7zp7ihvgayo72pehd3sqhfproiaycfq"
fn config function myapp oci-vault-decrypt-python cryptographic_endpoint 'https://a5pedhchaafna-crypto.kms.us-phoenix-1.oraclecloud.com'
The function requires the cipher to be specified in the payload to be invoked. "cipher-text" is encrypted text you generated in the section [Create the Vault key and a cipher text](#Create the Vault key and a cipher text)
echo '{"cipher": "<cipher-text>"}' | fn invoke <app-name> oci-vault-decrypt-python
e.g.:
echo '{"cipher": "Ia+hS8+UYAEV8gr00ItHxsC1jhfslbzAA="}' | fn invoke myapp oci-vault-decrypt-python
Upon success, the function should return the decrypted text: {"decryptedtext": "my text"}
Learn how to configure basic observability for your function using metrics, alarms and email alerts: