On-demand network code execution with cross-account aliases

US 10,277,708 B2
Filed: 06/30/2016
Issued: 04/30/2019
Est. Priority Date: 06/30/2016
Status: Active Grant

First Claim

Patent Images

1. A system to enable cross-account execution of tasks on an on-demand code execution environment, the system comprising:

a non-transitory data store configured to store tasks, wherein individual tasks are owned by accounts of the on-demand code execution environment and are associated with user-submitted source code executable to implement functionality corresponding to the individual tasks; and

one or more processors configured with computer-executable instructions to;

receive a request from a user computing device associated with a first account to enable execution of a task owned by a second account, wherein the request comprises one or more parameters for the on-demand code execution environment to pass to the user-submitted source code associated with the task in response to a user of the first account requesting execution of the task, and wherein the one or more parameters include authentication information for a network resource of the first account to be passed to the user-submitted source code associated with the task;

generate an alias corresponding to the first account, wherein the alias references the task owned by the second account, and wherein a call to the alias causes the on-demand code execution environment to pass the one or more parameters to an execution of the user-submitted source code without requiring that the one or more parameters be included within the call to the alias;

return, to the user computing device associated with the first account, access information enabling the user computing device to call the alias corresponding to the first account in order to execute the task owned by the second account, including causing the on-demand code execution environment to pass the one or more parameters to the execution of the user-submitted source code associated with the task;

receive the call to the alias corresponding to the first account;

select a virtual machine instance within the on-demand code execution environment on which to execute the user-submitted source code corresponding to the task owned by the second account, wherein the virtual machine instance is dedicated to at least one of execution of tasks of the first account or execution of tasks of the second account; and

execute within the virtual machine instance the user-submitted source code corresponding to the task owned by the second account on behalf of the first account, wherein execution of the code comprises passing, by the on-demand code execution environment and to the user-submitted source code, the one or more parameters including the authentication information for the network resource of the first account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for managing cross-account access to tasks on an on-demand code execution environment or other distributed code execution environment. Such environments utilize pre-initialized virtual machine instances to enable execution of user-specified code in a rapid manner, without delays typically caused by initialization of the virtual machine instances. However, to ensure security, the code of different users is generally maintained separately, and executed on separate virtual machines. Embodiments described herein enable users of a first account to execute code of a second account, without gaining access to the code itself and while maintaining the privacy and security of each account. Specifically, aliases for a task of a first account can be created on a task of a second account, and used to invoke that task on behalf of the first account. Aliases may also allow users to customize how the task is executed.

434 Citations

20 Claims

1. A system to enable cross-account execution of tasks on an on-demand code execution environment, the system comprising:
- a non-transitory data store configured to store tasks, wherein individual tasks are owned by accounts of the on-demand code execution environment and are associated with user-submitted source code executable to implement functionality corresponding to the individual tasks; and
  
  one or more processors configured with computer-executable instructions to;
  
  receive a request from a user computing device associated with a first account to enable execution of a task owned by a second account, wherein the request comprises one or more parameters for the on-demand code execution environment to pass to the user-submitted source code associated with the task in response to a user of the first account requesting execution of the task, and wherein the one or more parameters include authentication information for a network resource of the first account to be passed to the user-submitted source code associated with the task;
  
  generate an alias corresponding to the first account, wherein the alias references the task owned by the second account, and wherein a call to the alias causes the on-demand code execution environment to pass the one or more parameters to an execution of the user-submitted source code without requiring that the one or more parameters be included within the call to the alias;
  
  return, to the user computing device associated with the first account, access information enabling the user computing device to call the alias corresponding to the first account in order to execute the task owned by the second account, including causing the on-demand code execution environment to pass the one or more parameters to the execution of the user-submitted source code associated with the task;
  
  receive the call to the alias corresponding to the first account;
  
  select a virtual machine instance within the on-demand code execution environment on which to execute the user-submitted source code corresponding to the task owned by the second account, wherein the virtual machine instance is dedicated to at least one of execution of tasks of the first account or execution of tasks of the second account; and
  
  execute within the virtual machine instance the user-submitted source code corresponding to the task owned by the second account on behalf of the first account, wherein execution of the code comprises passing, by the on-demand code execution environment and to the user-submitted source code, the one or more parameters including the authentication information for the network resource of the first account.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the one or more processors are further configured with the computer-executable instructions to obtain permissions associated with the task established by a user of the second account, and to verify that the first account complies with the permissions.
  - 3. The system of claim 2, wherein the permissions indicate at least one of individual accounts permitted to generate aliases to the task or types of accounts that are permitted to generate aliases to the task.
  - 4. The system of claim 1, wherein the request further comprises permissions under which the task should be executed, and wherein the one or more processors are further configured with the computer-executable instructions to modify permissions of the virtual machine instance according to the permissions of the request.
  - 5. The system of claim 1, wherein the request further comprises at least one of a modification of the execution environment to be used within the virtual machine instance or a modification of the resources to be provided to the virtual machine instance when executing the user-submitted source code.

6. A computer-implemented method to enable cross-account execution of tasks on an on-demand code execution environment, the computer-implemented method comprising:
- receiving, from a user computing device associated with a first account on the on-demand code execution environment, information defining a task on the on-demand code execution environment, the information comprising computer-executable source code that, when executed by a virtual machine instance within the on-demand code execution environment, implement functionality corresponding to the task;
  
  receiving a request from a user computing device associated with a second account to enable execution of the task on behalf of the second account, wherein the request comprises one or more parameters for the on-demand code execution environment to pass to the computer-executable source code associated with the task in response to a user of the first account requesting execution of the task;
  
  generating an alias corresponding to the second account, wherein the alias references the task owned by the first account, and wherein a call to the alias causes the on-demand code execution environment to pass the one or more parameters to an execution of the user-submitted source code without requiring that the one or more parameters be included within the call to the alias;
  
  returning, to the user computing device associated with the second account, access information enabling the user computing device to call the alias corresponding to the second account in order to cause the on-demand code execution system to execute the computer-executable source code associated with the task owned by the first account and to pass to the execution of the computer-executable source code the one or more parameters;
  
  receiving a call to the alias corresponding to the second account;
  
  selecting a virtual machine instance within the on-demand code execution environment on which to execute the computer-executable source code corresponding to the task, wherein the virtual machine instance is associated with at least one of execution of tasks of the first account or execution of tasks of the second account; and
  
  executing within the virtual machine instance the computer-executable source code corresponding to the task on behalf of the second account, wherein execution of the computer-executable source code comprises passing, by the on-demand code execution environment and to the computer-executable source code, the one or more parameters.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The computer-implemented method of claim 6, wherein the request further comprises permissions under which the task should be executed.
  - 8. The computer-implemented method of claim 7 further comprising modifying permissions of the virtual machine instance according to the permissions of the request prior to execution of the computer-executable source code.
  - 9. The computer-implemented method of claim 7 further comprising receiving, from the user computing device, authentication information associated with a network resource of the second account, wherein executing within the virtual machine instance the computer-executable source code corresponding to the task on behalf of the second account comprising passing the authentication information to the virtual machine.
  - 10. The computer-implemented method of claim 6, wherein the request further comprises selection criteria to be applied when selecting the virtual machine instance, and wherein selecting the virtual machine instance includes selecting the virtual machine instance according to the selection criteria.
  - 11. The computer-implemented method of claim 6 further comprising monitoring a computing resource usage of the virtual machine instance during execution of the computer-executable source code, and attributing the computing resource usage to the second account.
  - 12. The computer-implemented method of claim 6 further comprising;
    - receiving, from the user computing device associated with the first account, information modifying the task;
      
      applying the information to the task to result in a modified task; and
      
      verifying that the alias complies with the modified task.
  - 13. The computer-implemented method of claim 6 further comprising obtaining, from the user computing device associated with the first account, permissions associated with the task, and verifying that generation of the alias complies with the permissions.
  - 14. The computer-implemented method of claim 6 further comprising obtaining, from the user computing device associated with the first account, permissions associated with the task, and verifying that executing the computer-executable source code corresponding to the task on behalf of the second account complies with the permissions.
  - 15. The computer-implemented method of claim 14, wherein the permissions specify a license that must be associated with the second account prior to execution of the computer-executable source on behalf of the second account.

16. Non-transitory computer-readable storage media including computer-executable instructions that, when executed by a computing system, cause the computing system to:
- receive, from a user computing device associated with a first account on an on-demand code execution environment, information defining a task on the on-demand code execution environment, the information comprising computer-executable source code that, when executed by a virtual machine instance within the on-demand code execution environment, implement functionality corresponding to the task;
  
  receive a request from a user computing device associated with a second account to enable execution of the task on behalf of the second account, wherein the request comprises one or more parameters for the on-demand code execution environment to pass to the computer-executable source code associated with the task in response to a user of the second account requesting execution of the task;
  
  generate an alias corresponding to the second account, wherein the alias references the task owned by the first account, and wherein a call to the alias causes the on-demand code execution environment to pass the one or more parameters to an execution of the user-submitted source code without requiring that the one or more parameters be included within the call to the alias;
  
  receiving a call to the alias corresponding to the second account;
  
  select a virtual machine instance within the on-demand code execution environment on which to execute the computer-executable source code corresponding to the task, wherein the virtual machine instance is associated with at least one of execution of tasks of the first account or execution of tasks of the second account; and
  
  execute within the virtual machine instance the computer-executable source code corresponding to the task on behalf of the second account, wherein execution of the computer-executable source code comprises passing, by the on-demand code execution environment and to the computer-executable source code, the one or more parameters.
- View Dependent Claims (17, 18, 20)
- - 17. The non-transitory storage media of claim 16, further comprising attributing computing resources associated with execution of the computer-executable source code to at least one of the first account or the second account.
  - 18. The non-transitory storage media of claim 16, wherein the request further comprises one or more customizations to be made when executing the task on behalf of the first account, and wherein the computer-executable instructions further cause the computing system to execute the computer-executable source code at least in part by applying the one or more customizations.
  - 20. The non-transitory storage media of claim 16, wherein the computer-executable instructions further cause the computing system to obtain, from the user computing device associated with the first account, permissions associated with the task, and to verify that generation of the alias complies with the permissions.

19. The non-transitory storage media of 16, wherein the computer-executable instructions further cause the computing system to monitor a computing resource usage of the virtual machine instance during execution of the computer-executable source code, and attributing the computing resource usage to the second account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Wagner, Timothy Allen, Brooker, Marc John, Nair, Ajay, Manwaring, Derek Steven
Primary Examiner(s)
Kim, Dong U

Application Number

US15/199,490
Publication Number

US 20180004572A1
Time in Patent Office

1,034 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 9/468   Specific access rights for ...

H04L 67/1004   Server selection for load b...

H04L 67/303   Terminal profiles

On-demand network code execution with cross-account aliases

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

434 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

On-demand network code execution with cross-account aliases

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

434 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others