Contribution signatures for tagging
First Claim
1. A computer-implemented method, comprising:
- receiving, to a resource management service, a first request to provision a resource in a multi-tenant environment and on behalf of a customer, the first request including a first key-value pair to be applied to the resource on behalf of the customer, the first key-value pair and the first request both digitally signed using a customer cryptographic key;
- determining an additional service to perform a task with respect to the first request;
- generating, via the resource management service, a second request including a second key-value pair to be added to the resource on behalf of the resource management service, the second key-value pair and the second request both digitally signed using a resource management cryptographic key for the resource management service, the second request including the first request and the first key-value pair both digitally signed using the customer cryptographic key;
- forwarding the second request to the additional service;
- generating, by the additional service, a third request digitally signed using a service cryptographic key for the additional service, the third request including the second key-value pair and the second request, digitally signed using the resource management cryptographic key, and the first key-value pair and the first request, digitally signed using the customer cryptographic key;
- causing the third request to be provided to a notation service of the multi-tenant environment;
- determining, from the third request and by the notation service, the first key-value pair and the second key-value pair to be applied to the resource;
- determining that the first key-value pair is digitally signed using the customer cryptographic key and the second key-value pair is digitally signed using the resource management cryptographic key;
- validating respective digital signatures for the customer cryptographic key, the resource management cryptographic key, and the service cryptographic key contained in the third request to verify contents of the third request;
- causing the notation service to apply the first key-value pair and the second key-value pair to the resource; and
- provisioning the resource in the multi-tenant environment.
Abstract
A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding it, so that each service signs a version of the request which includes elements signed by other services earlier in the request chain. When the request is received by a tagging service, that service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).
Claims (20 in total)
1. Claim 1 is reproduced above under First Claim. (Dependent claims: 2, 3, 4)
5. A computer-implemented method, comprising:
- receiving, from a first source to a receiving component of a computing resource environment, a first request to provision a resource, the first request comprising tagging metadata to be applied to the resource, the first request and the tagging metadata both digitally signed by the first source;
- generating a second request digitally signed by the receiving component, the second request including additional metadata and including the first request and the tagging metadata both signed by the first source;
- receiving the second request in a processing component of the computing resource environment;
- analyzing the second request to determine that the second request is signed by the receiving component, the first request is signed by the first source, and the tagging metadata is signed by the first source;
- validating a first signature for the first request and a second signature for the second request to verify contents of the second request;
- processing the second request to cause the tagging metadata to be applied to the resource; and
- provisioning the resource.

(Dependent claims: 6 to 15)
16. A system, comprising:
- at least one processor; and
- memory including instructions that, when executed by the at least one processor, cause the system to:
- receive, from a first source to a receiving component of a computing resource environment, a first request to provision a resource, the first request comprising tagging metadata to be applied to the resource, the first request and the tagging metadata signed by the first source;
- generate a second request signed by the receiving component, the second request including additional metadata and including the first request and the tagging metadata both signed by the first source;
- receive the second request in a processing component of the computing resource environment;
- analyze the second request to determine that the second request is signed by the receiving component, the first request is signed by the first source, and the tagging metadata is signed by the first source;
- validate a first signature for the first request and a second signature for the second request to verify contents of the second request;
- process the second request to cause the tagging metadata to be applied to the resource; and
- provision the resource.

(Dependent claims: 17, 18, 19, 20)