ON-DEMAND NETWORK CODE EXECUTION WITH CROSS-ACCOUNT ALIASES

US 20180004572A1
Filed: 06/30/2016
Published: 01/04/2018
Est. Priority Date: 06/30/2016
Status: Active Grant

First Claim

Patent Images

1. A system to enable cross-account execution of tasks on an on-demand code execution environment, the system comprising:

a non-transitory data store configured to store tasks, wherein individual tasks are owned by accounts of the on-demand code execution environment and are associated with code executable to implement functionality corresponding to the individual tasks,one or more processors configured with computer-executable instructions to;

receive a request from a user computing device associated with a first account to enable execution of a task owned by a second account, wherein the request comprises one or more customizations to be made when executing the task on behalf of the first account, and wherein the one or more customizations include authentication information to be passed to a virtual machine executing code corresponding to the task for a network resource of the first account;

generate an alias corresponding to the first account, wherein the alias references the task owned by the second account and specifies the one or more customizations;

return, to the user computing device associated with the first account, access information enabling the user computing device to call the alias corresponding to the first account in order to execute the task owned by the second account as modified by the one or more customizations;

receive the call to the alias corresponding to the first account;

select a virtual machine instance within the on-demand code execution environment on which to execute code corresponding to the task owned by the second account, wherein the virtual machine instance is dedicated to at least one of execution of tasks of the first account or execution of tasks of the second account; and

execute within the virtual machine instance the code corresponding to the task owned by the second account on behalf of the first account, wherein execution of the code comprises passing to the virtual machine the authentication information for the network resource of the first account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for managing cross-account access to tasks on an on-demand code execution environment or other distributed code execution environment. Such environments utilize pre-initialized virtual machine instances to enable execution of user-specified code in a rapid manner, without delays typically caused by initialization of the virtual machine instances. However, to ensure security, the code of different users is generally maintained separately, and executed on separate virtual machines. Embodiments described herein enable users of a first account to execute code of a second account, without gaining access to the code itself and while maintaining the privacy and security of each account. Specifically, aliases for a task of a first account can be created on a task of a second account, and used to invoke that task on behalf of the first account. Aliases may also allow users to customize how the task is executed.

Citations

21 Claims

1. A system to enable cross-account execution of tasks on an on-demand code execution environment, the system comprising:
- a non-transitory data store configured to store tasks, wherein individual tasks are owned by accounts of the on-demand code execution environment and are associated with code executable to implement functionality corresponding to the individual tasks,one or more processors configured with computer-executable instructions to;
  
  receive a request from a user computing device associated with a first account to enable execution of a task owned by a second account, wherein the request comprises one or more customizations to be made when executing the task on behalf of the first account, and wherein the one or more customizations include authentication information to be passed to a virtual machine executing code corresponding to the task for a network resource of the first account;
  
  generate an alias corresponding to the first account, wherein the alias references the task owned by the second account and specifies the one or more customizations;
  
  return, to the user computing device associated with the first account, access information enabling the user computing device to call the alias corresponding to the first account in order to execute the task owned by the second account as modified by the one or more customizations;
  
  receive the call to the alias corresponding to the first account;
  
  select a virtual machine instance within the on-demand code execution environment on which to execute code corresponding to the task owned by the second account, wherein the virtual machine instance is dedicated to at least one of execution of tasks of the first account or execution of tasks of the second account; and
  
  execute within the virtual machine instance the code corresponding to the task owned by the second account on behalf of the first account, wherein execution of the code comprises passing to the virtual machine the authentication information for the network resource of the first account.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the one or more processors are further configured with the computer-executable instructions to obtain permissions associated with the task established by a user of the second account, and to verify that the first account complies with the permissions.
  - 3. The system of claim 2, wherein the permissions indicate at least one of individual accounts permitted to generate aliases to the task or types of accounts that are permitted to generate aliases to the task.
  - 4. The system of claim 1, wherein the one or more processors are further configured with the computer-executable instructions to modify the virtual machine instance according to the customizations prior to execution of the code.
  - 5. The system of claim 1, wherein the customizations include at least one of a modification to or addition of a parameter to be passed to the code corresponding to the task when executed on behalf of the first account, a modification of permissions to be given to the virtual machine instance when executing the code, a modification of the execution environment to be used within the virtual machine instance, or a modification of the resources to be provided to the virtual machine instance when executing the code.

6. A computer-implemented method to enable cross-account execution of tasks on an on-demand code execution environment, the computer-implemented method comprising:
- receiving, from a user computing device associated with a first account on the on-demand code execution environment, information defining a task on the on-demand code execution environment, the information comprising computer-executable code that, when executed by a virtual machine instance within the on-demand code execution environment, implement functionality corresponding to the task;
  
  receiving a request from a user computing device associated with a second account to enable execution of the task on behalf of the second account;
  
  returning, to the user computing device associated with the second account, access information enabling the user computing device to call the alias corresponding to the second account in order to execute the task owned by the first account as modified by the one or more customizations;
  
  generating an alias corresponding to the second account, wherein the alias references the task owned by the first account;
  
  receiving a call to the alias corresponding to the second account;
  
  selecting a virtual machine instance within the on-demand code execution environment on which to execute code corresponding to the task, wherein the virtual machine instance is associated with at least one of execution of tasks of the first account or execution of tasks of the second account; and
  
  executing within the virtual machine instance the code corresponding to the task on behalf of the second account.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 21)
- - 7. The computer-implemented method of claim 6, wherein the request further comprises one or more customizations to be made when executing the task on behalf of the first account.
  - 8. The computer-implemented method of claim 7 further comprising modifying the virtual machine instance according to the customizations prior to execution of the code.
  - 9. The computer-implemented method of claim 7 further comprising receiving, from the user computing device, authentication information associated with a network resource of the second account, wherein executing within the virtual machine instance the code corresponding to the task on behalf of the second account comprising passing the authentication information to the virtual machine.
  - 10. The computer-implemented method of claim 6, wherein the request further comprises selection criteria to be applied when selecting the virtual machine instance, and wherein selecting the virtual machine instance includes selecting the virtual machine instance according to the selection criteria.
  - 11. The computer-implemented method of claim 6 further comprising monitoring a computing resource usage of the virtual machine instance during execution of the code, and attributing the computing resource usage to the second account.
  - 12. The computer-implemented method of claim 6 further comprising;
    - receiving, from the user computing device associated with the first account, information modifying the task;
      
      applying the information to the task to result in a modified task; and
      
      verifying that the alias complies with the modified task.
  - 13. The computer-implemented method of claim 6 further comprising obtaining, from the user computing device associated with the first account, permissions associated with the task, and verifying that generation of the alias complies with the permissions.
  - 14. The computer-implemented method of claim 6 further comprising obtaining, from the user computing device associated with the first account, permissions associated with the task, and verifying that executing the code corresponding to the task on behalf of the second account complies with the permissions.
  - 15. The computer-implemented method of claim 14, wherein the permissions specify a license that must be associated with the second account prior to execution of the task on behalf of the second account.
  - 20. The computer-implemented method of claim 6, wherein the computer-executable instructions further cause the computing system to monitor a computing resource usage of the virtual machine instance during execution of the code, and attributing the computing resource usage to the second account.
  - 21. The computer-implemented method of claim 6, wherein the computer-executable instructions further cause the computing system to obtain, from the user computing device associated with the first account, permissions associated with the task, and to verify that generation of the alias complies with the permissions.

16. Non-transitory computer-readable storage media including computer-executable instructions that, when executed by a computing system, cause the computing system to:
- receive, from a user computing device associated with a first account on an on-demand code execution environment, information defining a task on the on-demand code execution environment, the information comprising computer-executable code that, when executed by a virtual machine instance within the on-demand code execution environment, implement functionality corresponding to the task;
  
  receive a call to execute the task from a user computing device associated with a second account;
  
  generate an alias corresponding to the second account, wherein the alias references the task owned by the first account;
  
  select a virtual machine instance within the on-demand code execution environment on which to execute code corresponding to the task, wherein the virtual machine instance is associated with at least one of execution of tasks of the first account or execution of tasks of the second account; and
  
  execute within the virtual machine instance the code corresponding to the task on behalf of the second account.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory storage media of claim 16 further comprising receiving a request from the user computing device associated with the second account to enable execution of the task on behalf of the second account, wherein generating the alias corresponding to the second account is in response to receiving the request.
  - 18. The non-transitory storage media of claim 16, further comprising attributing computing resources associated with execution of the code to at least one of the first account or the second account.
  - 19. The non-transitory storage media of claim 16, wherein the request further comprises one or more customizations to be made when executing the task on behalf of the first account, and wherein the computer-executable instructions further cause the computing system to execute the code at least in part by applying the one or more customizations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Wagner, Timothy Allen, Brooker, Marc John, Nair, Ajay, Manwaring, Derek Steven

Granted Patent

US 10,277,708 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 9/468   Specific access rights for ...

H04L 67/1004   Server selection for load b...

H04L 67/303   Terminal profiles

ON-DEMAND NETWORK CODE EXECUTION WITH CROSS-ACCOUNT ALIASES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

ON-DEMAND NETWORK CODE EXECUTION WITH CROSS-ACCOUNT ALIASES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links