Event-driven serverless function orchestration
US11489844B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11489844-B2 |
| Application number | US-202016852215-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 17, 2020 |
| Priority date | Apr 17, 2020 |
| Publication date | Nov 1, 2022 |
| Grant date | Nov 1, 2022 |
Abstract
The disclosed serverless security access control system leverages static analysis information about application code and runtime information to create and assign on-the-fly transient serverless function roles. A default role can be initially assigned to serverless functions of the application. The default role allows the function to communicate with a security access broker. The access broker accesses least privilege information about an invoked serverless function and then creates and assigns a transient role to the serverless function based on that information. The short life of the role reduces and possibly eliminates the security risk of an over-permissive role. The access broker can update the least privilege information based on updated analysis of the application code and runtime information to allow flexibility and adaptation over executions.
Claims (preview)

The invention claimed is:

1. A method comprising: based on invocation of a first serverless function of a serverless application instantiated on a cloud infrastructure, runtime instrumentation of the first serverless function submitting a role request to an intermediary, wherein the runtime instrumentation submits the role request according to a default role defined for a plurality of instrumented serverless functions of the serverless application, wherein the default role limits the plurality of instrumented serverless functions to communicating with the intermediary; the intermediary reading a set of one or more least privileges for the first serverless function, wherein the set of one or more least privileges were previously determined from analysis of program code of the serverless application; the intermediary communicating with a service associated with the cloud infrastructure to create a first role with the set of one or more least privileges; the intermediary maintaining information to enforce expiration of the first role; and the intermediary returning indication of the first role to the runtime instrumentation for assignment to the first serverless function instantiated on the cloud infrastructure.

2. The method of claim 1 further comprising the runtime instrumentation executing the first serverless function instance with the assigned first role.

3. The method of claim 1 further comprising the intermediary expiring the first role based on determining that an expiration criterion is satisfied.

4. The method of claim 1 further comprising determining least privileges for serverless functions of the serverless application based on at least one of static code analysis and behavior analysis of the serverless application prior to deployment of the serverless application to the cloud infrastructure.

5. The method of claim 1 further comprising: based on detection of an access violation by the first serverless function instance, determining whether the first serverless function instance satisfies an expansion criterion; indicating an additional privilege for the first serverless function based on the access violation; and creating a second role for the first serverless function with the set of one or more least privileges and the additional privilege.

6. The method of claim 5, wherein determining whether the first serverless function instance satisfies an expansion criterion comprises determining whether the first serverless function instance is executing outside of a warm-up period.

7. The method of claim 1 further comprising: based on detection of an evaluation trigger, for each of a plurality of serverless functions of the serverless application including the first serverless function, determining resources accessed by the serverless function instantiated on the cloud infrastructure; determining whether one or more of a set of privileges indicated as least privileges for the serverless function was not used based on the resources accessed; and removing an unused privilege indicated as a least privilege for the serverless function.

8. The method of claim 1, wherein the runtime instrumentation submits the role request after authenticating the first serverless function instance with the intermediary.

9. The method of claim 8, wherein the intermediary maintaining information to enforce expiration of the first role comprises binding the first role to authentication information of the first serverless function instance.

10. A non-transitory, machine-readable medium having program code stored thereon, the program code to: based on receipt of a role creation request for an instance of a first serverless function of a serverless application, determine whether the first serverless function instance successfully authenticates and to read a set of privileges indicated for the first serverless function after successful authentication, wherein the set of privileges was previously determined from analysis of the program code of the serverless application; communicate with a service associated with a cloud infrastructure to create a first role with the set of privileges, wherein the instance of the first serverless function is deployed on the cloud infrastructure; maintain information to enforce expiration of the first role, wherein the program code to maintain information to enforce expiration of the first role comprises program code to bind the first serverless function instance to authentication information of the first serverless function instance; and communicate the first role to the instance of the first serverless function for runtime instrumentation of the first serverless function instance to execute the first serverless function instance with the first role.

11. The machine-readable medium of claim 10, wherein the program code further comprises program code to expire the first role based on evaluation of the expiration information for the first serverless function instance and an expiration criterion defined for serverless functions of the serverless application.

12. The machine-readable medium of claim 10, wherein the program code further comprises program code to modify privileges indicated as least privileges for serverless functions based on a determination of an under-permissive role or an over-permissive role.

13. The machine-readable medium of claim 12, wherein the program code to modify privileges indicated as least privileges for serverless functions based on a determination of an under-permissive role or an over-permissive role comprises program code to indicate an additional privilege for a serverless function of the serverless application based on detection of an access violation by an instance of the serverless function.

14. The machine-readable medium of claim 12, wherein the program code to modify privileges indicated as least privileges for serverless functions based on a determination of an under-permissive role or an over-permissive role comprises program code to remove a privilege for a serverless function of the serverless application based on a determination that the serverless function did not use an indicated privilege.

15. An apparatus comprising: a processor; and a computer-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to, based on receipt of a role creation request for an instance of a first serverless function of a serverless application, determine whether the first serverless function instance successfully authenticates and to read a set of privileges indicated for the first serverless function after successful authentication, wherein the set of privileges was previously determined from analysis of the program code of the serverless application; communicate with a service associated with a cloud infrastructure to create a first role with the set of privileges, wherein the instance of the first serverless function is deployed on the cloud infrastructure; maintain information to enforce expiration of the first role, wherein the instructions to maintain information to enforce expiration of the first role comprise instructions to bind the first serverless function instance to authentication information of the first serverless function instance; and communicate the first role to the instance of the first serverless function for runtime instrumentation of the first serverless function instance to execute the first serverless function instance with the first role.

16. The apparatus of claim 15, wherein the computer-readable medium further comprises instructions executable by
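The following Python is an added illustration of the broker flow the claims describe, not the patent's own code or any vendor's implementation. An in-memory privilege table stands in for the static-analysis output of claim 4, a dictionary of live roles stands in for the cloud's role service, and the `authorize` method plays the part of the cloud's policy check. The class and method names, the privilege strings, the instance identifiers and the TTL and warm-up values are all constructed assumptions. It walks through the default role (claim 1), authentication and token binding (claims 8 and 9), expiration (claim 3), expansion after an access violation outside the warm-up period (claims 5 and 6) and pruning of privileges that were never exercised (claim 7).

```python
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for the pre-deployment analysis result (claim 4):
# the least privileges each function was found to need.
LEAST_PRIVILEGES = {
    "resize-image": {"s3:GetObject", "s3:PutObject"},
    "send-receipt": {"ses:SendEmail", "dynamodb:GetItem"},
}
# Default role shared by every instrumented function (claim 1): it allows
# nothing except calling the broker.
DEFAULT_ROLE = frozenset({"broker:RequestRole"})
ROLE_TTL_SECONDS = 60   # expiration criterion (claim 3); assumed value
WARM_UP_SECONDS = 5     # expansion criterion (claim 6); assumed value


@dataclass
class TransientRole:
    name: str
    function: str
    privileges: frozenset
    bound_to: str          # auth token of the requesting instance (claims 8-9)
    expires_at: float


class AccessBroker:
    """The 'intermediary': mints short-lived roles and adjusts privileges."""

    def __init__(self, privileges, now=time.monotonic):
        self.privileges = {k: set(v) for k, v in privileges.items()}
        self.now = now                    # injectable clock, for tests
        self.tokens = {}                  # instance_id -> auth token
        self.started = {}                 # instance_id -> first-seen time
        self.roles = {}                   # role name -> live TransientRole
        self.observed = defaultdict(set)  # function -> privileges actually used

    def authenticate(self, instance_id):
        """Claim 8: the instance authenticates before asking for a role."""
        token = secrets.token_hex(16)
        self.tokens[instance_id] = token
        self.started[instance_id] = self.now()
        return token

    def request_role(self, caller_role, function, instance_id, token):
        """Claim 1: only a caller holding the default role may ask for a role."""
        if "broker:RequestRole" not in caller_role:
            raise PermissionError("caller role cannot reach the broker")
        if self.tokens.get(instance_id) != token:
            raise PermissionError("instance failed authentication")
        if function not in self.privileges:
            raise LookupError(f"no least-privilege record for {function}")
        return self._mint(function, token)

    def _mint(self, function, token):
        role = TransientRole(
            name=f"{function}-{secrets.token_hex(4)}",
            function=function,
            privileges=frozenset(self.privileges[function]),
            bound_to=token,                             # claim 9
            expires_at=self.now() + ROLE_TTL_SECONDS,   # claim 3
        )
        self.roles[role.name] = role
        return role

    def authorize(self, role, token, action):
        """Stand-in for the cloud's policy check against the transient role."""
        if role.name not in self.roles or role.bound_to != token:
            return False
        if self.now() >= role.expires_at:
            return False
        if action not in role.privileges:
            return False
        self.observed[role.function].add(action)
        return True

    def report_violation(self, role, instance_id, action):
        """Claims 5-6: widen privileges only once the instance is past warm-up."""
        started = self.started.get(instance_id)
        if started is None or self.now() - started < WARM_UP_SECONDS:
            return None
        self.privileges[role.function].add(action)
        return self._mint(role.function, role.bound_to)

    def expire_roles(self):
        """Claim 3: drop every role whose expiration criterion is met."""
        expired = [n for n, r in self.roles.items() if self.now() >= r.expires_at]
        for name in expired:
            del self.roles[name]
        return expired

    def prune_unused(self, function):
        """Claim 7: remove least privileges no instance has exercised."""
        unused = self.privileges[function] - self.observed[function]
        self.privileges[function] -= unused
        return unused
```

Two design points follow from the claims rather than from the toy. A role is rejected the moment the presented token differs from the one it was bound to, so a leaked role name is useless without the instance's credential. Pruning works from usage observed across every instance of a function, not from a single role, which avoids starving a function because one cold instance happened not to touch a resource.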
CPC classifications:

- for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)
- when the policy decisions are valid for a limited amount of time
- Grouping of entities
- for managing network security; network security policies in general (filtering policies H04L63/0227)