Application installation management by selectively reuse or terminate virtual machines based on a process status
US-8997093-B2 · Mar 31, 2015 · US
US12015603B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12015603-B2 |
| Application number | US-202117643784-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 10, 2021 |
| Priority date | Dec 10, 2021 |
| Publication date | Jun 18, 2024 |
| Grant date | Jun 18, 2024 |
Official abstract text for this publication.
Systems and methods are described for a multi-tenant mode of a serverless code execution system. For instance, a method may include maintaining a set of execution environments, wherein each execution environment is associated with a serverless function, wherein the serverless function is associated with a software as a service (SaaS) provider that is a tenant of a cloud services provider, wherein the SaaS provider provides services to sub-tenants, wherein the set of execution environments are partitioned based on sub-tenants of the SaaS provider; receiving a call to execute a serverless function, wherein the call includes a serverless function identifier and a sub-tenant identifier; identifying a sub-tenant-specific execution environment of the set of execution environments that is associated with the sub-tenant; and in response to identifying the tenant-specific execution environment, invoking the serverless function on the sub-tenant-specific execution environment.
Opening claim text (preview).
What is claimed is:

1. A serverless code execution system comprising: one or more data stores including information for a set of identity and access management (IAM) policies defining access to a serverless function hosted by the serverless code execution system, wherein the serverless function is associated with a software as a service (SaaS) provider; one or more worker devices hosting a set of execution environments, wherein each execution environment is associated with the serverless function, and wherein the set of execution environments are partitioned based on sub-tenants of the SaaS provider; and one or more computing devices of the serverless code execution system configured to: receive a call to execute a serverless function, wherein the call includes a serverless function identifier and a sub-tenant identifier; determine whether the serverless function is configured for a multi-tenant mode of the serverless code execution system based on the serverless function identifier; in response to determining the serverless function is configured for the multi-tenant mode of the serverless code execution system, determine whether the call is authorized to proceed based on at least an IAM policy of the set of IAM policies; in response to determining the call is authorized to proceed, determine a sub-tenant of the sub-tenants based on the sub-tenant identifier; in response to determining the sub-tenant, identify a sub-tenant-specific execution environment of the set of execution environments that is associated with the sub-tenant, wherein other calls to execute the serverless function from other sub-tenants of the sub-tenants are blocked from being invoked on the sub-tenant-specific execution environment; and in response to identifying the sub-tenant-specific execution environment, invoke the serverless function on the sub-tenant-specific execution environment.

2. The serverless code execution system of claim 1, wherein the one or more computing devices are further configured to, using the sub-tenant-specific execution environment, interact with one or more tenant services to access sub-tenant data, in accordance with an authentication token indicating the sub-tenant.

3. The serverless code execution system of claim 1, wherein, to identify the sub-tenant-specific execution environment associated with the sub-tenant, the one or more computing devices are further configured to: determine whether any execution environment of the set of execution environments are associated with the sub-tenant identifier and the serverless function identifier; and in response to determining none of the set of execution environments are associated with the sub-tenant identifier and the serverless function identifier, instantiate the sub-tenant-specific execution environment, wherein, to instantiate the sub-tenant-specific execution environment, the one or more computing devices generate the sub-tenant-specific execution environment with an authentication token so that the sub-tenant-specific execution environment assumes the role of the sub-tenant.

4. The serverless code execution system of claim 3, wherein, to instantiate the sub-tenant-specific execution environment, the one or more computing devices are further configured to select a non-tenant-specific execution environment in a warm state to be modified into the sub-tenant-specific execution environment, or create the sub-tenant-specific execution environment, wherein the one or more computing devices of the serverless code execution system pass the authentication token to the sub-tenant-specific execution environment.

5. A computer-implemented method comprising: maintaining, by a multi-tenant cloud services provider, a set of execution environments, wherein each execution environment is associated with a serverless function, wherein the serverless function is associated with a software as a service (SaaS) provider that is a tenant of the cloud services provider, wherein the SaaS provider provides services to a plurality of sub-tenants, wherein the set of execution environments are partitioned based on sub-tenants of the SaaS provider; receiving a call to execute a serverless function, wherein the call includes a serverless function identifier and a sub-tenant identifier; identifying a sub-tenant-specific execution environment of the set of execution environments that is associated with the sub-tenant identifier; and invoking the serverless function on the sub-tenant-specific execution environment.

6. The computer-implemented method of claim 5, further comprising, using the sub-tenant-specific execution environment, interacting with one or more tenant services to access tenant data, in accordance with an authentication token indicating the sub-tenant.

7. The computer-implemented method of claim 5, wherein identifying the sub-tenant-specific execution environment that is associated with the sub-tenant includes: determining whether any execution environment of the set of execution environments are associated with the sub-tenant identifier and the serverless function identifier; and in response to determining none of the set of execution environments are associated with the sub-tenant identifier and the serverless function identifier, instantiating the sub-tenant-specific execution environment, wherein instantiating the sub-tenant-specific execution environment includes generating the sub-tenant-specific execution environment with an authentication token so that the sub-tenant-specific execution environment assumes the role of the sub-tenant.

8. The computer-implemented method of claim 7, wherein instantiating the sub-tenant-specific execution environment includes selecting a non-tenant-specific execution environment in a warm state to be modified into the sub-tenant-specific execution environment, or creating the sub-tenant-specific execution environment, wherein the sub-tenant-specific execution environment obtains the authentication token based on the sub-tenant identifier.

9. The computer-implemented method of claim 5, wherein identifying the sub-tenant-specific execution environment associated with the sub-tenant includes: determining whether any execution environment of the set of execution environments are associated with the sub-tenant identifier and the serverless function identifier; and in response to determining at least one execution environment of the set of execution environments are associated with the sub-tenant identifier and the serverless function identifier, selecting an execution environment of the at least one execution environment to be the sub-tenant-specific execution environment.

10. The computer-implemented method of claim 9, further comprising, before selecting the execution environment of the at least one execution environment to be the sub-tenant-specific execution environment, determining whether any of the at least one execution environment are available to handle the call.

11. The computer-implemented method of claim 5, further comprising, before invoking the serverless function on the sub-tenant-specific execution environment, determining whether the call is authorized to proceed based on at least an IAM policy of a set of IAM policies and/or a context of the call.

12. The computer-implemented method of claim 11, wherein determining whether the call is authorized to proceed based on the context includes retrieving contextual data; determining whether one or more conditions are satisfied to limit call rates; and in response to none of the one or more conditions are satisfied, determining the call is authorized to proceed.

13. One or more non-transitory computer-readable med
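
The routing order described in claims 1, 3, 4, 9 and 10 can be sketched as follows. This is an added illustration, not code from the patent or from any provider; the names `Env`, `Router`, `iam_allow` and the `token-for-...` string are hypothetical, and rejecting a function that is not in multi-tenant mode is an assumption made so the sketch fails closed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Env:
    function_id: str
    sub_tenant: Optional[str] = None  # None = warm, not yet bound to a sub-tenant
    token: Optional[str] = None       # credential scoped to the bound sub-tenant
    busy: bool = False

class Router:
    def __init__(self, multi_tenant_fns, iam_allow, warm_envs):
        self.multi_tenant_fns = set(multi_tenant_fns)
        self.iam_allow = set(iam_allow)  # stand-in for IAM policy: (caller, function_id)
        self.envs = list(warm_envs)

    def _bind(self, env, sub_tenant):
        # Placeholder token; a real system would obtain a scoped credential here.
        env.sub_tenant, env.token = sub_tenant, f"token-for-{sub_tenant}"
        return env

    def route(self, caller, function_id, sub_tenant):
        if not sub_tenant:  # an empty identifier must never match an unbound env
            raise ValueError("sub-tenant identifier required")
        if function_id not in self.multi_tenant_fns:
            raise LookupError("function is not in multi-tenant mode")
        if (caller, function_id) not in self.iam_allow:
            raise PermissionError("call not authorized by IAM policy")
        idle = [e for e in self.envs if e.function_id == function_id and not e.busy]
        # 1. Reuse an available environment already bound to this sub-tenant.
        for env in idle:
            if env.sub_tenant == sub_tenant:
                return env
        # 2. Otherwise convert a warm, non-tenant-specific environment.
        for env in idle:
            if env.sub_tenant is None:
                return self._bind(env, sub_tenant)
        # 3. Otherwise create one. Another sub-tenant's environment is never reused.
        env = self._bind(Env(function_id), sub_tenant)
        self.envs.append(env)
        return env

    def invoke(self, caller, function_id, sub_tenant):
        env = self.route(caller, function_id, sub_tenant)
        if env.sub_tenant != sub_tenant:  # fail closed on any routing defect
            raise RuntimeError("cross-tenant placement blocked")
        env.busy = True
        try:
            return f"{function_id} ran with {env.token}"
        finally:
            env.busy = False
```
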
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Logical partitioning of resources; Management or configuration of virtualized resources (specific details on emulation or internal functioning of virtual machines G06F9/455) · CPC title
using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title
Grid computing · CPC title