Security
Secure Feast with SSL/TLS, Authentication and Authorization.
This page applies to Feast 0.7. The content may be out of date for Feast 0.8+
Overview

Feast supports the following security methods:
Important considerations when integrating Authentication/Authorization.
SSL/TLS
Feast supports SSL/TLS encrypted inter-service communication among Feast Core, Feast Online Serving, and Feast SDKs.
Configuring SSL/TLS on Feast Core and Feast Serving
The following properties configure SSL/TLS. These properties are located in their corresponding application.yml
files:
Configuration Property
Description
grpc.server.security.enabled
Enables SSL/TLS functionality if true
grpc.server.security.certificateChain
Provide the path to certificate chain.
grpc.server.security.privateKey
Provide the to private key.
Read more on enabling SSL/TLS in the gRPC starter docs.
Configuring SSL/TLS on Python SDK/CLI
To enable SSL/TLS in the Feast Python SDK or Feast CLI, set the config options via feast config
:
Configuration Option
Description
core_enable_ssl
Enables SSL/TLS functionality on connections to Feast core if true
serving_enable_ssl
Enables SSL/TLS functionality on connections to Feast Online Serving if true
core_server_ssl_cert
Optional. Specifies the path of the root certificate used to verify Core Service's identity. If omitted, uses system certificates.
serving_server_ssl_cert
Optional. Specifies the path of the root certificate used to verify Serving Service's identity. If omitted, uses system certificates.
Configuring SSL/TLS on Go SDK
Configure SSL/TLS on the Go SDK by passing configuration via SecurityConfig
:
cli, err := feast.NewSecureGrpcClient("localhost", 6566, feast.SecurityConfig{
EnableTLS: true,
TLSCertPath: "/path/to/cert.pem",
})Option
Config Option
Description
EnableTLS
Enables SSL/TLS functionality when connecting to Feast if true
TLSCertPath
Optional. Provides the path of the root certificate used to verify Feast Service's identity. If omitted, uses system certificates.
Configuring SSL/TLS on Java SDK
Configure SSL/TLS on the Feast Java SDK by passing configuration via SecurityConfig
:
FeastClient client = FeastClient.createSecure("localhost", 6566,
SecurityConfig.newBuilder()
.setTLSEnabled(true)
.setCertificatePath(Optional.of("/path/to/cert.pem"))
.build());
Config Option
Description
setTLSEnabled()
Enables SSL/TLS functionality when connecting to Feast if true
setCertificatesPath()
Optional. Set the path of the root certificate used to verify Feast Service's identity. If omitted, uses system certificates.
Authentication
To prevent man in the middle attacks, we recommend that SSL/TLS be implemented prior to authentication.
Authentication can be implemented to identify and validate client requests to Feast Core and Feast Online Serving. Currently, Feast uses Open ID Connect (OIDC) ID tokens (i.e. Google Open ID Connect) to authenticate client requests.
Configuring Authentication in Feast Core and Feast Online Serving
Authentication can be configured for Feast Core and Feast Online Serving via properties in their corresponding application.yml
files:
Configuration Property
Description
feast.security.authentication.enabled
Enables Authentication functionality if true
feast.security.authentication.provider
Authentication Provider type. Currently only supports jwt
feast.security.authentication.option.jwkEndpointURI
HTTPS URL used by Feast to retrieved the JWK used to verify OIDC ID tokens.
Behind the scenes, Feast Core and Feast Online Serving authenticate by:
Extracting the OIDC ID token
TOKEN
from gRPC metadata submitted with request:
('authorization', 'Bearer: TOKEN')
Validates token's authenticity using the JWK retrieved from the
jwkEndpointURI
Authenticating Serving with Feast Core
Feast Online Serving communicates with Feast Core during normal operation. When both authentication and authorization are enabled on Feast Core, Feast Online Serving is forced to authenticate its requests to Feast Core. Otherwise, Feast Online Serving produces an Authentication failure error when connecting to Feast Core.
Properties used to configure Serving authentication via application.yml
:
Configuration Property
Description
feast.core-authentication.enabled
Requires Feast Online Serving to authenticate when communicating with Feast Core.
feast.core-authentication.provider
Selects provider Feast Online Serving uses to retrieve credentials then used to authenticate requests to Feast Core. Valid providers are google
and oauth
.
Google Provider automatically extracts the credential from the credential JSON file.
Set
GOOGLE_APPLICATION_CREDENTIALS
environment variable to the path of the credential in the JSON file.
Enabling Authentication in Python SDK/CLI
Configure the Feast Python SDK and Feast CLI to use authentication via feast config
:
$ feast config set enable_auth true
Configuration Option
Description
enable_auth
Enables authentication functionality if set to true
.
auth_provider
Use an authentication provider to obtain a credential for authentication. Currently supports google
and oauth
.
auth_token
Manually specify a static token for use in authentication. Overrules auth_provider
if both are set.
Google Provider automatically finds and uses Google Credentials to authenticate requests:
Google Provider automatically uses established credentials for authenticating requests if you are already authenticated with the
gcloud
CLI via:
$ gcloud auth application-default login
Alternatively Google Provider can be configured to use the credentials in the JSON file via
GOOGLE_APPLICATION_CREDENTIALS
environmental variable (Google Cloud Authentication documentation):
$ export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"
Enabling Authentication in Go SDK
Configure the Feast Java SDK to use authentication by specifying the credential via SecurityConfig
:
// error handling omitted.
// Use Google Credential as provider.
cred, _ := feast.NewGoogleCredential("localhost:6566")
cli, _ := feast.NewSecureGrpcClient("localhost", 6566, feast.SecurityConfig{
// Specify the credential to provide tokens for Feast Authentication.
Credential: cred,
})
Google Credential uses Service Account credentials JSON file set viaGOOGLE_APPLICATION_CREDENTIALS
environmental variable (Google Cloud Authentication documentation) to obtain tokens for Authenticating Feast requests:
Exporting
GOOGLE_APPLICATION_CREDENTIALS
$ export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"
Create a Google Credential with target audience.
cred, _ := feast.NewGoogleCredential("localhost:6566")
Target audience of the credential should be set to host URL of target Service. (ie
https://localhost
if Service listens onlocalhost
):
Enabling Authentication in Java SDK
Configure the Feast Java SDK to use authentication by setting credentials via SecurityConfig
:
// Use GoogleAuthCredential as provider.
CallCredentials credentials = new GoogleAuthCredentials(
Map.of("audience", "localhost:6566"));
FeastClient client = FeastClient.createSecure("localhost", 6566,
SecurityConfig.newBuilder()
// Specify the credentials to provide tokens for Feast Authentication.
.setCredentials(Optional.of(creds))
.build());
GoogleAuthCredentials uses Service Account credentials JSON file set viaGOOGLE_APPLICATION_CREDENTIALS
environmental variable (Google Cloud authentication documentation) to obtain tokens for Authenticating Feast requests:
Exporting
GOOGLE_APPLICATION_CREDENTIALS
$ export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"
Create a Google Credential with target audience.
CallCredentials credentials = new GoogleAuthCredentials(
Map.of("audience", "localhost:6566"));
Target audience of the credentials should be set to host URL of target Service. (ie
https://localhost
if Service listens onlocalhost
):
Authorization
Authorization provides access control to FeatureTables and/or Features based on project membership. Users who are members of a project are authorized to:
Create and/or Update a Feature Table in the Project.
Retrieve Feature Values for Features in that Project.
Authorization API/Server

Feast delegates Authorization grants to an external Authorization Server that implements the Authorization Open API specification.
Feast checks whether a user is authorized to make a request by making a
checkAccessRequest
to the Authorization Server.The Authorization Server should return a
AuthorizationResult
with whether the user is allowed to make the request.
Authorization can be configured for Feast Core and Feast Online Serving via properties in their corresponding application.yml
Configuration Property
Description
feast.security.authorization.enabled
Enables authorization functionality if true
.
feast.security.authorization.provider
Authentication Provider type. Currently only supports http
feast.security.authorization.option.authorizationUrl
URL endpoint of Authorization Server to make check access requests to.
feast.security.authorization.option.subjectClaim
Optional. Name of the claim of the to extract from the ID Token to include in the check access request as Subject.
Authentication & Authorization
When using Authentication & Authorization, consider:
Enabling Authentication without Authorization makes authentication optional. You can still send unauthenticated requests.
Enabling Authorization forces all requests to be authenticated. Requests that are not authenticated are dropped.
Last updated
Was this helpful?