Skip to main content

Secure FastAPI in the Cloud

A compact FastAPI reference app with a working Books API, rich request logging, and balanced guidance for authentication and deployment on AWS, GCP, and Azure.

Get Started โ†’GitHub

6

Books Endpoints

3

Cloud Providers

0

Secrets in Code

FastAPIAWSGCPAzure
main.py
from fastapi import FastAPI, Query
from pydantic import BaseModel

class BookListResponse(BaseModel):
  items: list[BookResponse]
  total: int
  skip: int
  limit: int

@app.get("/api/v1/books", response_model=BookListResponse)
async def list_books(skip: int = Query(0, ge=0), limit: int = Query(20, ge=1, le=100)):
  return paginate_books(list(store.values()), skip=skip, limit=limit)

What The Docs Cover

Concepts first, implementation second

Six core topics covered by the documentation. The live demo app implements the API-focused pieces and stays intentionally small.

JWT Bearer Auth

Stateless, self-contained tokens with short expiry. Verify cryptographically โ€” no DB round-trip per request. Powered by HS256 or RS256.

Cloud IAM / Workload Identity

Zero secrets in code. IRSA on AWS, Workload Identity on GCP, Managed Identity on Azure. Your app gets short-lived tokens automatically from the platform.

Enterprise SSO

Cognito (AWS), Google Identity (GCP), or Microsoft Entra ID โ€” enterprise login with MFA, conditional access, and app roles. JWKS-validated RS256 tokens.

RBAC Scopes

Fine-grained authorization with OAuth2 scopes. Use Security() โ€” not just Depends() โ€” to cleanly enforce access per endpoint.

Pydantic v2 Models

Separate request/response models so internal fields never leak. model_dump(exclude_unset=True) for clean partial updates.

Auto OpenAPI 3.1

Interactive Swagger UI and ReDoc generated from your type annotations โ€” no YAML to maintain. Security schemes auto-wired.

The Big Picture

Three auth patterns, one decision

These patterns are not mutually exclusive โ€” a production app typically uses all three simultaneously. Choose based on who or what is being authenticated.

01
User-facing Auth

JWT Bearer

Use when: Generic internet users โ€” mobile apps, SPAs, public APIs.

โ†’User sends credentials
โ†’Server issues signed JWT
โ†’Client attaches Bearer token
โ†’Server verifies cryptographically โ€” no DB hit
Read the guide โ†’
02
Outbound Service Auth

Cloud IAM / Workload Identity

Use when: Your app talking to managed cloud services (databases, queues, secrets) โ€” zero secrets in code on any cloud.

โ†’App requests token from platform metadata service
โ†’Cloud IAM issues short-lived credential
โ†’App presents token to cloud service
โ†’Service validates โ€” no password ever stored
Read the guide โ†’
03
Enterprise SSO

Enterprise IdP

Use when: Corporate users who authenticate via Cognito (AWS), Google Identity (GCP), or Entra ID (Azure) โ€” with MFA and role-based access.

โ†’User logs in via enterprise IdP (MFA, conditional access)
โ†’IdP issues RS256 JWT with app roles / groups
โ†’FastAPI fetches JWKS, validates token
โ†’Roles claim drives authorization
Read the guide โ†’

Deploy Anywhere

Pick your cloud provider

All targets support platform-native IAM โ€” no long-lived credentials stored anywhere in your deployment pipeline.

AWS

Most Adopted

Lambda ยท EKS ยท Elastic Beanstalk

โœ“

Lambda

Serverless, pay-per-invocation with IRSA for secrets

โœ“

EKS

Kubernetes with IRSA for per-pod IAM

โœ“

Elastic Beanstalk

PaaS with one-command deploys

BEST FOR

Teams already on AWS โ€” native IAM, ECR, RDS, and Secrets Manager integration

Deployment guide โ†’

Google Cloud

Best Serverless Containers

Cloud Run ยท App Engine ยท GKE

โœ“

Cloud Run

Container-native serverless, scales to zero

โœ“

App Engine

Managed PaaS with automatic scaling

โœ“

GKE

Autopilot or standard Kubernetes with Workload Identity

BEST FOR

Container-first teams โ€” Cloud Run is the simplest serverless container on any cloud

Deployment guide โ†’

Azure

Deep Microsoft Integration

Functions ยท App Service ยท AKS

โœ“

Azure Functions

Serverless with Managed Identity built-in

โœ“

App Service

PaaS with deployment slots and Key Vault refs

โœ“

AKS

Kubernetes with Workload Identity Federation

BEST FOR

Teams using Microsoft 365, Entra ID, or Azure DevOps โ€” native identity federation

Deployment guide โ†’

Quick Start

Up and running in 60 seconds

The live demo focuses on the Books API and observability basics. Hit /docs for the interactive Swagger UI. Auth and deployment patterns are explained in the docs alongside the running demo.

Full Setup Guide โ†’
zsh
$
git clone https://github.com/jaredthivener/python-demo# clone the repo
$
cd python-demo
$
uv sync --group dev# install dependencies
$
uvicorn main:app --reload --no-access-log# start the server

INFO: ย ย  Started server process
INFO: ย ย  Waiting for application startup.
INFO: ย ย  Application startup complete.
INFO: ย ย  Uvicorn running on http://127.0.0.1:8000