November 10, 2023 By Karan Kumar
Mahesh Kumawat
Enrique Encalada
5 min read

This blog will focus on the integration of IBM Cloud Code Engine and IBM Cloud Event Notifications along with IBM Cloud Secrets Manager to build a robust use case that will automate your certificate renewal process for applications in your code engine project. We will build a simple app using IBM Cloud Code Engine to update your secrets in a Code Engine Project.

The services which we will be using are:

  1. IBM Cloud Code Engine
  2. IBM Cloud Event Notifications
  3. IBM Cloud Secrets Manager

It is not required to have a prerequisite knowledge on these services—although brief knowledge would be good. You can just follow the instructions and you will be able to build this sample application. All the code is provided in the Github URL. Before we continue let me give you a brief knowledge on these services.

What is IBM Cloud Code Engine?

IBM Cloud Code Engine is a fully managed, serverless platform that runs your containerized workloads, including web apps, microservices, event-driven functions, and batch jobs with run-to-completion characteristics. The Code Engine experience is designed so that you can focus on writing code and not on the infrastructure that is needed to host it.

What is IBM Cloud Event Notifications?

IBM Cloud Event Notifications is a routing service that provides you about critical events that occur in your IBM Cloud account. You can filter and route event notifications from IBM Cloud services like IBM Cloud Monitoring, Security and Compliance Center, Secrets Manager, IBM Cloud Projects, and Toolchain to communication channels like email, webhook, slack, IBM Code Engine, et al.

What is IBM Cloud Secrets Manager?

IBM Cloud Secrets Manager is a service where you can create, lease, and centrally manage secrets that are used in IBM Cloud services or your custom-built applications. Secrets are stored in a dedicated Secrets Manager instance, built on open source.

Embarking Journey with apps and certificates

Let’s say you have your Code Engine Application which has its own secret—TLS Certificate and Private Key. Generally, you would keep these secrets in something like a vault that would manage it. Assume that you store this secret in Secrets Manager. You will also store the same secret in your Code Engine Project where the App resides. So far, all good, your app will be able to use this secret and will be functional.

However, secrets can expire after a certain time period and therefore needs to be renewed. Everything was working fine until the secret expired, your app which uses this secret will be disrupted, thereby affecting your customers.

If you know about Secrets Manager, then you would be familiar that it can also rotate the secrets to new one automatically when they get expired. Let’s say you rotate the secrets in the Secrets Manager. Then what about your Code Engine Project? The secrets won’t be updated there, unless you manually do it. Let’s say you built another Code Engine Application which will retrieve the secrets from the Secrets Manager and update it in the project.

So far so good, but there is still one problem: How will your app know when to update the secret? Unless there was some way the app gets notified when the secrets were rotated in the Secrets Manager. In this scenario you can use Event Notifications to send notification to your app whenever the secret got rotated in the Secrets Manager. When the app gets notified, it can then do the update.

This is what we will do, we will use these different services and automate our secret renewal process. Therefore, you as a user do not have to manually update the secrets and preventing disruptions of your applications due to expired certificates

Let’s dive right in

Clone the repository and hop into the “app-n-event-notification” directory. You would have to create an API Key in your IBM Cloud Account. You would have to insert the API Key in the script. You must log into the IBM Cloud and select the Code Engine Project you want to work on. After that execute the run script and this is what will be happen after execution.

The run script will:

  1. Create an instance in the Secrets Manager and Event Notifications
  2. Create a secret in the Secrets Manager
  3. Build a Code Engine App (code is already provided)
  4. Create same secret in the Code Engine Project
  5. Create necessary sources, topics, destination etc., in Event Notifications
  6. Bind all these components together
  7. Rotate the secrets in Secrets Manager
  8. At last, we will check the logs of the apps to verify if secret got updated in Code Engine Project

Delving deeper: Unraveling the process

Here is an architecture which will help you visualize the components we are working with.

When you execute the run script in the samples, it creates the Event Notifications Instance and Secrets Manager Instance of lite plan in your IBM Cloud Account. We create custom certificates using openssl commands and store in a temporary directory. A secret is created in the Secret Manager and is populated with this certificate and key. Necessary components like topics, sources, destinations, and subscriptions are created in the Event Notification Instance. A Code Engine application is built using local source code and a Code Engine secret is also created containing the same secret (certificate and key). Both the app and secret will reside in the same project selected. At last, we rotate the secret in the Secrets Manager with a new certificate.

When the secret is rotated, your Secrets Manager will act as a source and it will send a notification payload of json structure to Event Notification Topic. The Topic will have a filter which is configured in such a way that it will extract the notification data and check if that particular certificate was rotated. If and only if it that particular certificate was rotated, then it can pass through to the topic. There would be a destination created with the app URL. A subscription would be made between the topic and the destination. When the notification comes to the topic, the Event Notification will invoke the Code Engine Application by sending POST request to it with data being the notification payload. The App is configured in such a way that it will retrieve the secret from Secrets Manager and after that it will update the code engine secret with the retrieved secret.

A word of caution

As we have seen that Event Notification will invoke our application via sending POST request to it with the notification. But there is one caveat here, there is a response timeout from Event Notifications which is 60 seconds. To know more about it check the documentation of retry policy.

Simply put the app should scale up and process the response (i.e retrieve secret from Secrets Manager and update it in the project) within 60 seconds. If you consider executing a longer workload then you can use the Code Engine Job for the same. Refer to this documentation to know more about Code Engine Jobs.


We learned and created an automation tool for certificate renewal. If you have your certificates from third-party vendors, then you can refer this documentation on how to connect third-party certificate authorities to Secrets Manager.

Learn more about IBM Cloud Code Engine

More from Cloud

Hybrid cloud examples, applications and use cases

7 min read - To keep pace with the dynamic environment of digitally-driven business, organizations continue to embrace hybrid cloud, which combines and unifies public cloud, private cloud and on-premises infrastructure, while providing orchestration, management and application portability across all three. According to the IBM Transformation Index: State of Cloud, a 2022 survey commissioned by IBM and conducted by an independent research firm, more than 77% of business and IT professionals say they have adopted a hybrid cloud approach. By creating an agile, flexible and…

Tokens and login sessions in IBM Cloud

9 min read - IBM Cloud authentication and authorization relies on the industry-standard protocol OAuth 2.0. You can read more about OAuth 2.0 in RFC 6749—The OAuth 2.0 Authorization Framework. Like most adopters of OAuth 2.0, IBM has also extended some of OAuth 2.0 functionality to meet the requirements of IBM Cloud and its customers. Access and refresh tokens As specified in RFC 6749, applications are getting an access token to represent the identity that has been authenticated and its permissions. Additionally, in IBM…

How to move from IBM Cloud Functions to IBM Code Engine

5 min read - When migrating off IBM Cloud Functions, IBM Cloud Code Engine is one of the possible deployment targets. Code Engine offers apps, jobs and (recently function) that you can (or need) to pick from. In this post, we provide some discussion points and share tips and tricks on how to work with Code Engine functions. IBM Cloud Code Engine is a fully managed, serverless platform to (not only) run your containerized workloads. It has evolved a lot since March 2021, when…

Sensors, signals and synergy: Enhancing Downer’s data exploration with IBM

3 min read - In the realm of urban transportation, precision is pivotal. Downer, a leading provider of integrated services in Australia and New Zealand, considers itself a guardian of the elaborate transportation matrix, and it continually seeks to enhance its operational efficiency. With over 200 trains and a multitude of sensors, Downer has accumulated a vast amount of data. While Downer regularly uncovers actionable insights from their data, their partnership with IBM® Client Engineering aimed to explore the additional potential of this vast dataset,…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters