November 10, 2023 By Karan Kumar
Mahesh Kumawat
Enrique Encalada
5 min read

This blog will focus on the integration of IBM Cloud Code Engine and IBM Cloud Event Notifications along with IBM Cloud Secrets Manager to build a robust use case that will automate your certificate renewal process for applications in your code engine project. We will build a simple app using IBM Cloud Code Engine to update your secrets in a Code Engine Project.

The services which we will be using are:

  1. IBM Cloud Code Engine
  2. IBM Cloud Event Notifications
  3. IBM Cloud Secrets Manager

It is not required to have a prerequisite knowledge on these services—although brief knowledge would be good. You can just follow the instructions and you will be able to build this sample application. All the code is provided in the Github URL. Before we continue let me give you a brief knowledge on these services.

What is IBM Cloud Code Engine?

IBM Cloud Code Engine is a fully managed, serverless platform that runs your containerized workloads, including web apps, microservices, event-driven functions, and batch jobs with run-to-completion characteristics. The Code Engine experience is designed so that you can focus on writing code and not on the infrastructure that is needed to host it.

What is IBM Cloud Event Notifications?

IBM Cloud Event Notifications is a routing service that provides you about critical events that occur in your IBM Cloud account. You can filter and route event notifications from IBM Cloud services like IBM Cloud Monitoring, Security and Compliance Center, Secrets Manager, IBM Cloud Projects, and Toolchain to communication channels like email, webhook, slack, IBM Code Engine, et al.

What is IBM Cloud Secrets Manager?

IBM Cloud Secrets Manager is a service where you can create, lease, and centrally manage secrets that are used in IBM Cloud services or your custom-built applications. Secrets are stored in a dedicated Secrets Manager instance, built on open source.

Embarking Journey with apps and certificates

Let’s say you have your Code Engine Application which has its own secret—TLS Certificate and Private Key. Generally, you would keep these secrets in something like a vault that would manage it. Assume that you store this secret in Secrets Manager. You will also store the same secret in your Code Engine Project where the App resides. So far, all good, your app will be able to use this secret and will be functional.

However, secrets can expire after a certain time period and therefore needs to be renewed. Everything was working fine until the secret expired, your app which uses this secret will be disrupted, thereby affecting your customers.

If you know about Secrets Manager, then you would be familiar that it can also rotate the secrets to new one automatically when they get expired. Let’s say you rotate the secrets in the Secrets Manager. Then what about your Code Engine Project? The secrets won’t be updated there, unless you manually do it. Let’s say you built another Code Engine Application which will retrieve the secrets from the Secrets Manager and update it in the project.

So far so good, but there is still one problem: How will your app know when to update the secret? Unless there was some way the app gets notified when the secrets were rotated in the Secrets Manager. In this scenario you can use Event Notifications to send notification to your app whenever the secret got rotated in the Secrets Manager. When the app gets notified, it can then do the update.

This is what we will do, we will use these different services and automate our secret renewal process. Therefore, you as a user do not have to manually update the secrets and preventing disruptions of your applications due to expired certificates

Let’s dive right in

Clone the repository and hop into the “app-n-event-notification” directory. You would have to create an API Key in your IBM Cloud Account. You would have to insert the API Key in the script. You must log into the IBM Cloud and select the Code Engine Project you want to work on. After that execute the run script and this is what will be happen after execution.

The run script will:

  1. Create an instance in the Secrets Manager and Event Notifications
  2. Create a secret in the Secrets Manager
  3. Build a Code Engine App (code is already provided)
  4. Create same secret in the Code Engine Project
  5. Create necessary sources, topics, destination etc., in Event Notifications
  6. Bind all these components together
  7. Rotate the secrets in Secrets Manager
  8. At last, we will check the logs of the apps to verify if secret got updated in Code Engine Project

Delving deeper: Unraveling the process

Here is an architecture which will help you visualize the components we are working with.

When you execute the run script in the samples, it creates the Event Notifications Instance and Secrets Manager Instance of lite plan in your IBM Cloud Account. We create custom certificates using openssl commands and store in a temporary directory. A secret is created in the Secret Manager and is populated with this certificate and key. Necessary components like topics, sources, destinations, and subscriptions are created in the Event Notification Instance. A Code Engine application is built using local source code and a Code Engine secret is also created containing the same secret (certificate and key). Both the app and secret will reside in the same project selected. At last, we rotate the secret in the Secrets Manager with a new certificate.

When the secret is rotated, your Secrets Manager will act as a source and it will send a notification payload of json structure to Event Notification Topic. The Topic will have a filter which is configured in such a way that it will extract the notification data and check if that particular certificate was rotated. If and only if it that particular certificate was rotated, then it can pass through to the topic. There would be a destination created with the app URL. A subscription would be made between the topic and the destination. When the notification comes to the topic, the Event Notification will invoke the Code Engine Application by sending POST request to it with data being the notification payload. The App is configured in such a way that it will retrieve the secret from Secrets Manager and after that it will update the code engine secret with the retrieved secret.

A word of caution

As we have seen that Event Notification will invoke our application via sending POST request to it with the notification. But there is one caveat here, there is a response timeout from Event Notifications which is 60 seconds. To know more about it check the documentation of retry policy.

Simply put the app should scale up and process the response (i.e retrieve secret from Secrets Manager and update it in the project) within 60 seconds. If you consider executing a longer workload then you can use the Code Engine Job for the same. Refer to this documentation to know more about Code Engine Jobs.


We learned and created an automation tool for certificate renewal. If you have your certificates from third-party vendors, then you can refer this documentation on how to connect third-party certificate authorities to Secrets Manager.

Learn more about IBM Cloud Code Engine
Was this article helpful?

More from Cloud

A clear path to value: Overcome challenges on your FinOps journey 

3 min read - In recent years, cloud adoption services have accelerated, with companies increasingly moving from traditional on-premises hosting to public cloud solutions. However, the rise of hybrid and multi-cloud patterns has led to challenges in optimizing value and controlling cloud expenditure, resulting in a shift from capital to operational expenses.   According to a Gartner report, cloud operational expenses are expected to surpass traditional IT spending, reflecting the ongoing transformation in expenditure patterns by 2025. FinOps is an evolving cloud financial management discipline…

IBM Power8 end of service: What are my options?

3 min read - IBM Power8® generation of IBM Power Systems was introduced ten years ago and it is now time to retire that generation. The end-of-service (EoS) support for the entire IBM Power8 server line is scheduled for this year, commencing in March 2024 and concluding in October 2024. EoS dates vary by model: 31 March 2024: maintenance expires for Power Systems S812LC, S822, S822L, 822LC, 824 and 824L. 31 May 2024: maintenance expires for Power Systems S812L, S814 and 822LC. 31 October…

24 IBM offerings winning TrustRadius 2024 Top Rated Awards

2 min read - TrustRadius is a buyer intelligence platform for business technology. Comprehensive product information, in-depth customer insights and peer conversations enable buyers to make confident decisions. “Earning a Top Rated Award means the vendor has excellent customer satisfaction and proven credibility. It’s based entirely on reviews and customer sentiment,” said Becky Susko, TrustRadius, Marketing Program Manager of Awards. Top Rated Awards have to be earned: Gain 10+ new reviews in the past 12 months Earn a trScore of 7.5 or higher from…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters