November 10, 2023 By Karan Kumar
Mahesh Kumawat
Enrique Encalada
5 min read

This blog will focus on the integration of IBM Cloud Code Engine and IBM Cloud Event Notifications along with IBM Cloud Secrets Manager to build a robust use case that will automate your certificate renewal process for applications in your code engine project. We will build a simple app using IBM Cloud Code Engine to update your secrets in a Code Engine Project.

The services which we will be using are:

  1. IBM Cloud Code Engine
  2. IBM Cloud Event Notifications
  3. IBM Cloud Secrets Manager

It is not required to have a prerequisite knowledge on these services—although brief knowledge would be good. You can just follow the instructions and you will be able to build this sample application. All the code is provided in the Github URL. Before we continue let me give you a brief knowledge on these services.

What is IBM Cloud Code Engine?

IBM Cloud Code Engine is a fully managed, serverless platform that runs your containerized workloads, including web apps, microservices, event-driven functions, and batch jobs with run-to-completion characteristics. The Code Engine experience is designed so that you can focus on writing code and not on the infrastructure that is needed to host it.

What is IBM Cloud Event Notifications?

IBM Cloud Event Notifications is a routing service that provides you about critical events that occur in your IBM Cloud account. You can filter and route event notifications from IBM Cloud services like IBM Cloud Monitoring, Security and Compliance Center, Secrets Manager, IBM Cloud Projects, and Toolchain to communication channels like email, webhook, slack, IBM Code Engine, et al.

What is IBM Cloud Secrets Manager?

IBM Cloud Secrets Manager is a service where you can create, lease, and centrally manage secrets that are used in IBM Cloud services or your custom-built applications. Secrets are stored in a dedicated Secrets Manager instance, built on open source.

Embarking Journey with apps and certificates

Let’s say you have your Code Engine Application which has its own secret—TLS Certificate and Private Key. Generally, you would keep these secrets in something like a vault that would manage it. Assume that you store this secret in Secrets Manager. You will also store the same secret in your Code Engine Project where the App resides. So far, all good, your app will be able to use this secret and will be functional.

However, secrets can expire after a certain time period and therefore needs to be renewed. Everything was working fine until the secret expired, your app which uses this secret will be disrupted, thereby affecting your customers.

If you know about Secrets Manager, then you would be familiar that it can also rotate the secrets to new one automatically when they get expired. Let’s say you rotate the secrets in the Secrets Manager. Then what about your Code Engine Project? The secrets won’t be updated there, unless you manually do it. Let’s say you built another Code Engine Application which will retrieve the secrets from the Secrets Manager and update it in the project.

So far so good, but there is still one problem: How will your app know when to update the secret? Unless there was some way the app gets notified when the secrets were rotated in the Secrets Manager. In this scenario you can use Event Notifications to send notification to your app whenever the secret got rotated in the Secrets Manager. When the app gets notified, it can then do the update.

This is what we will do, we will use these different services and automate our secret renewal process. Therefore, you as a user do not have to manually update the secrets and preventing disruptions of your applications due to expired certificates

Let’s dive right in

Clone the repository and hop into the “app-n-event-notification” directory. You would have to create an API Key in your IBM Cloud Account. You would have to insert the API Key in the script. You must log into the IBM Cloud and select the Code Engine Project you want to work on. After that execute the run script and this is what will be happen after execution.

The run script will:

  1. Create an instance in the Secrets Manager and Event Notifications
  2. Create a secret in the Secrets Manager
  3. Build a Code Engine App (code is already provided)
  4. Create same secret in the Code Engine Project
  5. Create necessary sources, topics, destination etc., in Event Notifications
  6. Bind all these components together
  7. Rotate the secrets in Secrets Manager
  8. At last, we will check the logs of the apps to verify if secret got updated in Code Engine Project

Delving deeper: Unraveling the process

Here is an architecture which will help you visualize the components we are working with.

When you execute the run script in the samples, it creates the Event Notifications Instance and Secrets Manager Instance of lite plan in your IBM Cloud Account. We create custom certificates using openssl commands and store in a temporary directory. A secret is created in the Secret Manager and is populated with this certificate and key. Necessary components like topics, sources, destinations, and subscriptions are created in the Event Notification Instance. A Code Engine application is built using local source code and a Code Engine secret is also created containing the same secret (certificate and key). Both the app and secret will reside in the same project selected. At last, we rotate the secret in the Secrets Manager with a new certificate.

When the secret is rotated, your Secrets Manager will act as a source and it will send a notification payload of json structure to Event Notification Topic. The Topic will have a filter which is configured in such a way that it will extract the notification data and check if that particular certificate was rotated. If and only if it that particular certificate was rotated, then it can pass through to the topic. There would be a destination created with the app URL. A subscription would be made between the topic and the destination. When the notification comes to the topic, the Event Notification will invoke the Code Engine Application by sending POST request to it with data being the notification payload. The App is configured in such a way that it will retrieve the secret from Secrets Manager and after that it will update the code engine secret with the retrieved secret.

A word of caution

As we have seen that Event Notification will invoke our application via sending POST request to it with the notification. But there is one caveat here, there is a response timeout from Event Notifications which is 60 seconds. To know more about it check the documentation of retry policy.

Simply put the app should scale up and process the response (i.e retrieve secret from Secrets Manager and update it in the project) within 60 seconds. If you consider executing a longer workload then you can use the Code Engine Job for the same. Refer to this documentation to know more about Code Engine Jobs.


We learned and created an automation tool for certificate renewal. If you have your certificates from third-party vendors, then you can refer this documentation on how to connect third-party certificate authorities to Secrets Manager.

Learn more about IBM Cloud Code Engine

More from Cloud

The advantages and disadvantages of hybrid cloud

6 min read - With the rapid advancements in cloud computing, data management and artificial intelligence (AI), hybrid cloud plays an integral role in next-generation IT infrastructure. Enterprise-level businesses rely on hybrid cloud solutions to run critical workloads from anywhere by combining and unifying on-premises, private cloud and public cloud environments. Just like any other IT solution, adopting a successful hybrid cloud strategy starts with examining how this cloud computing architecture can drive overall business objectives. As an initial step, business and IT leaders…

IBM Tech Now: December 11, 2023

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 90 On this episode, we're covering the following topics: IBM Quantum Heron IBM Quantum System Two The GA of watsonx.governance Stay plugged in You can check out the IBM Blog Announcements for a full…

Get ready for change with IBM Cloud Training

2 min read - As generative AI creates new opportunities and transforms cloud operations, it is crucial to learn how to maximize the value of these tools. A recent report from the IBM Institute for Business Value found that 68% of hybrid cloud users already have a formal, organization-wide policy or approach for the use of generative AI. That same report also noted that 58% of global decision makers say that cloud skills remain a considerable challenge. Being proactive in your learning can significantly…

Data center consolidation: Strategy and best practices

7 min read - The modern pace of data creation is staggering. The average organization produces data constantly—perhaps even continuously—and soon it’s investing in servers to provide ample storage for that information. In time, and probably sooner than expected, the organization accrues more data and outgrows that server, so it invests in multiple servers. Or that company could tie into a data center, which is built to accommodate even larger warehouses of information. But the creation of new data never slows for long. And…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters