July 29, 2019 By Henrik Loeser 3 min read

A look at security-related aspects of sharing and rotating service credentials

If you have followed some of my work, you know that I use IBM Cloud Functions (a serverless approach) and Cloud Foundry for many projects. The tutorials with a database-driven (Db2-backed) Slackbot and the GitHub traffic analytics are such examples. 

In this blog post, I want to detail some of the security-related aspects. This includes how to share service credentials (think of a database username and password) with a cloud function or a Cloud Foundry app and how to rotate the credentials.

Create and bind credentials

In order for a user or an app to access a service like a database system or a chatbot, a username and password or API keys are needed. In general, they are called service credentials. For many cloud computing technologies, sharing those credentials between services and apps is called binding a service.

Cloud Functions

Binding services to an IBM Cloud Functions action or package is simple. First, you create a service key (i.e., a set of credentials) for the service instance in question. Depending on whether the instance is managed by Cloud Foundry or by IAM (Identity and Access Management), this is done with the Cloud Foundry command:

ibmcloud cf create-service-key MY_SERVICE_INSTANCE MY_KEY

or with the resource (IAM) command, where Role is the service role the key should carry (the valid role names depend on the service; pick the least privileged one the action needs):

ibmcloud resource service-key-create MY_KEY Role --instance-name MY_SERVICE_INSTANCE

I prefer to use a combination of date, service, and purpose for the key name. So, it could be 20190727_Db2_Blogging for a key created on July 27, 2019 for a Db2 service used in blog-related tests. The date in the name makes it obvious later which key is the old one.

Binding the generated service key to the action or package is done with the Cloud Functions CLI. Note that the first argument is the service type (the catalog name, such as cloudantNoSQLDB), not the instance name; the instance and the key are selected by the options:

ibmcloud fn service bind MY_SERVICE MY_ACTION_OR_PACKAGE --instance MY_SERVICE_INSTANCE --keyname MY_KEY

The credentials are then passed to the action as the default parameter __bx_creds, so they never have to be hard-coded in the action's source or its deployment files.

Rotate service credentials 

Changing the password or credentials should be done on a regular schedule and after certain events, like an employee leaving. For the serverless scenario above when using IBM Cloud Functions with IBM Cloud services, the rotation can be done simply by following these steps:

  1. Generate new service credentials (see the example above).
  2. Bind the new key (e.g., 20191027_Db2_Blogging, three months after the first one) to the action or package, again as shown above. Binding a different key of the same service instance replaces the old service credentials in the binding, so the action or package uses the new credentials from then on.
  3. Verify that the action still works with the new credentials, then delete the old service key. Until it is deleted, the old key remains valid even though nothing is bound to it anymore, so this step is what actually revokes the previous password. Depending on the service type, it is done with either

    ibmcloud cf delete-service-key MY_SERVICE_INSTANCE MY_KEY

    or

    ibmcloud resource service-key-delete MY_KEY
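The three steps above as one shell script, added here as an example; it is not code from the post or from the github-traffic-stats repository. The service type (first argument of ibmcloud fn service bind), the instance, action and key names are placeholders. Setting IBMCLOUD=echo prints the commands instead of running them, KEY_API selects the Cloud Foundry or the IAM key commands, and SMOKE_TEST is a hypothetical hook for the "once everything works" check; the old key is only deleted after the rebind and that check succeed.

```shell
#!/bin/sh
# Added example (not code from the post or its tutorial repository): the
# three rotation steps as one script. Service, instance, action and key
# names are placeholders; set IBMCLOUD=echo for a dry run that only prints
# the commands. Run: rotate-fn-creds.sh SERVICE INSTANCE ACTION OLD_KEY NEW_KEY
IBMCLOUD="${IBMCLOUD:-ibmcloud}"
KEY_API="${KEY_API:-iam}"      # iam (ibmcloud resource ...) or cf (ibmcloud cf ...)
ROLE="${ROLE:-Manager}"        # IAM service role; valid names depend on the service

# Key name in the post's convention: <YYYYMMDD>_<service>_<purpose>,
# defaulting to today's UTC date, e.g. 20190727_Db2_Blogging.
key_name() {
  printf '%s_%s_%s\n' "${3:-$(date -u +%Y%m%d)}" "$1" "$2"
}

create_key() {   # $1 instance name, $2 key name
  if [ "$KEY_API" = cf ]; then
    "$IBMCLOUD" cf create-service-key "$1" "$2"
  else
    "$IBMCLOUD" resource service-key-create "$2" "$ROLE" --instance-name "$1"
  fi
}

delete_key() {   # $1 instance name, $2 key name; -f skips the confirmation prompt
  if [ "$KEY_API" = cf ]; then
    "$IBMCLOUD" cf delete-service-key "$1" "$2" -f
  else
    "$IBMCLOUD" resource service-key-delete "$2" -f
  fi
}

# $1 service type (catalog name, e.g. cloudantNoSQLDB), $2 instance name,
# $3 action or package, $4 old key name, $5 new key name.
# Order matters: the old key is deleted last, and only after the rebind
# (and the optional SMOKE_TEST command) succeeded, so a failure half way
# through never leaves the action without working credentials.
rotate_fn_creds() {
  service=$1 instance=$2 target=$3 old_key=$4 new_key=$5
  if [ "$old_key" = "$new_key" ]; then
    echo "refusing to rotate: new key name equals old key name" >&2
    return 1
  fi
  create_key "$instance" "$new_key" || return 1
  # Same instance, different key: the credentials in the binding are replaced.
  "$IBMCLOUD" fn service bind "$service" "$target" \
      --instance "$instance" --keyname "$new_key" || return 1
  # "Once everything works": e.g. SMOKE_TEST='ibmcloud fn action invoke myaction --result'
  if [ -n "${SMOKE_TEST:-}" ] && ! sh -c "$SMOKE_TEST"; then
    echo "smoke test failed; old key $old_key kept so you can bind it back" >&2
    return 1
  fi
  # Only now does the previous password stop working anywhere.
  delete_key "$instance" "$old_key"
}

if [ "$#" -eq 5 ]; then
  rotate_fn_creds "$@"
fi
```

A dry run such as IBMCLOUD=echo ./rotate-fn-creds.sh dashDB my-db2 myaction 20190727_Db2_Blogging "$(key_name Db2 Blogging)" shows the exact commands before anything is changed.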

Cloud Foundry

A popular PaaS (Platform as a service) technology is Cloud Foundry. On IBM Cloud, it is available both as public Cloud Foundry instances in multiple regions as well as Cloud Foundry Enterprise Environment (CFEE). 

Using Cloud Foundry for app development and production has many benefits. Personally, I like the ease of use and how services can be integrated with apps. 

Service management is built into Cloud Foundry. You can search the catalog for services, obtain details about their plans and prices, provision instances, and combine them with apps in different ways. A common scenario is to bind a service instance to an app. During the bind process, the service broker generates a set of credentials for that binding and shares them with the application environment (the VCAP_SERVICES environment variable). At runtime, the app discovers those credentials there and connects to the service instance.

Rotate the credentials

To rotate passwords or API keys, unbind the service from the app and bind it again; the service broker issues a new set of credentials for the new binding. Then, the app needs to be either restaged or restarted, because the new environment variables are only picked up when the app starts. Whether a rebind really yields different credentials is up to the service broker, so compare the output of ibmcloud cf env MY_APP before and after the rebind; if the credentials are unchanged, rotate them at the service instance (a new service key) as well.

Typically, restaging an app will involve a short downtime. The good news is that there are zero downtime plugins for the Cloud Foundry CLI that keep the app available. Moreover, new zero downtime (ZDT) commands are available as early beta and as part of the IBM Cloud CLI for Cloud Foundry.

I tested rotation of credentials for one of my apps with the new v3-zdt-restart command. The process is as follows:

ibmcloud cf unbind-service MY_APP MY_SERVICE_INSTANCE
ibmcloud cf bind-service MY_APP MY_SERVICE_INSTANCE
ibmcloud cf v3-zdt-restart MY_APP
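The same sequence as a script with the verification step, added here as an example (not code from the post or its tutorial repository). MY_APP and MY_SERVICE_INSTANCE are placeholders, IBMCLOUD=echo turns it into a dry run, and the fingerprint is a heuristic over the credential fields in the ibmcloud cf env output; the sample_env function produces a constructed cf env dump with fake credentials so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not code from the post or its tutorial repository): unbind,
# rebind and zero-downtime restart, plus a check that the app really
# received different secrets. MY_APP and MY_SERVICE_INSTANCE are placeholders;
# set IBMCLOUD=echo for a dry run.
IBMCLOUD="${IBMCLOUD:-ibmcloud}"

# Fingerprint of the secrets in an `ibmcloud cf env APP` dump (read from
# stdin). Only lines with typical credential fields inside VCAP_SERVICES are
# hashed, so binding metadata that changes on every rebind (binding GUIDs
# and names) cannot disguise a broker that returned the same password.
# Heuristic: add the field names your service uses if they differ.
creds_fingerprint() {
  sed -n '/"VCAP_SERVICES"/,/^$/p' \
    | grep -E '"(password|apikey|api_key|username|uri|url)"' \
    | sed 's/^[[:space:]]*//' \
    | sort \
    | cksum | cut -d' ' -f1
}

rotate_cf_creds() {   # $1 app name, $2 service instance name
  app=$1 instance=$2
  before=$("$IBMCLOUD" cf env "$app" | creds_fingerprint)
  "$IBMCLOUD" cf unbind-service "$app" "$instance" || return 1
  "$IBMCLOUD" cf bind-service "$app" "$instance" || return 1
  after=$("$IBMCLOUD" cf env "$app" | creds_fingerprint)
  if [ "$before" = "$after" ]; then
    # Whether a rebind yields fresh credentials is up to the service broker.
    echo "warning: credentials for $app look unchanged after rebind;" \
         "rotate the key at the service instance as well" >&2
  fi
  # The new VCAP_SERVICES is only picked up on restart or restage; the
  # v3-zdt-restart command does that without taking the app down.
  "$IBMCLOUD" cf v3-zdt-restart "$app"
}

# Constructed sample of `ibmcloud cf env` output (fake credentials), used to
# exercise creds_fingerprint offline: $1 password, $2 binding GUID.
sample_env() {
  cat <<EOF
Getting env variables for app MY_APP in org myorg / space dev as me...
OK

System-Provided:
{
 "VCAP_SERVICES": {
  "dashDB For Transactions": [
   {
    "binding_guid": "$2",
    "credentials": {
     "hostname": "db2.example.com",
     "password": "$1",
     "port": 50001,
     "username": "appuser"
    },
    "label": "dashDB For Transactions",
    "name": "MY_SERVICE_INSTANCE"
   }
  ]
 }
}

{
 "VCAP_APPLICATION": {
  "application_name": "MY_APP"
 }
}
EOF
}

if [ "$#" -eq 2 ]; then
  rotate_cf_creds "$@"
fi
```

Two dumps that differ only in the binding GUID produce the same fingerprint, while a changed password produces a different one, which is exactly the distinction the warning relies on.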

Summary

Creating service credentials and binding them to IBM Cloud Functions actions or Cloud Foundry apps is needed to build solutions. Rotating the passwords or API keys is best practice to maintain a higher level of security. It just involves a few easy steps and some discipline.

We extended the IBM Cloud solution tutorial on combining serverless and Cloud Foundry for data retrieval and analytics by adding a security section on how to rotate credentials. The GitHub repository for that tutorial, github-traffic-stats, offers scripts to automate the rotation. Try it! 

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.
