A look at security-related aspects of sharing and rotating service credentials
If you have followed some of my work, you know that I use IBM Cloud Functions (a serverless approach) and Cloud Foundry for many projects. The tutorials with a database-driven (Db2-backed) Slackbot and the GitHub traffic analytics are such examples.
In this blog post, I want to detail some of the security-related aspects. This includes how to share service credentials (think of a database username and password) with a cloud function or a Cloud Foundry app and how to rotate the credentials.
Create and bind credentials
In order for a user or an app to access a service like a database system or a chatbot, a username and password or API keys are needed. In general, they are called service credentials. For many cloud computing technologies, sharing those credentials between services and apps is called binding a service.
Binding services to an IBM Cloud Functions action or package is simple. You create a service key (i.e., credentials) for the service in question. Depending on whether it is a Cloud Foundry or IAM (Identity and Access Management) service, this can be done by either Cloud Foundry:
Or it can be done by IAM:
I prefer to use a combination of date, service, and purpose for the key name. So, it could be 20190727_Db2_Blogging if created on 7/27 of a Db2 service with blog-related tests.
Binding the generated service key to the action or package is done like this:
Rotate service credentials
Changing the password or credentials should be done on a regular schedule and after certain events, like an employee leaving. For the serverless scenario above when using IBM Cloud Functions with IBM Cloud services, the rotation can be done simply by following these steps:
- Generate new service credentials (see the example above).
- Bind the new key (e.g., 20191027_Db2_Blogging – 3 months after creation) to the action or package. See the example above. If the same service instance but a different key is used, the old service credentials in the binding are replaced. The action or package will use the new credentials.
- Once everything works, delete the old service key. This is accomplished in one of two ways: OR
A popular PaaS (Platform as a service) technology is Cloud Foundry. On IBM Cloud, it is available both as public Cloud Foundry instances in multiple regions as well as Cloud Foundry Enterprise Environment (CFEE).
Using Cloud Foundry for app development and production has many benefits. Personally, I like the ease of use and how services can be integrated with apps.
Service management is built into Cloud Foundry. You can search for them and obtain details about plans and prices, then provision them and combine them with apps in different ways. A common scenario is to bind them to an app. During the bind process, the service broker obtains a set of credentials and shares them with the application environment. During runtime, apps can then discover those credentials and connect to that service instance.
Rotate the credentials
To update (i.e., to rotate passwords or API keys), simply unbind and then bind again the service to the app. Then, the app needs to be either restaged or restarted. This is needed so that the new environment variables are picked up.
Typically, restaging an app will involve a short downtime. The good news is that there are zero downtime plugins for the Cloud Foundry CLI that keep the app available. Moreover, new zero downtime (ZDT) commands are available as early beta and as part of the IBM Cloud CLI for Cloud Foundry.
I tested rotation of credentials for one of my apps with the new v3-zdt-restart command. The process is as follows:
Creating service credentials and binding them to IBM Cloud Functions actions or Cloud Foundry apps is needed to build solutions. Rotating the passwords or API keys is best practice to maintain a higher level of security. It just involves a few easy steps and some discipline.
We extended the IBM Cloud solution tutorial on combining serverless and Cloud Foundry for data retrieval and analytics by adding a security section on how to rotate credentials. The GitHub repository for that tutorial, github-traffic-stats, offers scripts to automate the rotation. Try it!