July 29, 2019 By Henrik Loeser 3 min read

A look at security-related aspects of sharing and rotating service credentials

If you have followed some of my work, you know that I use IBM Cloud Functions (a serverless approach) and Cloud Foundry for many projects. The tutorials with a database-driven (Db2-backed) Slackbot and the GitHub traffic analytics are such examples. 

In this blog post, I want to detail some of the security-related aspects. This includes how to share service credentials (think of a database username and password) with a cloud function or a Cloud Foundry app and how to rotate the credentials.

Create and bind credentials

In order for a user or an app to access a service like a database system or a chatbot, a username and password or API keys are needed. In general, they are called service credentials. For many cloud computing technologies, sharing those credentials between services and apps is called binding a service.

Cloud Functions

Binding services to an IBM Cloud Functions action or package is simple. You create a service key (i.e., credentials) for the service in question. Depending on whether it is a Cloud Foundry or IAM (Identity and Access Management) service, this can be done by either Cloud Foundry:

ibmcloud cf create-service-key MY_SERVICE_INSTANCE MY_KEY

Or it can be done by IAM:

ibmcloud resource service-key-create MY_KEY Role --instance-name MY_SERVICE_INSTANCE

I prefer to use a combination of date, service, and purpose for the key name. So, it could be 20190727_Db2_Blogging if created on 7/27 of a Db2 service with blog-related tests.

Binding the generated service key to the action or package is done like this:

ibmcloud fn service bind SERVICE_TYPE MY_ACTION_OR_PACKAGE --instance MY_SERVICE_INSTANCE --keyname MY_KEY

Rotate service credentials 

Changing the password or credentials should be done on a regular schedule and after certain events, like an employee leaving. For the serverless scenario above when using IBM Cloud Functions with IBM Cloud services, the rotation can be done simply by following these steps:

  1. Generate new service credentials (see the example above).
  2. Bind the new key (e.g., 20191027_Db2_Blogging, created 3 months after the first one) to the action or package, as shown in the example above. If the same service instance but a different key is used, the old service credentials in the binding are replaced, and the action or package will use the new credentials.
  3. Once everything works, delete the old service key. Depending on whether it is a Cloud Foundry or an IAM service, this is done with one of the following commands:

     ibmcloud cf delete-service-key MY_SERVICE_INSTANCE MY_KEY

     OR

     ibmcloud resource service-key-delete MY_KEY

Cloud Foundry

A popular PaaS (Platform as a service) technology is Cloud Foundry. On IBM Cloud, it is available both as public Cloud Foundry instances in multiple regions as well as Cloud Foundry Enterprise Environment (CFEE). 

Using Cloud Foundry for app development and production has many benefits. Personally, I like the ease of use and how services can be integrated with apps. 

Service management is built into Cloud Foundry. You can search for them and obtain details about plans and prices, then provision them and combine them with apps in different ways. A common scenario is to bind them to an app. During the bind process, the service broker obtains a set of credentials and shares them with the application environment. During runtime, apps can then discover those credentials and connect to that service instance.

Rotate the credentials

To update (i.e., to rotate passwords or API keys), simply unbind the service from the app and bind it again. Then, the app needs to be either restaged or restarted so that the new environment variables are picked up.

Typically, restaging an app will involve a short downtime. The good news is that there are zero downtime plugins for the Cloud Foundry CLI that keep the app available. Moreover, new zero downtime (ZDT) commands are available as early beta and as part of the IBM Cloud CLI for Cloud Foundry.

I tested rotation of credentials for one of my apps with the new v3-zdt-restart command. The process is as follows:

ibmcloud cf unbind-service MY_APP MY_SERVICE_INSTANCE
ibmcloud cf bind-service MY_APP MY_SERVICE_INSTANCE
ibmcloud cf v3-zdt-restart MY_APP
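To show both rotation procedures from this post end to end, here is an added shell script (my example, not code from the original post or from the github-traffic-stats repository). It wraps the Cloud Functions steps (create a date-stamped key, bind it, delete the old key) and the Cloud Foundry steps (unbind, bind, zero-downtime restart) into functions, builds key names in the date_service_purpose convention used above, and prints the ibmcloud commands instead of running them when DRY_RUN=1. All MY_* names, the SERVICE_TYPE argument of ibmcloud fn service bind, and the default IAM role "Manager" are placeholders or assumptions; adjust them to your service instance.

```shell
#!/bin/sh
# Added example (not part of the original post): rotate service credentials
# bound to an IBM Cloud Functions action/package or to a Cloud Foundry app.
# DRY_RUN=1 prints each ibmcloud command instead of executing it.
# ROLE is the IAM role granted to the new key; "Manager" is an assumed default.

# Build a key name in the post's convention: <YYYYMMDD>_<service>_<purpose>.
# The date defaults to today and can be given explicitly (e.g., for testing).
key_name() {
  service="$1"; purpose="$2"; day="${3:-$(date +%Y%m%d)}"
  printf '%s_%s_%s\n' "$day" "$service" "$purpose"
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Cloud Functions rotation for an IAM-based service:
# 1. create the new key, 2. bind it to the action or package (this replaces
# the binding of the old key for the same instance), 3. delete the old key.
# Arguments: instance, service type (as expected by "ibmcloud fn service bind"),
# action or package name, old key name, new key name.
rotate_functions_binding() {
  instance="$1"; service_type="$2"; target="$3"; old_key="$4"; new_key="$5"
  run ibmcloud resource service-key-create "$new_key" "${ROLE:-Manager}" \
    --instance-name "$instance" || return 1
  run ibmcloud fn service bind "$service_type" "$target" \
    --instance "$instance" --keyname "$new_key" || return 1
  # Only remove the old key after the new binding has been verified to work.
  run ibmcloud resource service-key-delete "$old_key"
}

# Cloud Foundry rotation: unbind, bind again (the service broker issues fresh
# credentials), then restart with zero downtime so the app picks up the new
# environment variables. Arguments: app name, service instance name.
rotate_cf_binding() {
  app="$1"; instance="$2"
  run ibmcloud cf unbind-service "$app" "$instance" || return 1
  run ibmcloud cf bind-service "$app" "$instance" || return 1
  run ibmcloud cf v3-zdt-restart "$app"
}

# Usage: ./rotate.sh functions OLD_KEY_NAME   or   ./rotate.sh cf
case "${1:-}" in
  functions)
    rotate_functions_binding MY_SERVICE_INSTANCE MY_SERVICE_TYPE MY_ACTION \
      "${2:?old key name required}" "$(key_name Db2 Blogging)" ;;
  cf)
    rotate_cf_binding MY_APP MY_SERVICE_INSTANCE ;;
esac
```

Run it once with DRY_RUN=1 to review the exact commands before touching a real instance, and keep the old key until the action or app has been checked with the new credentials; deleting it is the last step for a reason.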

Summary

Creating service credentials and binding them to IBM Cloud Functions actions or Cloud Foundry apps is needed to build solutions. Rotating the passwords or API keys is best practice to maintain a higher level of security. It just involves a few easy steps and some discipline.

We extended the IBM Cloud solution tutorial on combining serverless and Cloud Foundry for data retrieval and analytics by adding a security section on how to rotate credentials. The GitHub repository for that tutorial, github-traffic-stats, offers scripts to automate the rotation. Try it! 

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.
