Rotating Service Credentials for IBM Cloud Functions
Follow this tutorial to rotate credentials and bind them to IBM Cloud Functions to share with other users.
If you have followed some of my work, you know that I use IBM Cloud Functions, i.e., a serverless approach, for many projects. The tutorials with a database-driven (Db2-backed) Slackbot and the GitHub traffic analytics are such examples. In this blog post, I want to detail some of the security-related aspects. This includes how to share service credentials (think of a database username and password) with a cloud function and how to rotate the credentials.
Create and Bind Credentials
In order for a user or an app to access a service like a database system or a chatbot, a username and password or API keys are needed. In general, they are called service credentials. For many cloud computing technologies, sharing those credentials between services and apps is called binding a service.
Binding services to an IBM Cloud Functions action or package is simple. You create a service key, i.e., credentials, for the service in question. Depending on whether it is a Cloud Foundry or IAM (Identity and Access Management) service, this can be done by either (Cloud Foundry):
ibmcloud cf create-service-key MY_SERVICE_INSTANCE MY_KEY
or (IAM):
ibmcloud resource service-key-create MY_KEY Role --instance-name MY_SERVICE_INSTANCE
I prefer to use a combination of date, service and purpose for the key name. So it could be 20190717_Db2_Blogging if created today for a Db2 service used for blog-related tests.
Binding the generated service key to the action or package is done like this:
ibmcloud fn service bind SERVICE_TYPE ACTION_or_PACKAGE_NAME --instance MY_SERVICE_INSTANCE --keyname MY_KEY
Rotating Service Credentials
Changing the password or credentials should be done on a regular schedule and after certain events like an employee leaving. For the serverless scenario above, using IBM Cloud Functions with IBM Cloud services, the rotation can be done simply by:
- Generating new service credentials, see the example above.
- Binding the new key, e.g., 20191017_Db2_Blogging (3 months from now), to the action or package. See the example above. If the same service instance but a different key is used, then the old service credentials in the binding are replaced. The action or package will use the new credentials.
- Once everything works, delete the old service key. This is accomplished either by
ibmcloud cf delete-service-key MY_SERVICE_INSTANCE MY_KEY
or by
ibmcloud resource service-key-delete MY_KEY
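The three rotation steps above as one shell function for the IAM variant, with a check between binding and deletion. This is an added example, not code from the original post; the function names, argument order and the caller-supplied verification command are assumptions, and only the ibmcloud commands shown in the article are used.

```shell
# Added example (IAM variant only). Function names, argument order and the
# verification hook are assumptions of this sketch, not part of the ibmcloud CLI.

# key_name SERVICE PURPOSE [YYYYMMDD] -> e.g. 20190717_Db2_Blogging
key_name() {
  printf '%s_%s_%s\n' "${3:-$(date +%Y%m%d)}" "$1" "$2"
}

# rotate_key INSTANCE SERVICE_TYPE ACTION_OR_PACKAGE ROLE OLD_KEY NEW_KEY VERIFY_CMD...
# VERIFY_CMD is any caller-supplied command that exits 0 only when the action
# works with the new binding. The old key is deleted only after it succeeds.
rotate_key() {
  if [ "$#" -lt 7 ]; then
    echo "usage: rotate_key INSTANCE SERVICE_TYPE TARGET ROLE OLD_KEY NEW_KEY VERIFY_CMD..." >&2
    return 2
  fi
  rk_instance=$1 rk_type=$2 rk_target=$3 rk_role=$4 rk_old=$5 rk_new=$6
  shift 6   # the remaining arguments are the verification command
  if [ "$rk_old" = "$rk_new" ]; then
    echo "old and new key names are identical; refusing to rotate" >&2
    return 2
  fi
  # Step 1: generate new service credentials.
  ibmcloud resource service-key-create "$rk_new" "$rk_role" \
    --instance-name "$rk_instance" || return 1
  # Step 2: bind the new key; for the same instance this replaces the old binding.
  ibmcloud fn service bind "$rk_type" "$rk_target" \
    --instance "$rk_instance" --keyname "$rk_new" || return 1
  # Step 3: delete the old key only once everything works. On failure the old
  # key still exists, so it can be bound again while the problem is investigated.
  if ! "$@"; then
    echo "verification failed; old key '$rk_old' was NOT deleted" >&2
    return 3
  fi
  ibmcloud resource service-key-delete "$rk_old"
}
```

Call it with the article's placeholders followed by the check to run, for example `rotate_key MY_SERVICE_INSTANCE SERVICE_TYPE ACTION_or_PACKAGE_NAME Role OLD_KEY "$(key_name Db2 Blogging)" ./check_action.sh`, where `check_action.sh` is a hypothetical script of your own.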
Conclusions
Creating service credentials and binding them to IBM Cloud Functions actions is needed to build serverless solutions. Rotating the passwords or API keys is a best practice to maintain a higher level of security. It involves a few easy steps and discipline...
Published at DZone with permission of Henrik Loeser. See the original article here.