Rotating Service Credentials for IBM Cloud Functions

Follow this tutorial to rotate credentials and bind them to IBM Cloud Functions to share with other users.

by Henrik Loeser · Jul. 30, 19 · Cloud Zone · Tutorial

If you have followed some of my work, you know that I use IBM Cloud Functions, i.e., a serverless approach, for many projects. The tutorials with a database-driven (Db2-backed) Slackbot and the GitHub traffic analytics are such examples. In this blog post, I want to detail some of the security-related aspects. This includes how to share service credentials (think of a database username and password) with a cloud function and how to rotate the credentials.

Create and Bind Credentials

In order for a user or an app to access a service like a database system or a chatbot, a username and password or API keys are needed. In general, they are called service credentials. For many cloud computing technologies, sharing those credentials between services and apps is called binding a service.

Binding services to an IBM Cloud Functions action or package is simple. You create a service key, i.e., credentials, for the service in question. Depending on whether it is a Cloud Foundry or IAM (Identity and Access Management) service, this can be done by either (Cloud Foundry):

 ibmcloud cf create-service-key MY_SERVICE_INSTANCE MY_KEY 

or (IAM):

ibmcloud resource service-key-create MY_KEY Role --instance-name MY_SERVICE_INSTANCE 

I prefer to use a combination of date, service, and purpose for the key name. So it could be 20190717_Db2_Blogging if created today for a Db2 service with blog-related tests.

Binding the generated service key to the action or package is done like this:

ibmcloud fn service bind SERVICE_TYPE ACTION_or_PACKAGE_NAME --instance MY_SERVICE_INSTANCE --keyname MY_KEY

Rotating Service Credentials

Changing the password or credentials should be done on a regular schedule and after certain events like an employee leaving. For the serverless scenario above, when using IBM Cloud Functions with IBM Cloud services, the rotation can be done simply by:

  1. Generating new service credentials, see the example above.
  2. Binding the new key, e.g., 20191017_Db2_Blogging (3 months from now), to the action or package. See the example above. If the same service instance but a different key is used, then the old service credentials in the binding are replaced. The action or package will use the new credentials.
  3. Once everything works, delete the old service key. This is accomplished either by

     ibmcloud cf delete-service-key MY_SERVICE_INSTANCE MY_KEY

     or by

     ibmcloud resource service-key-delete MY_KEY
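The three rotation steps above as one script, for the IAM case only. This is an added example, not code from the original article: the function names, the IBMCLOUD override variable, and the caller-supplied verify command are assumptions, and the -f flag is used to skip the delete confirmation prompt. The old key is deleted only after the verify command succeeds, so a failed rotation leaves the old credentials available for rollback.

```shell
#!/bin/sh
# Added example (not from the article): rotation steps 1-3 for an IAM service.
# IBMCLOUD may point at a stub for dry runs; it defaults to the real CLI.
IBMCLOUD="${IBMCLOUD:-ibmcloud}"

# Key name in the article's date_service_purpose style, e.g. 20191017_Db2_Blogging.
key_name() {  # usage: key_name SERVICE PURPOSE [YYYYMMDD]
  printf '%s_%s_%s\n' "${3:-$(date +%Y%m%d)}" "$1" "$2"
}

# usage: rotate_key SERVICE_TYPE INSTANCE ACTION_or_PACKAGE ROLE OLD_KEY NEW_KEY VERIFY_CMD...
# VERIFY_CMD is a caller-supplied check that the action works with the new binding.
# Returns 0 on success, 1 if create/bind failed, 2 on bad arguments, 3 if verify failed.
rotate_key() {
  local type="$1" instance="$2" target="$3" role="$4" old="$5" new="$6"
  if [ "$#" -lt 7 ] || [ "$old" = "$new" ]; then
    echo "need a verify command and a new key name that differs from the old one" >&2
    return 2
  fi
  shift 6
  # Step 1: generate new service credentials.
  "$IBMCLOUD" resource service-key-create "$new" "$role" --instance-name "$instance" || {
    echo "could not create $new; binding unchanged" >&2
    return 1
  }
  # Step 2: bind the new key; same instance, different key replaces the old binding.
  "$IBMCLOUD" fn service bind "$type" "$target" --instance "$instance" --keyname "$new" || {
    echo "bind failed; $new exists but is not bound, $old was not deleted" >&2
    return 1
  }
  # Step 3: delete the old key only once everything works.
  if ! "$@"; then
    echo "verification failed; $old kept so the binding can be rolled back" >&2
    return 3
  fi
  "$IBMCLOUD" resource service-key-delete "$old" -f
}

# Run a rotation only when the script is called with a full argument list.
if [ "$#" -ge 7 ]; then
  rotate_key "$@"
fi
```
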

Conclusions

Creating service credentials and binding them to IBM Cloud Functions actions is needed to build serverless solutions. Rotating the passwords or API keys is a best practice to maintain a higher level of security. It involves a few easy steps and discipline...

Published at DZone with permission of Henrik Loeser. See the original article here.