July 29, 2019 By Henrik Loeser 3 min read

A look at security-related aspects of sharing and rotating service credentials

If you have followed some of my work, you know that I use IBM Cloud Functions (a serverless approach) and Cloud Foundry for many projects. The tutorials with a database-driven (Db2-backed) Slackbot and the GitHub traffic analytics are such examples. 

In this blog post, I want to detail some of the security-related aspects. This includes how to share service credentials (think of a database username and password) with a cloud function or a Cloud Foundry app and how to rotate the credentials.

Create and bind credentials

In order for a user or an app to access a service like a database system or a chatbot, a username and password or API keys are needed. In general, they are called service credentials. For many cloud computing technologies, sharing those credentials between services and apps is called binding a service.

Cloud Functions

Binding services to an IBM Cloud Functions action or package is simple. You create a service key (i.e., credentials) for the service in question. Depending on whether it is a Cloud Foundry or IAM (Identity and Access Management) service, this can be done by either Cloud Foundry:

ibmcloud cf create-service-key MY_SERVICE_INSTANCE MY_KEY

Or it can be done by IAM:

ibmcloud resource service-key-create MY_KEY Role --instance-name MY_SERVICE_INSTANCE

I prefer to use a combination of date, service, and purpose for the key name. So a key created on 7/27 for a Db2 service used in blog-related tests could be named 20190727_Db2_Blogging.

Binding the generated service key to the action or package is done like this:

ibmcloud fn service bind MY_SERVICE MY_ACTION_OR_PACKAGE --instance MY_SERVICE_INSTANCE --keyname MY_KEY

Rotate service credentials 

Changing the password or credentials should be done on a regular schedule and after certain events, like an employee leaving. For the serverless scenario above when using IBM Cloud Functions with IBM Cloud services, the rotation can be done simply by following these steps:

  1. Generate new service credentials (see the example above).
  2. Bind the new key (e.g., 20191027_Db2_Blogging – 3 months after creation) to the action or package. See the example above. If the same service instance but a different key is used, the old service credentials in the binding are replaced. The action or package will use the new credentials.
  3. Once everything works, delete the old service key. This is accomplished in one of two ways:
    ibmcloud cf delete-service-key MY_SERVICE_INSTANCE MY_KEY

    OR

    ibmcloud resource service-key-delete MY_KEY
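The three rotation steps above, put together as a small POSIX shell script. This is an added example, not code from the original post or from the github-traffic-stats repository. It assumes an IAM-managed service (so the ibmcloud resource commands apply), the ibmcloud fn service bind command for binding, and placeholder names for the service type, instance, role, action and keys. The old key is deleted only after the rebound action has been invoked successfully, so a failed rotation never leaves the action without working credentials. Setting IBMCLOUD=echo prints the command sequence instead of running it.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or the github-traffic-stats repo):
# rotate the service key bound to an IBM Cloud Functions action in the order
# the post describes: create new key, rebind, verify, delete old key.
# Assumptions: IAM-managed service (ibmcloud resource ...), the
# "ibmcloud fn service bind" command, placeholder service/instance/action names.

IBMCLOUD="${IBMCLOUD:-ibmcloud}"   # set IBMCLOUD=echo to dry-run the sequence

# Key name convention from the post: DATE_SERVICE_PURPOSE, e.g. 20190727_Db2_Blogging
# key_name SERVICE PURPOSE [YYYYMMDD]   (the date defaults to today)
key_name() {
  printf '%s_%s_%s\n' "${3:-$(date +%Y%m%d)}" "$1" "$2"
}

# rotate_fn_key SERVICE_TYPE INSTANCE ROLE ACTION OLD_KEY NEW_KEY
rotate_fn_key() {
  service_type=$1; instance=$2; role=$3; action=$4; old_key=$5; new_key=$6
  if [ -z "$new_key" ] || [ "$old_key" = "$new_key" ]; then
    echo "rotate_fn_key: new key must be set and differ from the old key" >&2
    return 1
  fi
  # 1. Generate new service credentials.
  "$IBMCLOUD" resource service-key-create "$new_key" "$role" --instance-name "$instance" || return 1
  # 2. Bind the new key; same instance with a different key replaces the old credentials.
  "$IBMCLOUD" fn service bind "$service_type" "$action" --instance "$instance" --keyname "$new_key" || return 1
  # Verify: invoke the action with the new credentials before removing the old key.
  if ! "$IBMCLOUD" fn action invoke "$action" --blocking --result >/dev/null; then
    echo "rotate_fn_key: verification failed, old key $old_key kept" >&2
    return 1
  fi
  # 3. Once everything works, delete the old service key.
  "$IBMCLOUD" resource service-key-delete "$old_key" -f
}

# Usage (placeholder names): replace the July key with a new October key.
# rotate_fn_key db2 MY_DB2_INSTANCE Manager MY_ACTION \
#   20190727_Db2_Blogging "$(key_name Db2 Blogging 20191027)"
```

The verification step is the one the numbered list leaves implicit ("once everything works"): without it, a script that deletes the old key right after binding would lock the action out if the new key or binding were wrong.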

Cloud Foundry

A popular PaaS (Platform as a service) technology is Cloud Foundry. On IBM Cloud, it is available both as public Cloud Foundry instances in multiple regions as well as Cloud Foundry Enterprise Environment (CFEE). 

Using Cloud Foundry for app development and production has many benefits. Personally, I like the ease of use and how services can be integrated with apps. 

Service management is built into Cloud Foundry. You can search for services, obtain details about plans and prices, provision them, and combine them with apps in different ways. A common scenario is to bind a service to an app. During the bind process, the service broker obtains a set of credentials and shares them with the application environment. At runtime, the app can then discover those credentials and connect to that service instance.

Rotate the credentials

To update (i.e., to rotate passwords or API keys), simply unbind the service from the app and bind it again. Then the app needs to be either restaged or restarted so that the new environment variables are picked up.

Typically, restaging an app involves a short downtime. The good news is that there are zero-downtime plugins for the Cloud Foundry CLI that keep the app available. Moreover, new zero-downtime (ZDT) commands are available as early beta and as part of the IBM Cloud CLI for Cloud Foundry.

I tested rotation of credentials for one of my apps with the new v3-zdt-restart command. The process is as follows:

ibmcloud cf unbind-service MY_APP MY_SERVICE_INSTANCE
ibmcloud cf bind-service MY_APP MY_SERVICE_INSTANCE
ibmcloud cf v3-zdt-restart MY_APP
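The same sequence as a reusable shell function, written as an added example rather than taken from the post. It goes slightly beyond the three commands above: it rebinds any number of service instances and then performs a single zero-downtime restart, since the new environment is only read when the app instances start. It assumes the ibmcloud CLI with the Cloud Foundry plugin and the beta v3-zdt-restart command; the app and service names are placeholders. Setting IBMCLOUD=echo prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): rebind one or more services to a
# Cloud Foundry app, then do one zero-downtime restart for all of them.
# Assumes the ibmcloud CLI with the Cloud Foundry plugin and the beta
# v3-zdt-restart command; app and service names are placeholders.

IBMCLOUD="${IBMCLOUD:-ibmcloud}"   # set IBMCLOUD=echo to dry-run

# rotate_cf_bindings APP SERVICE_INSTANCE [SERVICE_INSTANCE ...]
rotate_cf_bindings() {
  app=$1; shift
  if [ $# -eq 0 ]; then
    echo "usage: rotate_cf_bindings APP SERVICE_INSTANCE..." >&2
    return 1
  fi
  for svc in "$@"; do
    # Unbinding discards the credentials the broker issued for this app;
    # binding again makes the broker issue a fresh set into the app environment.
    "$IBMCLOUD" cf unbind-service "$app" "$svc" || return 1
    "$IBMCLOUD" cf bind-service "$app" "$svc" || return 1
  done
  # One restart suffices: running instances keep the old environment until
  # they are replaced, so every rebound service is picked up together.
  "$IBMCLOUD" cf v3-zdt-restart "$app"
}

# Usage (placeholder names):
# rotate_cf_bindings MY_APP MY_DB2_INSTANCE MY_COS_INSTANCE
```

Note that the old credentials only stop being used once the restart has replaced every instance; an app instance that is still running with the previous environment keeps working with the previous credentials until then.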

Summary

Creating service credentials and binding them to IBM Cloud Functions actions or Cloud Foundry apps is needed to build solutions. Rotating the passwords or API keys is best practice to maintain a higher level of security. It just involves a few easy steps and some discipline.

We extended the IBM Cloud solution tutorial on combining serverless and Cloud Foundry for data retrieval and analytics by adding a security section on how to rotate credentials. The GitHub repository for that tutorial, github-traffic-stats, offers scripts to automate the rotation. Try it! 

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.
