Wednesday, July 17, 2019

Rotating service credentials for IBM Cloud Functions

Keep your service keys secret
If you have followed some of my work, you know that I use IBM Cloud Functions, i.e., a serverless approach, for many projects. The tutorials with a database-driven (Db2-backed) Slackbot and the GitHub traffic analytics are such examples. In this blog post, I want to detail some of the security-related aspects. This includes how to share service credentials (think of a database username and password) with a cloud function and how to rotate the credentials.

Create and bind credentials

In order for a user or an app to access a service like a database system or a chatbot, a username and password or API keys are needed. In general, they are called service credentials. For many cloud computing technologies, sharing those credentials between services and apps is called binding a service.

Binding services to an IBM Cloud Functions action or package is simple. First you create a service key, i.e., a set of credentials, for the service in question. Depending on whether the service is a Cloud Foundry service or an IAM (Identity and Access Management) service, the key is created either with (Cloud Foundry)

ibmcloud cf create-service-key MY_SERVICE_INSTANCE MY_KEY

or with (IAM):

ibmcloud resource service-key-create MY_KEY ROLE_NAME --instance-name MY_SERVICE_INSTANCE

I prefer to use a combination of date, service and purpose for the key name. So it could be 20190717_Db2_Blogging if created today for a Db2 service and blog-related tests. The date makes it obvious later which key is the current one and which one is due for retirement.
Binding the generated service key to the action or package is done like this:

ibmcloud fn service bind SERVICE_TYPE ACTION_or_PACKAGE_NAME --instance MY_SERVICE_INSTANCE --keyname MY_KEY

Rotating service credentials

Changing the password or credentials should be done on a regular schedule and after certain events like an employee leaving. For the serverless scenario above, using IBM Cloud Functions with IBM Cloud services, the rotation can be done simply by
  1. Generating new service credentials, see the example above.
  2. Binding the new key, e.g., 20191017_Db2_Blogging (3 months from now), to the action or package. See the example above. If the same service instance but a different key is used, then the old service credentials in the binding are replaced. The action or package will use the new credentials.
  3. Once everything works, delete the old service key. This is accomplished either by
    ibmcloud cf delete-service-key MY_SERVICE_INSTANCE MY_KEY
    or by
    ibmcloud resource service-key-delete MY_KEY
    Until this step the old key remains valid, so if the action fails with the new credentials you can simply bind the old key again. Do not skip this step, though: only deleting the key actually revokes the old credentials.
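The following shell script puts the create, bind and rotate steps from both sections above into one reusable function. It is an added example, not a script from the original post; it assumes the ibmcloud CLI (ibmcloud resource and ibmcloud fn) is installed and logged in, that the target is an IAM service, and that the -f flag is used to skip the interactive delete confirmation. The verification command and the placeholder values in the usage comment are assumptions. Setting IBMCLOUD to a stand-in command (e.g. IBMCLOUD=echo) gives a dry run.

```shell
#!/bin/sh
# Rotation helper for an IAM service key bound to an IBM Cloud Functions action or package.
# Added example; not from the original post. Assumes the ibmcloud CLI is installed and
# logged in. Point IBMCLOUD at another command (e.g. IBMCLOUD=echo) for a dry run.
set -eu

# Key name convention from the post: DATE_SERVICE_PURPOSE, e.g. 20190717_Db2_Blogging.
# $1 = service label, $2 = purpose, $3 = date as YYYYMMDD (defaults to today).
key_name() {
  printf '%s_%s_%s\n' "${3:-$(date +%Y%m%d)}" "$1" "$2"
}

# Run the real CLI, or whatever IBMCLOUD points at.
cli() {
  "${IBMCLOUD:-ibmcloud}" "$@"
}

# rotate_iam_key INSTANCE ROLE SERVICE_TYPE ACTION_OR_PACKAGE NEW_KEY OLD_KEY VERIFY_CMD...
# Creates NEW_KEY, rebinds the target to it, runs VERIFY_CMD, and only then deletes OLD_KEY.
# If VERIFY_CMD fails, the binding is switched back to OLD_KEY (still valid, because it is
# never deleted before verification) and NEW_KEY is removed, so a bad rotation leaves the
# deployment exactly as it was.
rotate_iam_key() {
  instance="$1" role="$2" service_type="$3" target="$4" new_key="$5" old_key="$6"
  shift 6

  # 1. New credentials for the same service instance.
  cli resource service-key-create "$new_key" "$role" --instance-name "$instance"

  # 2. Same instance, different key: the existing binding is replaced, not duplicated.
  cli fn service bind "$service_type" "$target" --instance "$instance" --keyname "$new_key"

  # 3. Smoke test with the new credentials before touching the old key.
  if "$@"; then
    # Only this delete revokes the old credentials; -f skips the confirmation prompt.
    cli resource service-key-delete "$old_key" -f
    return 0
  fi

  # Roll back: the old key still exists, so rebinding it restores the previous state.
  cli fn service bind "$service_type" "$target" --instance "$instance" --keyname "$old_key"
  cli resource service-key-delete "$new_key" -f
  return 1
}

# Usage with placeholder values (assumed, adapt to your instance, role and target).
# The verification here invokes the action and treats a non-zero exit as failure:
# rotate_iam_key MY_SERVICE_INSTANCE ROLE_NAME SERVICE_TYPE ACTION_or_PACKAGE_NAME \
#   "$(key_name Db2 Blogging)" 20190717_Db2_Blogging \
#   ibmcloud fn action invoke ACTION_NAME --result
```

Because the old key is deleted last, a failed smoke test never leaves the action without working credentials; the cost of that safety is a short window in which two valid keys exist, which is why the script removes the loser of the two before returning.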

Conclusions

Creating service credentials and binding them to IBM Cloud Functions actions is needed to build serverless solutions. Rotating the passwords or API keys is best practice to maintain a higher level of security. It involves only a few easy steps, plus the discipline to actually perform them on schedule.
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.