Protect credentials in Key Protect
Manage credentials in Key Protect
IBM Cloud Key Protect integrates directly with several cloud services. It is used, for example, for BYOK (bring your own key) data encryption. Moreover, Key Protect can store so-called standard keys, which are basically any base64-encoded string. This comes in handy when there is a need to keep credentials in a vault, for example those for an external service in a multi-cloud environment. The benefits of using Key Protect as such a vault are that access privileges can be managed with fine granularity using IBM Cloud IAM, and that every access is logged and tracked in Activity Tracker with LogDNA, so it can be easily audited.
Encode and upload credentials
The credentials to manage can be imported into Key Protect as so-called standard keys. They must be base64-encoded. Given some credentials as a JSON object, this is a straightforward process. I wrote the following bash script to demonstrate the steps:
#!/bin/bash
#
# Obtain the necessary credentials from the environment, encode them
# as base64 JSON and upload them as a new key to IBM Cloud Key Protect
#
# The following software is used:
# - base64
# - ibmcloud: IBM Cloud CLI with Key Protect (kp) plugin
KEYNAME_CREDS="CREDS_TEST_Henrik"
if [ -z "$KEY1_ID" ]; then
  echo "Credential input: KEY1_ID required"
  exit 1
fi
if [ -z "$KEY1_SECRET" ]; then
  echo "Credential input: KEY1_SECRET required"
  exit 1
fi
if [ -z "$KP_INST_ID" ]; then
  echo "Key Protect instance: KP_INST_ID required"
  exit 1
fi
echo "Encoding"
# Compose JSON object of credentials. The values are inserted verbatim,
# so they must not contain double quotes or backslashes.
creds='{ "KEY1_ID": "'"${KEY1_ID}"'", "KEY1_SECRET": "'"${KEY1_SECRET}"'" }'
# Base64 encoding as a single line (no line wrapping, no trailing newline)
encoded=$(printf '%s' "${creds}" | base64 -w 0)
echo "Uploading to Key Protect"
# Create a new standard key holding the base64-encoded credentials
newKey=$(ibmcloud kp create "$KEYNAME_CREDS" --standard-key --key-material "$encoded" -i "$KP_INST_ID" --output json)
# Output of the new key's JSON metadata. Use jq to parse and postprocess it.
echo "$newKey"
The script makes use of the IBM Cloud CLI with the plugin for Key Protect as well as the standard "base64" command. In this sample, some environment variables are read to fill the JSON structure and to identify the Key Protect instance.
Once executed, the script returns the metadata for the newly created key as JSON output. Its key ID can later be used to retrieve the credentials again (wait for an upcoming blog post :).
Sample output with key ID and CRN
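The same encode step, as an added example that is not part of the original post: a proper JSON encoder is used instead of string concatenation, so quotes, backslashes or non-ASCII characters in a secret cannot break the structure, and the decode direction is included to verify the key material round-trips. The function names are my own.

```python
import base64
import json

# Added example (not from the original post): build the key material for a
# Key Protect standard key the way the script does, but with a JSON encoder so
# that special characters in a secret are escaped correctly.
# Returns a single-line base64 string suitable for --key-material.
def encode_credentials(creds: dict) -> str:
    payload = json.dumps(creds, separators=(",", ":")).encode("utf-8")
    material = base64.b64encode(payload).decode("ascii")
    assert "\n" not in material  # no line wrapping, unlike plain base64 output
    return material

# Reverse step: turn key material back into the credentials dictionary.
# validate=True rejects material containing stray characters instead of
# silently discarding them.
def decode_credentials(material: str) -> dict:
    payload = base64.b64decode(material, validate=True)
    creds = json.loads(payload.decode("utf-8"))
    if not isinstance(creds, dict):
        raise ValueError("key material does not hold a JSON object")
    return creds

if __name__ == "__main__":
    # Constructed sample values; the real ones come from the environment.
    sample = {"KEY1_ID": "svc-user", "KEY1_SECRET": 'p@ss"w\\ord ü'}
    material = encode_credentials(sample)
    print(material)
    assert decode_credentials(material) == sample
```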
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.