Protect credentials in Key Protect
Manage credentials in Key Protect
IBM Cloud Key Protect directly integrates with several cloud services. It is used, for example, to bring your own keys (BYOK) for data encryption. Moreover, Key Protect can store so-called standard keys, which are basically any base64-encoded string. This comes in handy when there is a need to keep credentials in a vault, for example for an external service in a multi-cloud environment. The benefits of using Key Protect as such a vault are that privileges to access it can be managed with fine granularity and the power of IBM Cloud IAM. Any access is logged and tracked in Activity Tracker with LogDNA. Thus, it can be easily audited.
Encode and upload credentials
The credentials to manage can be imported into Key Protect as so-called standard keys. They must be base64-encoded. Given some credentials as a JSON object, it is a straightforward process. I wrote the following bash script to demonstrate the steps:

The script makes use of the IBM Cloud CLI with the plugin for Key Protect as well as the standard "base64" command. In this sample, some environment variables are read to fill the JSON structure and to identify the Key Protect instance.
Once executed, the script returns as JSON output the metadata for the newly created key. Its key ID can be used to later retrieve the credentials again (wait for an upcoming blog post :).
Sample output with key ID and CRN
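As an added example (not the script from the post), the following POSIX shell script walks through the same steps: it assembles the credential JSON from environment variables, base64-encodes it, checks that the material decodes back to the original, and imports it as a standard key with `ibmcloud kp key create`. The variable names `KP_INSTANCE_ID`, `KP_KEY_NAME` and `SVC_*` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the post's original script: build a JSON credential
# object, base64-encode it, verify the round trip, then import it into
# Key Protect as a standard key via the IBM Cloud CLI Key Protect plugin.
# Assumed variables: KP_INSTANCE_ID, KP_KEY_NAME, SVC_ENDPOINT, SVC_USER, SVC_PASSWORD.
set -eu

# Escape backslashes (first) and double quotes so a password containing
# either still produces valid JSON.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Assemble the credential document: endpoint, user, password.
credentials_json() {
  printf '{"endpoint":"%s","user":"%s","password":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# Standard-key material must be a single base64 line; `base64 | tr -d '\n'`
# is portable where GNU-only `base64 -w0` is not.
encode_material() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode the material and compare with the plaintext before anything leaves
# the machine; a mismatch here means the vault would store garbage.
verify_roundtrip() {
  [ "$(printf '%s' "$1" | base64 -d)" = "$2" ]
}

# --standard-key stores the material as a secret instead of a root key;
# JSON output returns the metadata (key ID, CRN) needed to fetch it later.
upload_standard_key() {
  ibmcloud kp key create "$KP_KEY_NAME" --instance-id "$KP_INSTANCE_ID" \
    --standard-key --key-material "$1" --output json
}

main() {
  json=$(credentials_json "$SVC_ENDPOINT" "$SVC_USER" "$SVC_PASSWORD")
  material=$(encode_material "$json")
  verify_roundtrip "$material" "$json"
  upload_standard_key "$material"
}

# Only upload when an instance is configured; otherwise the functions above
# can be sourced and exercised locally without touching Key Protect.
if [ -n "${KP_INSTANCE_ID:-}" ]; then main; fi
```

Run it after `ibmcloud login` and `ibmcloud plugin install key-protect` with the five variables exported; the JSON it prints contains the key ID used to retrieve the credentials later.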
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.