Guard credentials in a vault
Key Protect as vault
There are many benefits to storing credentials in Key Protect. All access is logged, and privileges can be managed per user and service, by role, and through access groups and policies. It is therefore possible to grant read privileges strictly on a need-to-know basis. Key Protect serves as the vault. In the code sample below, a Cloud Function action retrieves the stored key, decodes the base64-encoded string and turns it back into a JSON object. Actions operate in an IAM namespace linked to a service ID. Only that specific service ID needs read privilege on the Key Protect instance; it can be granted through an access group or directly.
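Here is an added example in Python (my illustration, not the code sample from the original post) of such an action: it exchanges the service ID's API key for an IAM token, reads the standard key from the regional Key Protect endpoint and decodes the base64 payload back into a JSON credentials object. The region, instance ID, key ID and API key are assumed to arrive as action parameters, and the sample response at the end is constructed so the decoding step can be tried offline.

```python
import base64
import json
import urllib.parse
import urllib.request


def decode_key_payload(get_key_response: dict) -> dict:
    """Parse the base64 'payload' of the first key in a Key Protect 'get key' response."""
    resources = get_key_response.get("resources") or []
    if not resources or "payload" not in resources[0]:
        # Root keys have no retrievable payload; only standard keys carry one.
        raise ValueError("response carries no key payload")
    raw = base64.b64decode(resources[0]["payload"], validate=True)
    return json.loads(raw.decode("utf-8"))

def iam_token(api_key: str) -> str:
    """Exchange the service ID's API key for an IAM bearer token."""
    body = urllib.parse.urlencode({"grant_type": "urn:ibm:params:oauth:grant-type:apikey",
                                   "apikey": api_key}).encode()
    req = urllib.request.Request("https://iam.cloud.ibm.com/identity/token", data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def fetch_credentials(region: str, instance_id: str, key_id: str, api_key: str) -> dict:
    """GET the standard key from the regional Key Protect endpoint and decode it."""
    req = urllib.request.Request(
        f"https://{region}.kms.cloud.ibm.com/api/v2/keys/{key_id}",
        headers={"Authorization": f"Bearer {iam_token(api_key)}",
                 "Bluemix-Instance": instance_id,  # scopes the call to one Key Protect instance
                 "Accept": "application/vnd.ibm.kms.key+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return decode_key_payload(json.load(resp))

def main(params: dict) -> dict:
    """Cloud Functions entry point. Assumed action parameters: region, instance_id,
    key_id, api_key. Hands the credentials to the next action; never log the result."""
    creds = fetch_credentials(params["region"], params["instance_id"],
                              params["key_id"], params["api_key"])
    return {"credentials": creds}

# Constructed sample of a 'get key' response, so decoding can be tried offline.
SAMPLE_CREDS = {"username": "app", "password": "s3cr3t-example", "host": "db.example.com"}
SAMPLE_RESPONSE = {
    "metadata": {"collectionType": "application/vnd.ibm.kms.key+json", "collectionTotal": 1},
    "resources": [{"id": "00000000-0000-0000-0000-000000000000", "name": "db-credentials",
                   "payload": base64.b64encode(json.dumps(SAMPLE_CREDS).encode()).decode()}],
}
```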
The Cloud Function can be used in a sequence, passing on the credentials to the next action to, e.g., call an external API or webhook, access storage or a database in another cloud environment. Of course you can use similar code in a (containerized) app on Cloud Foundry, Kubernetes or OpenShift.
Conclusions
You can use Key Protect as a vault by importing credentials as a standard key. Then grant users or service IDs (read) privileges on a need-to-know basis by making use of the IBM Cloud IAM capabilities. If you want to read more, look here:
- IBM Cloud SQL Query service uses Key Protect as a vault. The team blogged about secure credential brokering in analytic jobs on cloud data sources. Details are also in the SQL Query documentation about setting up custom secrets in Key Protect.
- You can use the even more secure Hyper Protect Crypto service in a similar way as described in this blog.
- You can find my older security blog posts using the security label.
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.