Wednesday, April 8, 2020

Key Protect as vault for multi-cloud setup

Guard credentials in a vault
In my previous blog post, I showed how you can easily encode and upload credentials to IBM Cloud Key Protect. Today, I am going to share sample code with you for retrieving the credentials and turning them back into a JSON object. A common use case is a multi-cloud environment where you need to store credentials for an external service. Basically, you are using Key Protect as vault. An example could be the key ID and secret to access the AWS S3 storage for importing data into IBM Cloud.

Key Protect as vault

There are many benefits to storing credentials in Key Protect. All access is logged and privilege management can be for users, services, roles and by access groups and policies. Therefore, it is possible to grant read privileges really on a need-to-know basis only. Key Protect serves as vault.

In the code sample below, a Cloud Function action retrieves the stored key, decodes the base64-encoded string and turns it back into a JSON object. Actions operate in an IAM namespace linked to a service ID. Only that specific service ID needs read privilege to the Key Protect instance. It can be granted through an access group or directly.

The Cloud Function can be used in a sequence, passing on the credentials to the next action to, e.g., call an external API or webhook, access storage or a database in another cloud environment. Of course you can use similar code in a (containerized) app on Cloud Foundry, Kubernetes or OpenShift.


You can use Key Protect as vault by importing credentials as standard key. Then grant users or service IDs (read) privileges on a need-to-know basis by making use of the IBM Cloud IAM capabilities. If you want to read more, look here:

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.