Blast from the past: Procfile for Python cloud apps

One of my first cloud apps

Recently, I tried out a feature of IBM Cloud Code Engine: Deploying my app directly from source code. It was a simple app, but it failed. I was stunned and investigated the problem. To my surprise, I could have known it because it was something from the past: A Procfile was needed.

From Bluemix to IBM Cloud, from Cloud Foundry to Code Engine

"Bring Your Own Community"

About seven years ago, I started to work with, then blog about Bluemix and Cloud Foundry. Not my first, but one of the first posts is titled "Some fun with Bluemix, Cloud Foundry, Python, JSON and the Weather". Reading that article again I feel nostalgic and it brings back memories of how I learned to deploy my apps to Cloud Foundry. And how I had fun with new cloud technologies.

Key Protect as vault for multi-cloud setup

Guard credentials in a vault

In my previous blog post, I showed how you can easily encode and upload credentials to IBM Cloud Key Protect. Today, I am going to share sample code with you for retrieving the credentials and turning them back into a JSON object. A common use case is a multi-cloud environment where you need to store credentials for an external service. Basically, you are using Key Protect as vault. An example could be the key ID and secret to access the AWS S3 storage for importing data into IBM Cloud.

Encode credentials and upload to Key Protect

Protect credentials in Key Protect

If you followed my blog or have used IBM Cloud, then you know that Key Protect (and Hyper Protect Crypto Services) is the solution to manage encryption keys on IBM Cloud. Did you know that you can import your own keys? And did you know that "key" can be (almost) anything? Today, I am going to show you how to manage a set of JSON-based credentials with Key Protect.

Use an API KEY or ACCESS TOKEN to connect to Db2 on IBM Cloud

In the past, I have blogged about how to access a Db2 database on IBM Cloud from your local machine. I cataloged the cloud host and its database. Then, connected to it using the command line processor (CLP) by passing a username and password. Last year, I was delighted to read that Db2 on Cloud and Db2 Warehouse on Cloud now support authentication by either IBMid, API key, or access token. It is called IAM (Identity and Access Management) support. Finally, I had some time to actually use it. Here is what steps I needed to connect from my local machine to Db2 on IBM Cloud using either API key or token.

Updated: Cloud App Security - an introduction

IBM Cloud offers security services

Two years back, I had created two blog articles providing an introduction to cloud app security with an overview of topics, then discussing details on how to implement those security requirements with (then) Bluemix services. Recently, I had some time to update look into cloud app security again, adapt my previous write-up to the current state of (now) IBM Cloud. You can read it on the IBM Cloud blog as "Cloud App Security: What Makes a Secure App?".

Happy reading! If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

Track API key usage by combining IBM Cloud IAM and LogDNA search

Which key is still in use...?

Recently, I blogged about tracking account activity from the command line. I showed you how to search IBM Cloud Activity Tracker with LogDNA records using a Python script. Today, I discuss how to combine the IAM Identity Services API with the LogDNA search to track usage of API keys. The goal is to find out whether API keys for a user or service ID were recently used. If they were not used for long, they might be up for deletion.

Offboarding on IBM Cloud: Considerations when removing a user

Only authorized persons have access

Over my past blog posts I have looked into how to rotate credentials in different compute environments. I looked at Cloud Foundry on IBM Cloud, Cloud Functions and Kubernetes. The background is that I wanted to understand what it takes to maintain security during the regular DevSecOps cycles and when someone in the team leaves. The latter often is called offboarding.

Get some REST with Db2

Db2 has a REST API

Many of the IBM Cloud services have a REST API, an overview of REST APIs is here in the IBM Cloud docs. Recently, I realized that I had not yet tried the Db2 on Cloud API and the API for Db2 Warehouse on Cloud. Thus, last Friday I took some time to test out some code using one of my Db2 instances on IBM Cloud. Here is what you need to get started....

Track it from the command line: Search audit events in LogDNA using Python

Take a look at security logs

Earlier this year, IBM and LogDNA announced an integrated offering Activity Tracker with LogDNA. It allows to manage and search activity events in LogDNA instances on IBM Cloud. There are IAM, account management and all kinds of service instance events that can be tracked. Viewing the events is typically done in the LogDNA UI. I, however, want to perform searches on the command line and integrate it with Cloud Functions. In this article, I discuss the small tool that I wrote the search the activity logs and export them.

Use a Delivery Pipeline to rotate credentials

Job in Delivery Pipeline to rotate keys

In my recent posts I touched on updating credentials for solutions deployed on IBM Cloud Functions or using Cloud Foundry on IBM Cloud. Today, I am showing you how to rotate API keys and passwords for a containerized solution on IBM Kubernetes Service that makes use of a delivery pipeline (devops). I am going to use the app discussed in the tutorial on how to apply end to end security to a cloud application.

Rotate service credentials for Cloud Foundry apps on IBM Cloud

Keep your cloud environment secure

A popular PaaS (Platform as a service) technology is Cloud Foundry. On IBM Cloud, it is available both as public Cloud Foundry instances in multiple regions as well as Cloud Foundry Enterprise Environment (CFEE). Using Cloud Foundry for app development and production has many benefits. Personally, I like the ease of use and how services can be integrated with apps. When you search for my older Bluemix-related blog entries, you will notice that I had (and still have) fun using Cloud Foundry, including my attempts to catch a chocolate thief or testing the hybrid world early on. Similar to my recent blog on rotating credentials when working with IBM Cloud Functions, today, I want to discuss how to bind services and rotate their credentials in a Cloud Foundry environment.

Rotating service credentials for IBM Cloud Functions

Keep your service keys secret

If you have followed some of my work, you know that I use IBM Cloud Functions, i.e., a serverless approach, for many projects. The tutorials with a database-driven (Db2-backed) Slackbot and the GitHub traffic analytics are such examples. In this blog post, I want to detail some of the security-related aspects. This includes how to share service credentials (think of a database username and password) with a cloud function and how to rotate the credentials.

IBM Cloud: The 5 minute barebone news chatbot

News chatbot with Watson Assistant

Do you have 5 minutes and want to build a really simple news chatbot? I tried this yesterday with IBM Cloud and the Watson Assistant and Discovery services. The result is on GitHub in my repository watson-chatbot-discovery-news. It utilizes my Watson Conversation Tool as user interface and for testing. Here are the details.

IBM Watson Assistant: Chatbot tool now supports testing client actions

Test your chatbot

Are you (already) using the Watson Conversation Tool I wrote? There is good news because I added support for testing client side actions. As you might know, IBM Watson Assistant features both client and server side actions to enhance responses with data from external services. In a blog post from this Summer, I wrote that I added support for testing server side actions. They are implemented using IBM Cloud Functions. Client actions are, well, executed on the application side. Read on to learn how to test them.

BYOK to encrypt Kubernetes secrets on IBM Cloud

Add Key Protect

Few days ago, it was announced that IBM Cloud Key Protect integrates with the Kubernetes Service. It means that cluster secrets such as service credentials, TLS certificate information and other confidential information can be encrypted using a managed root key. That root key is either generated or can be imported (bring your own key, BYOK). What needs to be done to wrap this additional layer of security around your cluster? Read on.

Tutorial on how to apply end to end security to a cloud application

Before you head out to the weekend I wanted to point you to a new cloud security tutorial. If you read this at the beginning of your week: What a great start... ;-)

Did you ever wonder how different security services work together to secure a cloud application? In the new tutorial we use

• IBM Cloud Activity Tracker to log all security-related events. This includes logging in to the account, provisioning or deleting services, working with encryption keys and more.
• IBM Cloud Key Protect to manage encryption keys. For the tutorial, we generate a root key for envelope encryption of stored files. You could also import your own root key (bring your own key, BYOK). We use the root key to create encrypted buckets in the IBM Cloud Object Storage service.
• IBM Cloud Object Storage (COS) service to produce expiring links to individual files. The links can be shared with others and expire after the set amount of time, so that the file cannot be accessed thereafter.
• IBM Cloud App ID as a wrapper around (enterprise and social) Identity Providers to manage authentication and authorization through a single interface. The App ID service can be directly integrated with Kubernetes Ingress.
• IBM Cloud Container Registry as a private image registry from which we deploy the application as container into a Kubernetes cluster (IBM Cloud Kubernetes Service). The container registry includes a Vulnerability Advisors that scans for and assesses container vulnerability and then recommends fixes.

Best of all, the code for the security tutorial is shared on GitHub in this repository. If you are in a hurry, it even allows you to deploy the full Node.js in Docker application and its services with the press of a button via toolchain.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

Extended: Manage and interact with Watson Assistant from the command line

Remember my blog posts about how to manage Watson Assistant from the command line and how to test context for a conversation? Well, that tool did not work well for server actions which I used in this tutorial on building database-driven Slackbot. The good news is that I found time to extend my command line Watson Conversation Tool to support credentials for IBM Cloud Functions.

With the recent update to the tool there are two new features:

1. Use the option "-outputonly" with the "-dialog" option to only print the output text, not the entire JSON response object. I introduced it to be able to demo dialog flows from the command line. Not everybody needs all the metadata for every dialog turn. Here is how it looks like when in action:



Chatbot dialog on the command line

2. In order to test dialog server actions, I need to provide the credentials for IBM Cloud Functions (ICF) in a private context variable. I recently blogged about how to enable the Watson botkit middleware for those server actions. For my tool, just provide the ICF key token as part of the configuration file. A sample is part of the GitHub repository.

For feature requests, defects or suggestions, open an issue or a pull request against the repository. If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

Learn about chatbots at upcoming IBM Cloud Meetup

Learn how to chat at the Meetup

Want to quickly and easily build a chatbot, integrate it with Slack, Facebook Messenger or other platforms? Connect the bot with a database? Join me at the IBM Cloud Developers in Stuttgart Meetup on July 17th for an introduction, hands-on session and discussion. And there are drinks, too (I have been promised).

If you followed my blog and the chatbot-related posts, you probably already know what to expect. First, I am going to introduce you to chat / conversation services and the standard terms. Then, we jointly will take a look at the IBM Cloud solution tutorials and the chatbot-related resources. I plan to finish with a demo showing how to build a chatbot from scratch in few minutes and to integrate it into Slack. If you are close to Stuttgart, join me on July 17th for the chatbot session.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

Enable Botkit Middleware for Watson Assistant for serverless actions

Slack chatbot with Watson Assistant

Last week I blogged about using Botkit Middleware to create a Watson-powered database interface. I pointed to a tutorial demonstrating a Slack chatbot for a SQL database (Db2). I described that it is relatively simple to replace the Conversation connector with Botkit Middleware. Today, I want to point you to some code I wrote to enable the server-side (serverless) actions in Watson Assistant.