
Below is the Go code used from the client library to connect to Cloud Foundry.

package main

import (
    "log"

    cfclient "github.com/cloudfoundry-community/go-cfclient"
)

func main() {
    // Credentials are hardcoded here, which is exactly the problem described below.
    c := &cfclient.Config{
        ApiAddress: "https://x.y.z.cloud",
        Username:   "admin",
        Password:   "admin",
    }

    client, err := cfclient.NewClient(c)
    if err != nil {
        log.Fatalf("connecting to Cloud Foundry: %v", err)
    }
    _ = client
}

This source code becomes vulnerable because the password is readable and goes into source control.

Currently the app using the above code is running outside Cloud Foundry (PaaS).

AWS cloud (IaaS) introduced the concept called roles, which allows access without credentials.


What is the best practice to avoid a visible password in source code? Does CredHub credential configuration help the client library connect in a secure way?

overexchange
  • The business case of CredHub is exactly the problem you are facing in combination with PCF. You should definitely look into how to use/implement CredHub. – KeukenkastjeXYZ Apr 22 '19 at 19:20

1 Answer

That's sample code in a README file, not the source code of a service. You could replace the hardcoded password with code to read an environment variable or command-line argument.

Lenny T
  • The Cloud Foundry platform manager is not ready to share the password. For example, in another scenario, Jenkins talks to Cloud Foundry using a Jenkins credential ID – overexchange Apr 23 '19 at 00:02
  • Most people are going to share creds through a service instance, maybe a user provided service, or environment variables (service info is just VCAP_SERVICES). It's quick, easy, doesn't require creds to be in source control and is reasonably secure. CredHub offers some advanced capabilities for storing passwords, which keeps your creds out of Cloud Controller. You'll still end up getting your creds from environment variables, so it's still easy, and the only place your creds reside is in CredHub. Just keep in mind this adds a dependency on CredHub, so if that goes down your app won't start. – Daniel Mikusa Apr 23 '19 at 12:31
  • For those needing the utmost security, apps could pull creds directly from CredHub API. This would remove creds from environment variables, but comes with the added overhead of your app needing to understand how to talk with CredHub. What you end up doing, all depends on the security needs of your app. – Daniel Mikusa Apr 23 '19 at 12:35
  • @DanielMikusa Is this the API to talk to CredHub service? https://github.com/cloudfoundry-community/go-credhub – overexchange Apr 23 '19 at 15:17
  • The CredHub API is here -> https://credhub-api.cfapps.io/version/2.3/. You're referencing a golang library for consuming that API. – Daniel Mikusa Apr 24 '19 at 12:17
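The approach the answer and comments describe, as an added example that is not code from the question or from go-cfclient: read the credentials from a bound service in VCAP_SERVICES when running on the platform, and from environment variables when running outside it, so nothing secret is left in the source tree. The service name cf-api-creds, the environment variable names CF_API, CF_USERNAME and CF_PASSWORD, and the sample JSON are assumptions made for this example; the returned struct's fields map directly onto cfclient.Config's ApiAddress, Username and Password, and cfclient itself is not imported so the snippet runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// APICredentials maps 1:1 onto cfclient.Config's ApiAddress/Username/Password.
type APICredentials struct{ ApiAddress, Username, Password string }

// vcapService is the subset of a VCAP_SERVICES entry this example reads.
type vcapService struct {
	Name        string            `json:"name"`
	Credentials map[string]string `json:"credentials"`
}

// SampleVCAP is a constructed VCAP_SERVICES document of the shape the platform
// injects for a user-provided service (created with cf cups cf-api-creds -p '{...}').
const SampleVCAP = `{"user-provided":[{"name":"cf-api-creds","label":"user-provided","credentials":{"api":"https://api.example.test","username":"svc","password":"s3cr3t"}}]}`

// CredentialsFromVCAP returns the credentials of the bound service named
// serviceName, scanning every label (user-provided and broker-provided alike).
func CredentialsFromVCAP(vcapJSON, serviceName string) (APICredentials, error) {
	var services map[string][]vcapService
	if err := json.Unmarshal([]byte(vcapJSON), &services); err != nil {
		return APICredentials{}, fmt.Errorf("parse VCAP_SERVICES: %w", err)
	}
	for _, list := range services {
		for _, s := range list {
			if s.Name == serviceName {
				return APICredentials{s.Credentials["api"], s.Credentials["username"], s.Credentials["password"]}, nil
			}
		}
	}
	return APICredentials{}, fmt.Errorf("no service %q in VCAP_SERVICES", serviceName)
}

// LoadCredentials prefers a bound service; outside the platform it falls back to
// CF_API/CF_USERNAME/CF_PASSWORD environment variables, never to source literals.
// Pass os.Getenv in production; tests can pass a map lookup instead.
func LoadCredentials(getenv func(string) string, serviceName string) (APICredentials, error) {
	c, err := APICredentials{}, error(nil)
	if v := getenv("VCAP_SERVICES"); v != "" {
		c, err = CredentialsFromVCAP(v, serviceName)
	} else {
		c = APICredentials{getenv("CF_API"), getenv("CF_USERNAME"), getenv("CF_PASSWORD")}
	}
	if err == nil && (c.ApiAddress == "" || c.Username == "" || c.Password == "") {
		err = fmt.Errorf("incomplete credentials: need api address, username and password")
	}
	return c, err
}
```

Whichever source is used, the value that reaches the client is only ever in the process environment or the platform's service binding, and an incomplete binding fails at startup rather than producing a client with empty credentials.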