
I got some Node.js code in an IBM Cloud Function. I have enabled it as a web action and the function is called via webhook from Watson Assistant.

Is it safe to have my API keys and other passwords inside the IBM Cloud Function as readable text? Or how should I refer to the keys and passwords?

Here are two excerpts as examples:

// Excerpt completed so that it runs: the options object (uri, json,
// resolveWithFullResponse) is in the shape the `request-promise` client expects,
// so that module is assumed here.
const rp = require('request-promise');

function main(params) {
    if (params.actionJoke == 'joke') {
        const optionsDad = {
            method: "GET",
            uri: "https://dad-jokes.p.rapidapi.com/random/joke",
            json: true,
            "resolveWithFullResponse": true,

            "headers": {
                "x-rapidapi-host": "dad-jokes.p.rapidapi.com",
                "x-rapidapi-key": "myapiCODEgoesHERE", // API key as a literal in the source
                "useQueryString": true
            }
        };
        // Remainder of the action is not shown in the question; return the request promise.
        return rp(optionsDad);
    }
}

With this first example, I was able to use params.apiKey instead of the literal key. And I defined the Parameter in the left menu 'parameters'. But I don't know if this is better or worse in terms of security?

However, for my second example, this method doesn't work. Or at least I don't know how to do it semantically correctly.

let smtpConfig = {
    host: 'mail.myz.net',
    port: 122,
    secure: false, // use TLS via STARTTLS upgrade (true would mean implicit TLS on connect)
    auth: {
        user: 'mymail@xyz.com',
        pass: 'mypassword' // password as a literal in the source
    }
};
data_henrik
Warkus
  • Neither of those options is great; you should theoretically be able to check your code into a version control system without fear of leaking secrets. Also you should be able to change your secrets without touching the code. They should offer a way to set node _environment variables_ and then you can access them with `process.env.ENVIRONMENT_VARIABLE_NAME`. – Nick Jan 25 '21 at 02:29
  • @Nick thank you! Maybe someone who knows IBM cloud functions better can help me with some documentation or resources especially for this platform - I guess there needs to be a good method. Or do you know any link that could help me to set up version control for cloud fn? – Warkus Jan 25 '21 at 03:49

1 Answer

The way to work with secrets is to bind them to actions or packages. You can bind services to the functions or arbitrary credentials.

I recommend my blog on enhancing security by rotating service credentials which has a section on Cloud Functions using the __bx_creds environment object.

See this file from a tutorial for how the credentials are accessed in the action from the environment.

data_henrik
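The following is an added example, not code from the question, the answer or IBM's own tutorials. It rebuilds both configurations from the question (the RapidAPI request options and the SMTP config) without any literal secret in the source, taking the values from the places the thread names: action/package default parameters (the parameter names `apiKey`, `smtpUser`, `smtpPass`, `smtpHost`, `smtpPort` are assumed), the `__bx_creds` object that a bound service injects (the service name `dad-jokes` and its `apikey` field are assumed; check the actual name of your bound service), and `process.env` as the comment suggests for local runs. It also fails closed when a secret is missing and redacts the secrets before anything is logged or returned, since a web action's result body goes back to the caller.

```javascript
// Added example (not from the question or answer). Secrets are resolved in
// this order: bound default parameters -> bound service credentials under
// params.__bx_creds -> environment variables. All parameter/service names
// below are assumptions for illustration.

function requireSecret(name, value) {
    // Fail closed: a missing secret stops the action instead of silently
    // falling back to a literal default in the code.
    if (typeof value !== 'string' || value.length === 0) {
        throw new Error(`missing secret: ${name}`);
    }
    return value;
}

function resolveSecrets(params, env = {}) {
    // Assumed shape: params.__bx_creds['dad-jokes'].apikey for a bound service.
    const bound = (params.__bx_creds && params.__bx_creds['dad-jokes']) || {};
    return {
        rapidApiKey: requireSecret('rapidApiKey', params.apiKey || bound.apikey || env.RAPIDAPI_KEY),
        smtpUser: requireSecret('smtpUser', params.smtpUser || env.SMTP_USER),
        smtpPass: requireSecret('smtpPass', params.smtpPass || env.SMTP_PASS),
    };
}

function buildConfigs(params, env = {}) {
    const s = resolveSecrets(params, env);
    // Same request options as in the question, key supplied at runtime.
    const optionsDad = {
        method: 'GET',
        uri: 'https://dad-jokes.p.rapidapi.com/random/joke',
        json: true,
        resolveWithFullResponse: true,
        headers: {
            'x-rapidapi-host': 'dad-jokes.p.rapidapi.com',
            'x-rapidapi-key': s.rapidApiKey,
            useQueryString: true,
        },
    };
    // Same SMTP config as in the question; host/port may also come from parameters.
    const smtpConfig = {
        host: params.smtpHost || 'mail.myz.net',
        port: Number(params.smtpPort) || 122,
        secure: false, // STARTTLS upgrade rather than implicit TLS on connect
        auth: { user: s.smtpUser, pass: s.smtpPass },
    };
    return { optionsDad, smtpConfig };
}

function redact(configs) {
    // Copy with the secret fields masked, safe to log or return from the action.
    return {
        optionsDad: {
            ...configs.optionsDad,
            headers: { ...configs.optionsDad.headers, 'x-rapidapi-key': '***' },
        },
        smtpConfig: {
            ...configs.smtpConfig,
            auth: { user: configs.smtpConfig.auth.user, pass: '***' },
        },
    };
}

function main(params) {
    const configs = buildConfigs(params, process.env);
    // The real HTTP request and mail send would use `configs` here; only the
    // redacted view is logged or returned to the web action's caller.
    console.log(JSON.stringify(redact(configs)));
    return { ok: true, joke: params.actionJoke === 'joke' };
}

exports.main = main;
```

With this layout the key can be rotated by updating the bound parameter or the bound service (`ibmcloud fn action update ... --param` or a package binding) without touching or redeploying the code, and the source can be committed to version control, which is the property the comment above asks for.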