Broker credential handling
This page is primarily for auditors who need to understand how the cloud.gov brokers, and related components, handle credentials so that they aren’t stored or transmitted in the clear. All calls between entities are made over HTTPS, unless otherwise specified. The cloud.gov brokers follow the Open Server Broker API standards, as specified in the Cloud Foundry Service Broker interface.
This is specific to the operation of the AWS Server Broker. Other brokers will document their handling with their source code, as follows:
Broker environment variables
There are important environment variables that should be overriden inside the
Note: All environment variables prefixed with
DB_refer to attributes for the database the broker itself will use for internal uses.
DB_URL: The hostname / IP address of the database.
DB_PORT: The port number to access the database.
DB_NAME: The database name.
DB_USER: Username to access the database.
DB_PASS: Password to access the database.
DB_TYPE: The type of database. Currently supported types:
DB_SSLMODE: The type of SSL Mode to use when connecting to the database. Supported modes:
AWS_ACCESS_KEY_ID: The id credential (treat like a password) with access to make requests to the Amazon RDS .
AWS_SECRET_ACCESS_KEY: The secret key (treat like a password) credential to access Amazon RDS.
AWS_DEFAULT_REGION: Region you wish to provision services in.
AUTH_USER: The username used by cf to authenticate to the broker
AUTH_PASS: The password used by cf to authenticate to the broker
ENC_KEY: This is an string that must be 16, 24, or 32 bytes long. It is an AES key that is used to encrypt the password.
The broker is deployed by Concourse CI onto CloudFoundry, using a manifest that is built by the cloud.gov secrets management system to specify the environment variables. When the app is deployed, Concourse registers the broker, specifying the AUTH_USER and AUTH_PASS.
The CF Cloud Controller stores the configuration for the app, including these environment variables, in an encrypted database table on the CCDB, as described in Cloud Foundry security concepts. The
aws-broker app does not write these to static storage since Cloud Foundry makes them available as environment variables.
Provision a new instance
When an authenticated, authorized CloudFoundry user runs
cf create-service aws-rds _plan_name_ _service_name_, the CloudFoundry platform uses the OSBAPI (open-service broker API) (https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md) to call the registered broker with a
/v2/service_instances/:instance_id where instance_id is a GUID. The request uses BASIC AUTH, e,g.:
curl -X PUT https://username:password@aws-broker..../v2/service_instances/:instance_id
The broker expects the
AUTH_USER as specified in the environment, which the Platform has provided (see above)
The response indicates if the provisioning request has been accepted.
Broker to AWS to provision an instance
The broker application calls the AWS API with the AWS Access Key and Secret Key, which were provided as environment variables at instantiation.
When the provisioning is complete, the broker takes the following actions:
- For RDS and Redis, it creates a username/password in the AWS service, and stores the credentials in the broker database
- For AWS Elasticsearch, it creates an IAM user with privileges to the new instance, then stores the credentials in the broker database
Storing credentials in the broker database
The broker uses a dedicated AWS RDS PostgreSQL database. The RDS instance data are encrypted at rest using AWS storage encryption. The communication between the broker and the database is over postgres StartTLS with TLS 1.2 enabled.
The broker is instantiated with encryption key,
ENC_KEY, and all credentials are written to the database encrypted with that key and a random salt, as in the
setPassword function of each _service_instance.go file, e.g.: https://github.com/cloud-gov/aws-broker/blob/20f70bb/services/redis/redisinstance.go#L50
Providing credentials to CloudFoundry applications
The CloudFoundry applications have access to the credentials only if the user
binds an app to a service instance, as specified at https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md#binding of the OSBAPI standard. The credentials are fetched from the service broker and are stored in the environment of the application container, and not written the static storage. If the application instance is re-instantiated, the platform fetches the credentials for the application container from the broker.