Skip to main content
U.S. flag

An official website of the United States government

Broker credential handling

This page is primarily for auditors who need to understand how the cloud.gov brokers, and related components, handle credentials so that they aren’t stored or transmitted in the clear. All calls between entities are made over HTTPS, unless otherwise specified. The cloud.gov brokers follow the Open Server Broker API standards, as specified in the Cloud Foundry Service Broker interface.

This is specific to the operation of the AWS Server Broker. Other brokers will document their handling with their source code, as follows:

Service NameBroker source code
aws-rds https://github.com/cloud-gov/aws-broker
cdn-route https://github.com/cloud-gov/cf-cdn-service-broker
external-domain-service https://github.com/cloud-gov/external-domain-broker
cloud-gov-identity-provider https://github.com/cloudfoundry-community/uaa-credentials-broker
cloud-gov-service-account https://github.com/cloudfoundry-community/uaa-credentials-broker
custom-domains https://github.com/cloud-gov/cf-domain-broker-alb
elasticsearch56 https://github.com/cloud-gov/kubernetes-broker
redis https://github.com/cloud-gov/kubernetes-broker
s3 https://github.com/cloudfoundry-community/s3-broker

Broker environment variables

There are important environment variables that should be overriden inside the manifest.yml file

Note: All environment variables prefixed with DB_ refer to attributes for the database the broker itself will use for internal uses.

  1. DB_URL: The hostname / IP address of the database.
  2. DB_PORT: The port number to access the database.
  3. DB_NAME: The database name.
  4. DB_USER: Username to access the database.
  5. DB_PASS: Password to access the database.
  6. DB_TYPE: The type of database. Currently supported types: postgres and sqlite3.
  7. DB_SSLMODE: The type of SSL Mode to use when connecting to the database. Supported modes: disabled, require and verify-ca.
  8. AWS_ACCESS_KEY_ID: The id credential (treat like a password) with access to make requests to the Amazon RDS .
  9. AWS_SECRET_ACCESS_KEY: The secret key (treat like a password) credential to access Amazon RDS.
  10. AWS_DEFAULT_REGION: Region you wish to provision services in.
  11. AUTH_USER: The username used by cf to authenticate to the broker
  12. AUTH_PASS: The password used by cf to authenticate to the broker
  13. ENC_KEY: This is an string that must be 16, 24, or 32 bytes long. It is an AES key that is used to encrypt the password.

Instantiation

The broker is deployed by Concourse CI onto CloudFoundry, using a manifest that is built by the cloud.gov secrets management system to specify the environment variables. When the app is deployed, Concourse registers the broker, specifying the AUTH_USER and AUTH_PASS.

The CF Cloud Controller stores the configuration for the app, including these environment variables, in an encrypted database table on the CCDB, as described in Cloud Foundry security concepts. The aws-broker app does not write these to static storage since Cloud Foundry makes them available as environment variables.

Provision a new instance

When an authenticated, authorized CloudFoundry user runs cf create-service aws-rds _plan_name_ _service_name_, the CloudFoundry platform uses the OSBAPI (open-service broker API) (https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md) to call the registered broker with a PUT request, /v2/service_instances/:instance_id where instance_id is a GUID. The request uses BASIC AUTH, e,g.:

curl -X PUT https://username:password@aws-broker..../v2/service_instances/:instance_id

The broker expects the AUTH_PASSand AUTH_USER as specified in the environment, which the Platform has provided (see above)

The response indicates if the provisioning request has been accepted.

Broker to AWS to provision an instance

The broker application calls the AWS API with the AWS Access Key and Secret Key, which were provided as environment variables at instantiation.

When the provisioning is complete, the broker takes the following actions:

  • For RDS and Redis, it creates a username/password in the AWS service, and stores the credentials in the broker database
  • For AWS Elasticsearch, it creates an IAM user with privileges to the new instance, then stores the credentials in the broker database

Storing credentials in the broker database

The broker uses a dedicated AWS RDS PostgreSQL database. The RDS instance data are encrypted at rest using AWS storage encryption. The communication between the broker and the database is over postgres StartTLS with TLS 1.2 enabled.

The broker is instantiated with encryption key, ENC_KEY, and all credentials are written to the database encrypted with that key and a random salt, as in the setPassword function of each _service_instance.go file, e.g.: https://github.com/cloud-gov/aws-broker/blob/20f70bb/services/redis/redisinstance.go#L50

Providing credentials to CloudFoundry applications

The CloudFoundry applications have access to the credentials only if the user binds an app to a service instance, as specified at https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md#binding of the OSBAPI standard. The credentials are fetched from the service broker and are stored in the environment of the application container, and not written the static storage. If the application instance is re-instantiated, the platform fetches the credentials for the application container from the broker.