Broker credential handling
This page is primarily for auditors who need to understand how the cloud.gov brokers, and related components, handle credentials so that they aren’t stored or transmitted in the clear. All calls between entities are made over HTTPS, unless otherwise specified. The cloud.gov brokers follow the Open Server Broker API standards, as specified in the Cloud Foundry Service Broker interface.
This is specific to the operation of the AWS Server Broker. Other brokers will document their handling with their source code, as follows:
Broker environment variables
There are important environment variables that should be overriden inside the manifest.yml
file
Note: All environment variables prefixed with
DB_
refer to attributes for the database the broker itself will use for internal uses.
DB_URL
: The hostname / IP address of the database.DB_PORT
: The port number to access the database.DB_NAME
: The database name.DB_USER
: Username to access the database.DB_PASS
: Password to access the database.DB_TYPE
: The type of database. Currently supported types:postgres
andsqlite3
.DB_SSLMODE
: The type of SSL Mode to use when connecting to the database. Supported modes:disabled
,require
andverify-ca
.AWS_ACCESS_KEY_ID
: The id credential (treat like a password) with access to make requests to the Amazon RDS .AWS_SECRET_ACCESS_KEY
: The secret key (treat like a password) credential to access Amazon RDS.AWS_DEFAULT_REGION
: Region you wish to provision services in.AUTH_USER
: The username used by cf to authenticate to the brokerAUTH_PASS
: The password used by cf to authenticate to the brokerENC_KEY
: This is an string that must be 16, 24, or 32 bytes long. It is an AES key that is used to encrypt the password.
Instantiation
The broker is deployed by Concourse CI onto CloudFoundry, using a manifest that is built by the cloud.gov secrets management system to specify the environment variables. When the app is deployed, Concourse registers the broker, specifying the AUTH_USER and AUTH_PASS.
The CF Cloud Controller stores the configuration for the app, including these environment variables, in an encrypted database table on the CCDB, as described in Cloud Foundry security concepts. The aws-broker
app does not write these to static storage since Cloud Foundry makes them available as environment variables.
Provision a new instance
When an authenticated, authorized CloudFoundry user runs cf create-service aws-rds _plan_name_ _service_name_
, the CloudFoundry platform uses the OSBAPI (open-service broker API) (https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md) to call the registered broker with a PUT
request, /v2/service_instances/:instance_id
where instance_id is a GUID. The request uses BASIC AUTH, e,g.:
curl -X PUT https://username:password@aws-broker..../v2/service_instances/:instance_id
The broker expects the AUTH_PASS
and AUTH_USER
as specified in the environment, which the Platform has provided (see above)
The response indicates if the provisioning request has been accepted.
Broker to AWS to provision an instance
The broker application calls the AWS API with the AWS Access Key and Secret Key, which were provided as environment variables at instantiation.
When the provisioning is complete, the broker takes the following actions:
- For RDS and Redis, it creates a username/password in the AWS service, and stores the credentials in the broker database
- For AWS Elasticsearch, it creates an IAM user with privileges to the new instance, then stores the credentials in the broker database
Storing credentials in the broker database
The broker uses a dedicated AWS RDS PostgreSQL database. The RDS instance data are encrypted at rest using AWS storage encryption. The communication between the broker and the database is over postgres StartTLS with TLS 1.2 enabled.
The broker is instantiated with encryption key, ENC_KEY
, and all credentials are written to the database encrypted with that key and a random salt, as in the setPassword
function of each _service_instance.go file, e.g.: https://github.com/cloud-gov/aws-broker/blob/20f70bb/services/redis/redisinstance.go#L50
Providing credentials to CloudFoundry applications
The CloudFoundry applications have access to the credentials only if the user binds
an app to a service instance, as specified at https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md#binding of the OSBAPI standard. The credentials are fetched from the service broker and are stored in the environment of the application container, and not written the static storage. If the application instance is re-instantiated, the platform fetches the credentials for the application container from the broker.