Reputation: 75
I created a user-provided service using the command below in bamboo.yml:
cf cups my-service -p '{"url":"https://some-url.com","username":"admin","password":"admin"}'
As these credentials are visible in the environment variables of the application and may leak somewhere, I changed the above command to use credhub as shown below:
cf create-service credhub default my-service -c '{"url":"some-url.com","username":"admin","password":"admin"}'
Here I used credhub, but this command is also placed in the bamboo.yml file, so the credentials are still open to app developers. What can be done differently to secure these credentials and not put them directly in bamboo.yml?
Upvotes: 0
Views: 1097
Reputation: 606
There are a few options:
You can put whatever you want into the properties that you set on a UPS, i.e. a user-provided service. It could be plain text or encrypted text. If you put encrypted text, your application will need to understand how to decrypt the text so that it can be used. The platform just passes through the properties that you set on the user-provided service.
You can use either Spring Vault or an external Vault instance with the HashiCorp service broker https://github.com/hashicorp/cf-vault-service-broker to retrieve/store credentials within your application in a secure way.
Another option could be to store the configuration in a cloud config like Spring Cloud Config, but Vault is still recommended for credentials. You can then run it as a server and provide the configuration to your running applications. It might be overhead for a small project, though.
Upvotes: 0
Reputation: 1145
Think about how you would do it without bamboo.yaml. Maybe you should put the credentials in a secret variable (if the variable has "secret" or "password" as part of its name, Bamboo will encrypt it) and then reference it in your command.
Upvotes: 1
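One way to apply the secret-variable suggestion above, as an added example that is not part of the original posts: the script builds the service parameters from environment variables and passes them to `cf` as a file, so no credential appears in bamboo.yml or on the command line. The variable names `SVC_URL`, `SVC_USERNAME` and `SVC_PASSWORD` and the function names are assumptions; the values are assumed to be injected into the build environment from the CI server's secret variables.

```shell
#!/bin/sh
# Added example. SVC_URL, SVC_USERNAME and SVC_PASSWORD are assumed names for
# values supplied by the CI server's secret variables, never written in bamboo.yml.

# Escape backslashes and double quotes so a value cannot break out of its
# JSON string (values are assumed to contain no control characters).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the credentials JSON from the environment; fail if a value is missing.
build_payload() {
  for name in SVC_URL SVC_USERNAME SVC_PASSWORD; do
    eval "value=\${$name:-}"   # names come from the fixed list above
    if [ -z "$value" ]; then
      echo "missing required variable: $name" >&2
      return 1
    fi
  done
  printf '{"url":"%s","username":"%s","password":"%s"}' \
    "$(json_escape "$SVC_URL")" \
    "$(json_escape "$SVC_USERNAME")" \
    "$(json_escape "$SVC_PASSWORD")"
}

# Write the payload to a private temp file and give cf the file path, keeping
# the secret out of the process list, shell traces and the build log.
create_service() {
  rc=0
  tmp=$(mktemp) || return 1
  chmod 600 "$tmp"
  if build_payload > "$tmp"; then
    cf create-service credhub default my-service -c "$tmp" || rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Only talk to Cloud Foundry when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  create_service
fi
```

Run it from the build task with `--apply`; bamboo.yml then contains only the script invocation.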