Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
396 views
in Technique[技术] by (71.8m points)

security - IBM Cloud Functions - Securing API keys & Passwords inside Functions / node.js

I got some Node.js code in an IBM Cloud Function. I have enabled it as a web action and the function is called via webhook from Watson Assistant.

Is it safe to have my API keys and other passwords inside the IBM Cloud Function as readable text? Or how should I refer to the Keys and passwords?

Here are two excerpts as examples:

function main(params) {
    if (params.actionJoke == 'joke') {
        const optionsDad = {
            method: "GET",
            uri: "https://dad-jokes.p.rapidapi.com/random/joke",
            json: true,
            "resolveWithFullResponse": true,
            "headers": {
                "x-rapidapi-host": "dad-jokes.p.rapidapi.com",
                "x-rapidapi-key": "myapiCODEgoesHERE", // API key hardcoded as readable text
                "useQueryString": true
            }
        };
        // ... (the excerpt ends here in the original post)
    }
}

With this first example, I was able to use params.apiKey instead of the literal key. And I defined the Parameter in the left menu 'parameters'. But I don't know if this is better or worse in terms of security?

However, for my second example, this method doesn't work. Or at least I don't know how to do it semantically correctly.

let smtpConfig = {
    host: 'mail.myz.net',
    port: 122,
    secure: false, // use TLS
    auth: {
        user: '[email protected]',
        pass: 'mypassword' // password hardcoded as readable text
    }
};

question from: https://stackoverflow.com/questions/65878187/ibm-cloud-functions-securing-api-keys-passwords-inside-functions-node-js


1 Reply

0 votes
by (71.8m points)

The way to work with secrets is to bind them to actions or packages. You can bind services to the functions or arbitrary credentials.

I recommend my blog on enhancing security by rotating service credentials, which has a section on Cloud Functions using the __bx_creds environment object.

See this file from a tutorial for how the credentials are accessed in the action from the environment.
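
As an added example (not code from the original post or from the answerer's tutorial), this is how both excerpts from the question could read their secrets from bound parameters or from `__bx_creds` instead of literals, failing closed when a binding is missing and redacting secrets before logging. `apiKey` is the name the asker used; `smtpUser`, `smtpPass` and the service key `my-smtp-service` are assumptions.

```javascript
// Added example. smtpUser, smtpPass and 'my-smtp-service' are hypothetical names;
// apiKey and __bx_creds are the names used on this page.
const SECRET_KEYS = ['apiKey', 'smtpUser', 'smtpPass', '__bx_creds'];

// Fail closed: a missing binding raises an error that names the key, never a value.
function requireParam(source, name) {
  const value = source[name];
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`missing bound parameter: ${name}`);
  }
  return value;
}

// First excerpt: the RapidAPI key comes from a bound parameter, not a literal.
function buildJokeRequest(params) {
  return {
    method: 'GET',
    uri: 'https://dad-jokes.p.rapidapi.com/random/joke',
    json: true, resolveWithFullResponse: true,
    headers: {
      'x-rapidapi-host': 'dad-jokes.p.rapidapi.com',
      'x-rapidapi-key': requireParam(params, 'apiKey'),
      useQueryString: true
    }
  };
}

// Second excerpt: SMTP credentials from a service binding if present, else parameters.
function buildSmtpConfig(params) {
  const bound = (params.__bx_creds || {})['my-smtp-service'];
  const user = bound ? requireParam(bound, 'user') : requireParam(params, 'smtpUser');
  const pass = bound ? requireParam(bound, 'pass') : requireParam(params, 'smtpPass');
  return { host: 'mail.myz.net', port: 122, secure: false, auth: { user, pass } };
}

// Copy of params that is safe to log: secret-bearing keys are masked.
function redact(params) {
  const copy = { ...params };
  for (const key of SECRET_KEYS) if (key in copy) copy[key] = '[redacted]';
  return copy;
}

function main(params) {
  console.log('invoked with', JSON.stringify(redact(params)));
  if (params.actionJoke !== 'joke') return { ok: false };
  const options = buildJokeRequest(params);
  // Hand `options` to the HTTP client here, as in the original action.
  return { ok: true, target: options.uri }; // the response never echoes the key
}
```

With this layout the action source can be shared or committed without exposing credentials, since the values live only in the action's or package's bound parameters.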

