Securely manage credentials and other sensitive values during MTA deployment.
When deploying applications, developers often need to specify some sensitive data during deployment, such as passwords, certificates, or credentials to external services, that will later be used during application runtime. The SAP Cloud Deployment service provides a secure mechanism for handling such sensitive data during multitarget application deployment. This eliminates the need to put credentials and secret values in MTA descriptors, which are normally stored in source control repositories or file systems.
The feature is enabled by adding the --require-secure-parameters flag to the cf deploy command. After that, sensitive values (declared as specially-formatted environment variables before the deployment) are:
- Collected by the MultiApps CF CLI plugin and validated
- Transmitted securely to the SAP Cloud Deployment service over HTTPS using a special MTA extension description that is built in memory
- Encrypted for the duration of the deployment using a key stored in a Cloud Foundry user-provided service instance. The service instance is either persisted or deleted afterwards, depending on the chosen approach (see Encryption Key Handling).
- Decrypted only when needed during deployment
- Automatically excluded from all deployment logs and outputs
The feature can be used only with the MultiApps CF CLI plugin and by the services and tools that utilize it, such as SAP Continuous Integration and Delivery. For more information, see Multitarget Application Plugin for Cloud Foundry Command Line Interface.
Avoid using the command-line option --keep-files together with this feature, so that the deployment files are removed after the process is finished.
The key used for encrypting your sensitive data is stored in a Cloud Foundry user-provided service instance located in the current Cloud Foundry space of the customer. You can choose between using a persistent or disposable user-provided service instance approach:
Persistent (default): Uses a user-provided service instance that you create and manage manually. This service instance contains the encryption key and can persist across multiple deployments. You are responsible for creating, updating, and deleting the instance, as well as managing key rotation between deployments. For more information, see Using a Persistent User-Provided Service Instance.
- For each new deployment, we recommend creating a new user-provided service instance or updating the already existing one.
- If key rotation is mandatory, then it must be done between MTA deployments and not during an active MTA deployment. Before changing or deleting the encryption key, ensure that all processes using this key have finished completely.
When key rotation is mandatory, using a disposable user-provided service instance is recommended, as it provides automatic key rotation (a new key is generated for each deployment).
Disposable: Uses a user-provided service instance with a randomly generated encryption key that is automatically created at the start of each deployment and deleted when the operation completes. This mode is activated with the --disposable-user-provided-service flag and provides automatic key rotation per deployment. For more information, see Using a Disposable User-Provided Service Instance.
Related Information
Using a Persistent User-Provided Service Instance
Using a Disposable User-Provided Service Instance
Environment Variables and User-Provided Service Instance Specifics