Skip to content

IBM Cloud Code Engine Project Key

Service Name: IBM Cloud Code Engine

Service Description: IBM Cloud Code Engine is a fully managed, serverless platform that runs your containerized workloads, including web apps, microservices, event-driven functions, or batch jobs. Code Engine even builds container images for you from your source code.

Service Address: https://cloud.ibm.com/codeengine/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the IBM Cloud account level using context-based restrictions

Secret Access Scope: Grants programmatic access to IBM Cloud Code Engine projects, allowing management of applications, jobs, builds, and other resources within a specific project.

Secret Revokement URL: https://cloud.ibm.com/iam/apikeys

Secret Example: IBMCLOUDAPIkey-1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t

Suspicious Activity Investigation Instructions:

  • Review IBM Cloud Activity Tracker logs for unusual API calls or resource access
  • Check for unauthorized deployments or modifications to Code Engine projects
  • Monitor for unexpected resource creation or deletion within Code Engine
  • Verify if there are any unusual network egress patterns from Code Engine applications
  • Check for unauthorized access from unexpected IP addresses or locations

Mitigation Instructions:

  • Log in to the IBM Cloud console at https://cloud.ibm.com
  • Navigate to Manage > Access (IAM) > API keys
  • Locate the compromised API key in the list
  • Click the "Actions" menu (three dots) next to the key and select Delete
  • Create a new API key with appropriate access policies
  • Update any applications or services using the old key with the new one
  • Review and adjust IAM policies to enforce the Principle of Least Privilege.
  • Consider implementing context-based restrictions to limit API key usage to specific IP ranges.
  • Enable multi-factor authentication for IBM Cloud account access