Secrets Store

Page last updated:


Secrets Store is a marketplace service and allows for developers to store credentials in JSON format securely that applications can use. In comparison to providing credentials with environment variables (e.g. with cf set-env), credentials stored in Secrets Store are not visible as environment variables reducing the exposure of sensitive information.

Integrating the Service With Your App

For each secret, a service instance has to be created where the secret must be passed as a parameter:

$ cf cs secrets-store json my-secure-json-value -c '{"password": "pass"}'

Creating service my-secure-json-value in org console / space development as

After the creation and the binding of the service to the application, the environment variable VCAP_SERVICES is created. Information about the credentials are stored in this variable as shown here:

  "secrets-store": [
    "credentials": {
     "credhub-ref": "/swisscom-service-broker/credhub/d8cea96f-beed-4e7e-b757-593ca84628e4/credentials"
    "instance_name": "creds",
    "label": "secrets-store",
    "name": "creds",
    "plan": "basic",
    "tags": []

A "credhub-ref" will be visible in cf env and the container environment variables, but can only be interpolated by the application.

As you would with any other VCAP_SERVICES, you can read the "credentials" key to retrieve your credentials, there is no other action that needs to be done for the application to be able to use your secret.

Note: Only the main process inside the application container will have this reference automatically interpolated into the actual secret values. If you open an SSH session into the container you will also only be able to see the credhub-ref instead of the actual values.

Due to security constraints creating a service-key for a secret-store is not possible, only binding the service-instance to an app is allowed.

Sample Application

Swisscom: Secrets Store Example

View the source for this page in GitHub