Secrets Store

Page last updated:


Secrets Store is a marketplace service and allows for developers to store credentials in JSON format securely that applications can use. In comparison to providing credentials with environment variables (e.g. with cf set-env), credentials stored in Secrets Store are not visible as environment variables reducing the exposure of sensitive information.

Integrating the Service With Your App

For each secret, a service instance has to be created where the secret must be passed as a parameter:

$ cf cs secrets-store json my-secure-json-value -c '{"password": "pass"}'

Creating service my-secure-json-value in org console / space development as

After the creation and the binding of the service to the application, the environment variable VCAP_SERVICES is created. Information about the credentials are stored in this variable as shown here:

  "secrets-store": [
    "credentials": {
     "credhub-ref": "/swisscom-service-broker/credhub/d8cea96f-beed-4e7e-b757-593ca84628e4/credentials"
    "instance_name": "creds",
    "label": "secrets-store",
    "name": "creds",
    "plan": "basic",
    "tags": []

A "credhub-ref" will be visible in cf env and the container environment variables, but can only be interpolated by the application.

As you would with any other VCAP_SERVICES, you can read the "credentials" key to retrieve your credentials.

Sample Application

Swisscom: Secrets Store Example

View the source for this page in GitHub