-
Notifications
You must be signed in to change notification settings - Fork 16
/
secretsstore.html.md.erb
51 lines (36 loc) · 2.46 KB
/
secretsstore.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
---
title: Secrets Store
owner: Services
---
## <a id='overview'></a> Overview
Secrets Store is a marketplace service and allows for developers to store credentials in JSON format securely that applications can use. In comparison to providing credentials with environment variables (e.g. with cf set-env), credentials stored in Secrets Store are not visible as environment variables reducing the exposure of sensitive information.
## <a id='integrating-your-service'></a> Integrating the Service With Your App
For each secret, a service instance has to be [created](../devguide/services/managing-services.html#create) where the secret must be passed as a parameter:
<pre class="terminal">
$ cf cs secrets-store json my-secure-json-value -c '{"password": "pass"}'
Creating service my-secure-json-value in org console / space development as user@example.com...
OK
</pre>
After the [creation](../devguide/services/managing-services.html#create) and the [binding](../devguide/services/application-binding.html#bind) of the service to the application, the environment variable [VCAP_SERVICES](../devguide/deploy-apps/environment-variable.html#VCAP-SERVICES) is created. Information about the credentials are stored in this variable as shown here:
```json
{
"secrets-store": [
{
"credentials": {
"credhub-ref": "/swisscom-service-broker/credhub/d8cea96f-beed-4e7e-b757-593ca84628e4/credentials"
},
"instance_name": "creds",
"label": "secrets-store",
"name": "creds",
"plan": "basic",
"tags": []
}
]
}
```
A `"credhub-ref"` will be visible in `cf env` and the container environment variables, but can only be interpolated by the application.
As you would with any other [VCAP_SERVICES](../devguide/deploy-apps/environment-variable.html#VCAP-SERVICES), you can read the `"credentials"` key to retrieve your credentials, there is no other action that needs to be done for the application to be able to use your secret.
Note: Only the main process inside the application container will have this reference automatically interpolated into the actual secret values. If you open an SSH session into the container you will also only be able to see the `credhub-ref` instead of the actual values.
Due to security constraints creating a service-key for a secret-store is not possible, only binding the service-instance to an app is allowed.
## <a id='sample-application'></a> Sample Application
Swisscom: [Secrets Store Example](https://github.com/swisscom/secrets-store)