Manage environment variables and secrets

In this Topic you will learn how to handle environment variables and secrets in your Cloud Foundry Space. Environment Variables are the way on which you and the Platform can communicate with your application. Cloud Foundry or you can set environment variables that are then read by the application in the staging process and can therefore be used within the application.

Do you just want to try out the STACKIT Cloud Foundry for a first time, without having your actual cloud ready application prepared yet?

Then you can just use one of the sample applications the Cloud Foundry Open Source Community created for demo use cases, which you can find in their GitHub repository.

Read environment variables via CF CLI

Once you are logged in to your space with the CF CLI, you can easily read out the environment variables of your application via the command:

cf env

This command will then output all the environment variables that consist out of the 3 following types:

• VCAP_APPLICATION - a list of system set environment variables around your application
• VCAP_SERVICES - a list of system set environment variables around your bound dataservices
• user-provided variables set by users in at least the space-developer role

Additionally there might be some platform-specific Environment Variables set by the STACKIT Cloud Foundry Platform Operators in so called environment variable groups. You can learn more about system variables in Cloud Foundry’s official documentation.

The VCAP_SERVICES include the connection credentials to your Dataservices once they are bound to your space.

Set and unset environment variables via CF CLI

Once you are logged in to your space with the CF CLI, you can easily set environment variables of your application via the command:

cf set-env <APP_NAME> <ENV_VAR_NAME> <ENV_VAR_VALUE>

You must name variables with alphanumeric characters and underscores. Non-conforming variable names may cause unpredictable behavior.

After setting new environment variables you have to restage your application in order for it to read out the new variables. You can simply restage your application with:

cf restage <APP_NAME>

You can unset your environment variables again with the following command:

cf unset-env <APP_NAME> <ENV_VAR_NAME> <ENV_VAR_VALUE>

Afterwards you have to restage your application again.

Set environment variables via the manifest-file

You can also set environment variables via the manifest-file when pushing your application to the Cloud Foundry.

Just add it to to an env-Block in the manifest.yml, like in the following example:

---
  ...
  env:
  RAILS_ENV: production
  RACK_ENV: production

You must name variables with alphanumeric characters and underscores. Non-conforming variable names may cause unpredictable behavior.

Secrets

The Cloud Foundry stores the configuration for an app in an encrypted database table. This configuration data includes user-specified environment variables and service credentials for any services bound to the app.

All apps are running inside a secure container. For more information, see the Cloud Foundry documentation about container security.

So your environment variables are secured. This secure state of all of your environment variables is also the reason, why Cloud Foundry stores the connection credentials to your bound dataservices in those environment variables aswell.

Nevertheless you have to keep in mind, that all environment variables can be read by everyone with at least the space-developer role in your org and space. For truely critical secrets it might be feasable to create a secret-storage like the Hashicorp Vault as a user provided Service.