A customer has questions about using credhub-refs to read environment variables from an application.
cf env <app-name> displays credentials in the following format:
"credentials": {
"credhub-ref": "/credhub-service-broker/credhub/c42d58-#############-79d3f/credentials"
},
Running the command env while SSH'ed into container also displays credentials in credhub-ref format.
So why can the app code read the secret directly from VCAP_SERVICES, while we only see a credhub-ref in VCAP_SERVICES when SSH'd into the droplet?
Tanzu CredHub Secrets Management service, formerly named the CredHub Service Broker tile.
The application does not need to make the call to CredHub. Diego (the app container infrastructure) automatically substitutes the actual credential for the credhub-ref. This behavior is for security reasons, so that the variable is not exposed through the env or cf env commands. The environment variable substitution happens during app staging. The actual credential is stored back into the environment variable while it is loaded into the app.
Therefore an application that uses a credhub-ref does not need to make a CredHub API call directly in order to use the environment variable.
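The following is an added example, not code from this article or from the product: it reads a service binding out of VCAP_SERVICES, reports whether the credentials are still an unresolved credhub-ref (the view from cf env or an SSH session) or already substituted (the view from the app process), and logs key names only. The instance name "my-secrets", the key "db_password", both sample documents and the assumption that the substituted object no longer contains a credhub-ref key are constructed for illustration.

```python
import json

REF_KEY = "credhub-ref"

# Constructed sample: what `cf env` and an SSH session show (reference only).
UNRESOLVED = json.dumps({"credhub": [{
    "name": "my-secrets",
    "credentials": {REF_KEY: "/credhub-service-broker/credhub/<instance-guid>/credentials"},
}]})

# Constructed sample: what the app process is assumed to see after substitution.
RESOLVED = json.dumps({"credhub": [{
    "name": "my-secrets",
    "credentials": {"db_password": "example-only"},
}]})


def binding_credentials(vcap_json, instance_name):
    """Return the credentials object of the named service binding."""
    for bindings in json.loads(vcap_json or "{}").values():
        for binding in bindings:
            if binding.get("name") == instance_name:
                return binding.get("credentials") or {}
    raise KeyError(f"no service binding named {instance_name!r}")


def is_unresolved(credentials):
    """True when only the CredHub reference is present, not the secret."""
    return REF_KEY in credentials


def safe_summary(vcap_json, instance_name):
    """Describe a binding for logs using key names only, never values."""
    creds = binding_credentials(vcap_json, instance_name)
    state = "unresolved credhub-ref" if is_unresolved(creds) else "resolved"
    return f"{instance_name}: {state}, keys={sorted(creds)}"


if __name__ == "__main__":
    # In a real app, pass os.environ["VCAP_SERVICES"] instead of the samples.
    for sample in (UNRESOLVED, RESOLVED):
        print(safe_summary(sample, "my-secrets"))
```
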