How to use VCAP with a IAM enabled service in IBM Cloud?


this blog is relevant for you, if you use Cloud Foundry applications inside IBM Cloud.

BTW: This topic is related to the content of my last blog.


One of the cool things using Cloud Foundry apps in IBM Cloud is the easy and extremely flexible deployment of those applications. With the usage of VCAP variables you can avoid to edit/touch the code, if you plan to deploy new instances of your Cloud Foundry application and the related services.

This blog will help you to avoid potential pitfalls in the future.

For more information related to VCAP usage, please take a look in the IBM documentation. (

Understand the dependencies

I assume you want to use the VCAPs in your Cloud Foundry app.


If you instantiate an IAM enabled service in IBM Cloud, you have to ensure a Cloud Foundry Service Alias representation is available in your Cloud Foundry space, you want to bind the IAM enabled service. If you ensure this, you can take the advantage of the usage  the VCAP variables in your CF Application.

Ensure you enabled two credential models for your service:  the pure IAM and the Cloud Foundry based (legacy). The enablement of the two models, is available  during the creation of an IAM enabled service instance.

The following image shows the dependencies of the IAM enabled service and the CF Alias. The two red doted lines representing the link from the IAM based service to the CF Alias and the binding from the CF Application to the CF Alias.

As you can see in the picture, you will have later two resources in your IBM dashboard: The IAM enabled service instance itself and the Cloud Foundry Alias.


Note: When you going to delete your IAM enabled service, you should follow this sequence:

  1. Unbind the CF Alias from the CF application
  2. Delete the CF Alias
  3. Delete the IAM enabled service

Short sample with the IBM Cloudant IAM enabled service

Let me tell you the three major steps for: How to create a instantiation of the IAM enabled Cloudant service and bind the service to a Cloud Foundry application?

1. Create the IBM Cloudant IAM enabled service

In the following image you can see the relevant part of the creation dialog for the Cloudant service. During this service creation, you must select Use both legacy credentials and IAM as you can see below.


Note: If this menu is not available, you can use the IBM Cloud command line to create a alias.

ibmcloud resource service-alias-create "{ALIAS_NAME}" --instance-name "{IAM_SERVICE_NAME}" -s "{SPACENAME}"

After the creation of the Cloudant service, you will see only the IAM enabled Cloudant service instance in your IBM Cloud dashboard.


2. Bind the IBM Cloudant service to the Cloud Foundry application

The binding to the Cloudant service, will be established inside the Cloud Foundry application instance. During this process a new CF Alias will be created and you can notice the new CF Alias in your IBM Cloud dashboard.

3. Verify the content in the IBM Cloud dashboard

After you have created the binding to a Cloud Foundry application, you will see following: the service and the alias.



With this alias concept you can easily take advantage from the basic Cloud Foundry functionalities like VCAP, even when your service is IAM enabled.

This blog hopefully will help you to avoid potential pitfalls in the future, you maybe step in and thanks for reading until the last line 😉



PS: By the way, you can use the IBM Cloud for free, if you simply create an IBM Lite account. Here you only need an e-mail address.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at

Up ↑

%d bloggers like this: