diff --git a/ansible/roles/controller/tasks/deploy.yml b/ansible/roles/controller/tasks/deploy.yml index f376052048e..85ea915bb57 100644 --- a/ansible/roles/controller/tasks/deploy.yml +++ b/ansible/roles/controller/tasks/deploy.yml @@ -71,18 +71,6 @@ dest: "{{ controller.confdir }}/{{ controller_name }}/jmxremote.access" mode: 0777 -- name: copy controller auth username file - template: - src: "controllerauth.username.j2" - dest: "{{ controller.confdir }}/{{ controller_name }}/controllerauth.username" - mode: 0777 - -- name: copy controller auth password file - template: - src: "controllerauth.password.j2" - dest: "{{ controller.confdir }}/{{ controller_name }}/controllerauth.password" - mode: 0777 - - name: "copy kafka truststore/keystore" when: kafka.protocol == 'SSL' copy: @@ -215,6 +203,9 @@ "CONFIG_whisk_db_activationsFilterDdoc": "{{ db_whisk_activations_filter_ddoc | default() }}" "CONFIG_whisk_userEvents_enabled": "{{ user_events | default(false) | lower }}" + "CONFIG_whisk_credentials_controller_username": "{{ controller.username }}" + "CONFIG_whisk_credentials_controller_password": "{{ controller.password }}" + "LIMITS_ACTIONS_INVOKES_PERMINUTE": "{{ limits.invocationsPerMinute }}" "LIMITS_ACTIONS_INVOKES_CONCURRENT": "{{ limits.concurrentInvocations }}" "LIMITS_TRIGGERS_FIRES_PERMINUTE": "{{ limits.firesPerMinute }}" diff --git a/ansible/roles/invoker/tasks/deploy.yml b/ansible/roles/invoker/tasks/deploy.yml index c2aa1eab81a..0561722ca23 100644 --- a/ansible/roles/invoker/tasks/deploy.yml +++ b/ansible/roles/invoker/tasks/deploy.yml 
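Review bot: The added `CONFIG_whisk_credentials_controller_username` and `CONFIG_whisk_credentials_controller_password` entries place the controller credentials in the container environment, where they can be read through container inspection and may be echoed when the play runs with verbose output. The task that consumes this env map starts outside the hunk, so it is not visible whether it sets `no_log: true`; if it does not, add it there. A short comment above the two entries would also help, e.g. `# Basic-auth credentials for POST /config/runtime; keep out of task output`. The same applies to the `CONFIG_whisk_credentials_invoker_username` / `_password` entries added in the invoker `deploy.yml` hunk.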
@@ -183,18 +183,6 @@ dest: "{{ invoker.confdir }}/{{ invoker_name }}/jmxremote.access" mode: 0777 -- name: copy invoker auth username file - template: - src: "invokerauth.username.j2" - dest: "{{ invoker.confdir }}/invoker{{ groups['invokers'].index(inventory_hostname) }}/invokerauth.username" - mode: 0777 - -- name: copy invoker auth password file - template: - src: "invokerauth.password.j2" - dest: "{{ invoker.confdir }}/invoker{{ groups['invokers'].index(inventory_hostname) }}/invokerauth.password" - mode: 0777 - - name: add additional jvm params if jmxremote is enabled when: jmx.enabled set_fact: @@ -278,6 +266,8 @@ "CONFIG_whisk_timeLimit_min": "{{ limit_action_time_min | default() }}" "CONFIG_whisk_timeLimit_max": "{{ limit_action_time_max | default() }}" "CONFIG_whisk_timeLimit_std": "{{ limit_action_time_std | default() }}" + "CONFIG_whisk_credentials_invoker_username": "{{ invoker.username }}" + "CONFIG_whisk_credentials_invoker_password": "{{ invoker.password }}" "CONFIG_whisk_concurrencyLimit_min": "{{ limit_action_concurrency_min | default() }}" "CONFIG_whisk_concurrencyLimit_max": "{{ limit_action_concurrency_max | default() }}" "CONFIG_whisk_concurrencyLimit_std": "{{ limit_action_concurrency_std | default() }}" diff --git a/ansible/templates/controllerauth.password.j2 b/ansible/templates/controllerauth.password.j2 deleted file mode 100644 index 46e7f119989..00000000000 --- a/ansible/templates/controllerauth.password.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ controller.password }} diff --git a/ansible/templates/controllerauth.username.j2 b/ansible/templates/controllerauth.username.j2 deleted file mode 100644 index 7739661801f..00000000000 --- a/ansible/templates/controllerauth.username.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ controller.username }} diff --git a/ansible/templates/invokerauth.password.j2 b/ansible/templates/invokerauth.password.j2 deleted file mode 100644 index 2d31b481cd3..00000000000 --- a/ansible/templates/invokerauth.password.j2 +++ /dev/null 
@@ -1 +0,0 @@ -{{ invoker.password }} diff --git a/ansible/templates/invokerauth.username.j2 b/ansible/templates/invokerauth.username.j2 deleted file mode 100644 index cd915356156..00000000000 --- a/ansible/templates/invokerauth.username.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ invoker.username }} diff --git a/common/scala/src/main/resources/reference.conf b/common/scala/src/main/resources/reference.conf index 4cd73f290c0..51779cd31f6 100644 --- a/common/scala/src/main/resources/reference.conf +++ b/common/scala/src/main/resources/reference.conf @@ -27,7 +27,7 @@ whisk.spi { EntitlementSpiProvider = org.apache.openwhisk.core.entitlement.LocalEntitlementProvider AuthenticationDirectiveProvider = org.apache.openwhisk.core.controller.BasicAuthenticationDirective InvokerProvider = org.apache.openwhisk.core.invoker.InvokerReactive - InvokerServerProvider = org.apache.openwhisk.core.invoker.InvokerServer + InvokerServerProvider = org.apache.openwhisk.core.invoker.DefaultInvokerServer } dispatchers { diff --git a/common/scala/src/main/scala/org/apache/openwhisk/common/ComponentCredentials.scala b/common/scala/src/main/scala/org/apache/openwhisk/common/ComponentCredentials.scala new file mode 100644 index 00000000000..ff3abe80bb0 --- /dev/null +++ b/common/scala/src/main/scala/org/apache/openwhisk/common/ComponentCredentials.scala @@ -0,0 +1,5 @@ +package org.apache.openwhisk.common + +case class ControllerCredentials(username: String, password: String) + +case class InvokerCredentials(username: String, password: String) diff --git a/common/scala/src/main/scala/org/apache/openwhisk/core/WhiskConfig.scala b/common/scala/src/main/scala/org/apache/openwhisk/core/WhiskConfig.scala index b6fa765b27c..4701f94879a 100644 --- a/common/scala/src/main/scala/org/apache/openwhisk/core/WhiskConfig.scala +++ b/common/scala/src/main/scala/org/apache/openwhisk/core/WhiskConfig.scala 
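Review bot: `InvokerServerProvider` now names `org.apache.openwhisk.core.invoker.DefaultInvokerServer`, but in the InvokerServer.scala hunks only the class is renamed; the provider is still declared as `object InvokerServer extends InvokerServerProvider`. The SPI loader is not visible in this diff, but if it resolves the configured name to a Scala singleton object, no `DefaultInvokerServer` object exists and the invoker would fail when the provider is looked up. Either keep the value as `org.apache.openwhisk.core.invoker.InvokerServer` or rename the provider to `object DefaultInvokerServer extends InvokerServerProvider`.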
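Review bot: Both case classes get a compiler-generated `toString` that prints the `password` field, so any log line or exception message that interpolates a `ControllerCredentials` or `InvokerCredentials` value would write the secret in clear text. Override it in each class, e.g. `override def toString: String = s"ControllerCredentials($username,<redacted>)"`. A one-line Scaladoc on each class, saying that it holds the Basic-auth credentials for the component's `/config/runtime` endpoint and is loaded from `whisk.credentials.*`, would also make the purpose clear.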
@@ -265,4 +265,7 @@ object ConfigKeys { val swaggerUi = "whisk.swagger-ui" val apacheClientConfig = "whisk.apache-client" + + val controllerCredentials = "whisk.credentials.controller" + val invokerCredentials = "whisk.credentials.invoker" } diff --git a/core/controller/src/main/scala/org/apache/openwhisk/core/controller/Controller.scala b/core/controller/src/main/scala/org/apache/openwhisk/core/controller/Controller.scala index 87d7614ad11..1e4da2a9ac9 100644 --- a/core/controller/src/main/scala/org/apache/openwhisk/core/controller/Controller.scala +++ b/core/controller/src/main/scala/org/apache/openwhisk/core/controller/Controller.scala @@ -31,8 +31,15 @@ import pureconfig.generic.auto._ import spray.json.DefaultJsonProtocol._ import spray.json._ import org.apache.openwhisk.common.Https.HttpsConfig -import org.apache.openwhisk.common.{AkkaLogging, ConfigMXBean, Logging, LoggingMarkers, TransactionId} -import org.apache.openwhisk.core.WhiskConfig +import org.apache.openwhisk.common.{ + AkkaLogging, + ConfigMXBean, + ControllerCredentials, + Logging, + LoggingMarkers, + TransactionId +} +import org.apache.openwhisk.core.{ConfigKeys, WhiskConfig} import org.apache.openwhisk.core.connector.MessagingProvider import org.apache.openwhisk.core.containerpool.logging.LogStoreProvider import org.apache.openwhisk.core.database.{ActivationStoreProvider, CacheChangeNotification, RemoteCacheInvalidation} 
@@ -165,16 +172,7 @@ class Controller(val instance: ControllerInstanceId, runtimes, List(apiV1.basepath())) - private val controllerUsername = { - val source = scala.io.Source.fromFile("/conf/controllerauth.username"); - try source.mkString.replaceAll("\r|\n", "") - finally source.close() - } - private val controllerPassword = { - val source = scala.io.Source.fromFile("/conf/controllerauth.password"); - try source.mkString.replaceAll("\r|\n", "") - finally source.close() - } + private val controllerCredentials = loadConfigOrThrow[ControllerCredentials](ConfigKeys.controllerCredentials) /** * config runtime @@ -184,7 +182,7 @@ class Controller(val instance: ControllerInstanceId, (path("config" / "runtime") & post) { extractCredentials { case Some(BasicHttpCredentials(username, password)) => - if (username == controllerUsername && password == controllerPassword) { + if (username == controllerCredentials.username && password == controllerCredentials.password) { entity(as[String]) { runtime => val execManifest = ExecManifest.initialize(runtime) if (execManifest.isFailure) { diff --git a/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/InvokerServer.scala b/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/InvokerServer.scala index 0a4c307e197..d3a439001b1 100644 --- a/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/InvokerServer.scala +++ b/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/InvokerServer.scala 
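Review bot: `loadConfigOrThrow[ControllerCredentials](ConfigKeys.controllerCredentials)` fails only when the key is missing, so an empty `username` or `password` loads successfully, and the `==` check in the next hunk would then accept empty Basic credentials on `POST /config/runtime`. Add a guard right after the load, e.g. `require(controllerCredentials.username.nonEmpty && controllerCredentials.password.nonEmpty, "whisk.credentials.controller must be set")`. No default for `whisk.credentials.controller` appears in this diff, so deployments that do not use the Ansible role shown here will presumably fail at startup, which deserves a line in the deployment docs. The same applies to `invokerCredentials` in InvokerServer.scala.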
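Review bot: The check `username == controllerCredentials.username && password == controllerCredentials.password` uses ordinary string equality with a short-circuit `&&`, so its running time depends on whether the username matched and on how many leading characters of each value agree. Compare the UTF-8 bytes of each value with `java.security.MessageDigest.isEqual(...)` and combine the two results with a non-short-circuit `&`, so both comparisons always run. The route body continues outside this hunk, so the handling of the failure branch is not visible here. The same comparison appears for `invokerCredentials` in the InvokerServer.scala hunk.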
@@ -21,38 +21,33 @@ import akka.actor.ActorSystem import akka.http.scaladsl.model.StatusCodes import akka.http.scaladsl.model.headers.BasicHttpCredentials import akka.http.scaladsl.server.Route -import org.apache.openwhisk.common.{Logging, TransactionId} +import org.apache.openwhisk.common.{InvokerCredentials, Logging, TransactionId} +import org.apache.openwhisk.core.ConfigKeys import org.apache.openwhisk.core.containerpool.PrewarmingConfig import org.apache.openwhisk.core.entity.{CodeExecAsString, ExecManifest} import org.apache.openwhisk.http.BasicRasService +import pureconfig._ +import pureconfig.generic.auto._ + import scala.concurrent.ExecutionContext /** * Implements web server to handle certain REST API calls. */ -class InvokerServer(val invoker: InvokerCore)(implicit val ec: ExecutionContext, - val actorSystem: ActorSystem, - val logger: Logging) +class DefaultInvokerServer(val invoker: InvokerCore)(implicit val ec: ExecutionContext, + val actorSystem: ActorSystem, + val logger: Logging) extends BasicRasService { - val invokerUsername = { - val source = scala.io.Source.fromFile("/conf/invokerauth.username"); - try source.mkString.replaceAll("\r|\n", "") - finally source.close() - } - val invokerPassword = { - val source = scala.io.Source.fromFile("/conf/invokerauth.password"); - try source.mkString.replaceAll("\r|\n", "") - finally source.close() - } + private val invokerCredentials = loadConfigOrThrow[InvokerCredentials](ConfigKeys.invokerCredentials) override def routes(implicit transid: TransactionId): Route = { super.routes ~ { (path("config" / "runtime") & post) { extractCredentials { case Some(BasicHttpCredentials(username, password)) => - if (username == invokerUsername && password == invokerPassword) { + if (username == invokerCredentials.username && password == invokerCredentials.password) { entity(as[String]) { prewarmRuntime => val execManifest = ExecManifest.initialize(prewarmRuntime) if (execManifest.isFailure) { 
@@ -85,5 +80,5 @@ class InvokerServer(val invoker: InvokerCore)(implicit val ec: ExecutionContext, object InvokerServer extends InvokerServerProvider { override def instance( invoker: InvokerCore)(implicit ec: ExecutionContext, actorSystem: ActorSystem, logger: Logging): BasicRasService = - new InvokerServer(invoker) + new DefaultInvokerServer(invoker) }