diff --git a/heat/db/sqlalchemy/api.py b/heat/db/sqlalchemy/api.py
index 9f53a979b0..e6f106a41c 100644
--- a/heat/db/sqlalchemy/api.py
+++ b/heat/db/sqlalchemy/api.py
@@ -211,11 +211,13 @@ def user_creds_create(values):
 
 
 def user_creds_get(user_creds_id):
-    result = model_query(None, models.UserCreds).get(user_creds_id)
-    result.password = auth.decrypt(result.password)
-    result.service_password = auth.decrypt(result.service_password)
-    result.aws_creds = auth.decrypt(result.aws_creds)
-
+    db_result = model_query(None, models.UserCreds).get(user_creds_id)
+    # Return a dict copy of db results, do not decrypt details into db_result
+    # or it can be committed back to the DB in decrypted form
+    result = dict(db_result)
+    result['password'] = auth.decrypt(result['password'])
+    result['service_password'] = auth.decrypt(result['service_password'])
+    result['aws_creds'] = auth.decrypt(result['aws_creds'])
     return result
 
 
diff --git a/heat/engine/manager.py b/heat/engine/manager.py
index f7da9d9f22..6bc31423e6 100644
--- a/heat/engine/manager.py
+++ b/heat/engine/manager.py
@@ -443,7 +443,7 @@ class EngineManager(manager.Manager):
             if s and s.status in (parser.Stack.CREATE_COMPLETE,
                                   parser.Stack.UPDATE_COMPLETE):
                 user_creds = db_api.user_creds_get(s.user_creds_id)
-                ctxt = ctxtlib.RequestContext.from_dict(dict(user_creds))
+                ctxt = ctxtlib.RequestContext.from_dict(user_creds)
                 stack = parser.Stack.load(ctxt, s.id)
                 for a in wr.rule[watchrule.WatchRule.ACTION_MAP[new_state]]:
                     greenpool.spawn_n(stack[a].alarm)