credhub#
Resources#
Setting up your local BOSH environment#
First create your local BOSH director:
Mind the uaa.yml and credhub.yml operator files.
When the deployment finishes you will have a creds.yml file that has all k
When you have this up and running, credhub should be running on port 8844 and use the local UAA (on port 8443) as its authenticator.
Login to credhub#
First you need the credhub and uaac CLIs; see the resources section for the download URLs. To install uaac, run sudo gem install cf-uaac.
Then you set the API to credhub:
metskem@athena-2 ~/workspace/boshlite/deployments/vbox $ credhub api -s https://192.168.50.6:8844 --ca-cert <(bosh int creds.yml --path /credhub_tls/ca) --skip-tls-validation
Setting the target url: https://192.168.50.6:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
Mind the warnings: --skip-tls-validation switches certificate verification off even though the CA is being passed in, so once --ca-cert points at the credhub_tls CA the flag should be dropped.
First some jq magic to get the UAA URL from the credhub /info api:
Login to credhub goes through UAA, so log in to UAA first. Adding users and groups there needs the uaa_admin client (it took me quite some time to find out which user/password to use for uaa admin):
metskem@athena-2 ~/workspace/boshlite/deployments/vbox $ uaac token client get uaa_admin -s $(cat <(bosh int creds.yml --path /uaa_admin_client_secret))
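The /info lookup mentioned above, written out as an added example (this is not the post's own command): it reads CredHub's /info JSON, extracts auth-server.url and points uaac at that UAA with the CA instead of skipping verification. curl is assumed; jq is used when present, with a sed fallback. The sample /info document is constructed to match the shape shown in the "Getting info and health" section further down, and the CA file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): find the UAA that a CredHub
# instance trusts by reading its /info endpoint, then target uaac at it.
# Assumes: curl; jq if available (sed fallback otherwise); CA files extracted
# beforehand, e.g. bosh int creds.yml --path /credhub_tls/ca > credhub_ca.pem

# Read CredHub /info JSON on stdin and print the auth-server URL.
uaa_url_from_info() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '."auth-server".url'
  else
    # No jq: flatten to one line and pull the "url" inside "auth-server".
    tr -d '\n' | sed -n 's/.*"auth-server"[^}]*"url"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
  fi
}

# Fetch /info from a live CredHub, verifying its certificate against the CA.
credhub_uaa_url() { # $1 = CredHub URL, $2 = CredHub CA cert file
  curl --silent --fail --cacert "$2" "$1/info" | uaa_url_from_info
}

# Target uaac at the UAA that CredHub reported. Recent cf-uaac versions accept
# --ca-cert on `uaac target`; the post used --skip-ssl-validation instead,
# which turns verification off. The UAA CA is passed separately in case it
# differs from the CredHub CA.
target_uaac_from_credhub() { # $1 = CredHub URL, $2 = CredHub CA, $3 = UAA CA
  uaa_url=$(credhub_uaa_url "$1" "$2")
  # An empty result means curl failed or /info had no auth-server.url.
  [ -n "$uaa_url" ] || { echo "could not read auth-server.url from $1/info" >&2; return 1; }
  uaac target "$uaa_url" --ca-cert "$3"
}

# Constructed sample, same shape as the /info output shown later in the post.
SAMPLE_INFO='{"auth-server":{"url":"https://10.253.6.11:8443"},"app":{"name":"CredHub","version":"1.0.8"}}'

# Usage against a real director:
#   target_uaac_from_credhub https://192.168.50.6:8844 credhub_ca.pem uaa_ca.pem
```

With the UAA targeted this way the uaac context shows the CA in use rather than skip_ssl_validation: true.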
After that you can list the contexts, and you can see you have scim.write (needed for adding users) and more:
metskem@athena ~/workspace/boshlite/deployments/vbox $ uaac contexts

[0]*[https://192.168.50.6:8443]
  skip_ssl_validation: true

  [0] [admin]
      client_id: admin
      access_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiI2MzMyOWY4Y2JmMjI0YzE3OThhYjVlN2I5MTdjY2QzYyIsInN1YiI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiYm9zaC5hZG1pbiJdLCJzY29wZSI6WyJib3NoLmFkbWluIl0sImNsaWVudF9pZCI6ImFkbWluIiwiY2lkIjoiYWRtaW4iLCJhenAiOiJhZG1pbiIsInJldm9jYWJsZSI6dHJ1ZSwiZ3JhbnRfdHlwZSI6ImNsaWVudF9jcmVkZW50aWFscyIsInJldl9zaWciOiI0YmI2OTAwYyIsImlhdCI6MTUzNTk4MDQxNSwiZXhwIjoxNTM2MDIzNjE1LCJpc3MiOiJodHRwczovLzE5Mi4xNjguNTAuNjo4NDQzL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImFkbWluIiwiYm9zaCJdfQ.URHw2xjZrqUFBMFVV4Ap4t4u5QqiMk61krlrIQx4s8klW2PDnEPS0tyl0qwmDOxdU08-C-s-E_GPbgePl8gqFGs6sgXagRmqw2ecnI2LDLu0SvhpKjMPGtCN0Gv38ZhDA_hzbrLouRgZ7SaxctSX4TnQMad_uxG0mq1KgFePy6luVqr32vvepkqMbRDBrNHro30wI_CDjie0vcFNBA9pQF5Z5SmUqzXAUvt2jEzPEc7Hqhwd8gAzOTAzOQYRnDnfMHdf3MP6ZGjPly7xDyRp9Z-QXo6PLItI7KmlO-qluU0JgKFnaznBl5TxTwMMA5o0k7FKXCjewPa--87yO3-A6w
      token_type: bearer
      expires_in: 43199
      scope: bosh.admin
      jti: 63329f8cbf224c1798ab5e7b917ccd3c

  [1]*[uaa_admin]
      client_id: uaa_admin
      access_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJkNjU5NDFhYWM5MTc0MTBkYT[...]
Now you can also list the current uaa clients:
metskem@athena ~/workspace/boshlite/deployments/vbox uaac clients admin scope: uaa.none resource_ids: none authorized_grant_types: client_credentials autoapprove: authorities: bosh.admin lastmodified: 1535891189747 bosh_cli scope: openid bosh.admin bosh.read bosh.*.admin bosh.*.read bosh.teams.*.admin bosh.teams.*.read resource_ids: none authorized_grant_types: password refresh_token autoapprove: access_token_validity: 120 refresh_token_validity: 86400 authorities: uaa.none lastmodified: 1535891189819 credhub-admin scope: uaa.none resource_ids: none authorized_grant_types: client_credentials autoapprove: access_token_validity: 3600 authorities: credhub.write credhub.read lastmodified: 1535891189423 credhub_cli scope: credhub.read credhub.write resource_ids: none authorized_grant_types: password refresh_token autoapprove: access_token_validity: 60 refresh_token_validity: 1800 authorities: uaa.none lastmodified: 1535891189596 director_to_credhub scope: uaa.none resource_ids: none authorized_grant_types: client_credentials autoapprove: access_token_validity: 3600 authorities: credhub.write credhub.read lastmodified: 1535891189890 hm scope: uaa.none resource_ids: none authorized_grant_types: client_credentials autoapprove: authorities: bosh.admin lastmodified: 1535891189671 uaa_admin scope: uaa.none resource_ids: none authorized_grant_types: client_credentials autoapprove: authorities: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read lastmodified: 1535891189507 metskem@athena ~/workspace/boshlite/deployments/vboxAnd you can list current uaa users :
metskem@athena ~/workspace/boshlite/deployments/vbox uaac users resources: - id: 867f25b4-4c92-41a9-b6aa-dba4b6d23cac meta version: 0 created: 2018-09-02T12:26:27.295Z lastmodified: 2018-09-02T12:26:27.295Z name familyname: givenname: emails: - value: admin primary: false groups: - value: 9c03792f-013d-4cc3-9220-8c688d809f56 display: uaa.offline_token type: DIRECT - value: bdf0bbb0-5047-4705-a3c2-43590babaaec display: profile type: DIRECT - value: cfba5d5c-fe3d-4948-b2e5-bd33caf914d6 display: user_attributes type: DIRECT - value: 45f765c9-b670-4234-a378-8b2230d6779e display: cloud_controller.write type: DIRECT - value: 8ae1fd7f-e393-4ca6-a727-e267fb1661da display: openid type: DIRECT - value: 1994ff63-8eab-40bc-99c6-3c3f117fd8fd display: notification_preferences.write type: DIRECT - value: bd5c331f-778c-4196-8abf-2d56381c56a5 display: oauth.approvals type: DIRECT - value: 599b2bab-a8d9-4b00-9c69-0082dba892c7 display: bosh.admin type: DIRECT - value: ec253d39-e701-44f8-bd06-7e1a97b449a1 display: password.write type: DIRECT - value: 2da56b99-6188-42a7-be3b-0886741f3a1f display: cloud_controller_service_permissions.read type: DIRECT - value: 6eded82d-f5dd-48e0-8a60-90763d1773ea display: scim.me type: DIRECT - value: a0a90654-9f88-4246-b9c5-93cee5f33dfe display: cloud_controller.read type: DIRECT - value: 24348f57-4ce1-4f76-b5bb-2c716d3bd203 display: roles type: DIRECT - value: cc248fc8-50d6-48a1-a1d4-d7e3dfc65f42 display: approvals.me type: DIRECT - value: db3e1751-bb89-4050-8bce-83e40fcbf86b display: uaa.user type: DIRECT - value: c7f5cd9b-6f3c-4382-a70a-2ca0b171701f display: notification_preferences.read type: DIRECT approvals: active: true verified: true origin: uaa schemas: urn:scim:schemas:core:1.0 username: admin zoneid: uaa passwordlastmodified: 2018-09-02T12:26:27.000Z previouslogontime: 1535956808901 lastlogontime: 1535972766877 schemas: urn:scim:schemas:core:1.0 startindex: 1 itemsperpage: 100 totalresults: 1Also list the groups:
metskem@athena ~/workspace/boshlite/deployments/vbox uaac groups bosh.admin id: 599b2bab-a8d9-4b00-9c69-0082dba892c7 meta version: 1 created: 2018-09-02T12:26:27.335Z lastmodified: 2018-09-02T12:26:30.452Z description: User has admin access on any Director members: - origin: uaa type: USER value: 867f25b4-4c92-41a9-b6aa-dba4b6d23cac schemas: urn:scim:schemas:core:1.0 zoneid: uaa openid id: 8ae1fd7f-e393-4ca6-a727-e267fb1661da meta version: 1 created: 2018-09-02T12:26:27.341Z lastmodified: 2018-09-02T12:26:30.425Z description: Access profile information, i.e. email, first and last name, and phone number members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa password.write id: ec253d39-e701-44f8-bd06-7e1a97b449a1 meta version: 1 created: 2018-09-02T12:26:27.347Z lastmodified: 2018-09-02T12:26:30.443Z description: Change your password members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa uaa.user id: db3e1751-bb89-4050-8bce-83e40fcbf86b meta version: 1 created: 2018-09-02T12:26:27.352Z lastmodified: 2018-09-02T12:26:30.439Z description: Act as a user in the UAA members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa approvals.me id: cc248fc8-50d6-48a1-a1d4-d7e3dfc65f42 meta version: 0 created: 2018-09-02T12:26:27.357Z lastmodified: 2018-09-02T12:26:27.357Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa profile id: bdf0bbb0-5047-4705-a3c2-43590babaaec meta version: 0 created: 2018-09-02T12:26:27.363Z lastmodified: 2018-09-02T12:26:27.363Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa roles id: 24348f57-4ce1-4f76-b5bb-2c716d3bd203 meta version: 0 created: 2018-09-02T12:26:27.367Z lastmodified: 2018-09-02T12:26:27.367Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa user_attributes id: cfba5d5c-fe3d-4948-b2e5-bd33caf914d6 meta version: 0 created: 2018-09-02T12:26:27.370Z lastmodified: 2018-09-02T12:26:27.370Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa uaa.offline_token id: 9c03792f-013d-4cc3-9220-8c688d809f56 meta version: 1 
created: 2018-09-02T12:26:27.374Z lastmodified: 2018-09-02T12:26:30.445Z description: Allow offline access members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa bosh.releases.upload id: ce7801fb-5b00-4b11-ad8a-ace788916ef8 meta version: 1 created: 2018-09-02T12:26:30.304Z lastmodified: 2018-09-02T12:26:30.397Z description: User can upload new releases members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa idps.write id: 848fc6e8-61a6-4894-a136-1e0d04e30ff2 meta version: 1 created: 2018-09-02T12:26:30.306Z lastmodified: 2018-09-02T12:26:30.399Z description: Create and update identity providers members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa scim.me id: 6eded82d-f5dd-48e0-8a60-90763d1773ea meta version: 0 created: 2018-09-02T12:26:30.309Z lastmodified: 2018-09-02T12:26:30.309Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa scim.zones id: ccfa8e33-0427-40fa-9815-1cc6aebe2fbf meta version: 1 created: 2018-09-02T12:26:30.312Z lastmodified: 2018-09-02T12:26:30.401Z description: Control a user's ability to manage a zone members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa cloud_controller.admin id: 8f359d15-ac80-4fd0-a253-aafd9c2e0bf5 meta version: 0 created: 2018-09-02T12:26:30.315Z lastmodified: 2018-09-02T12:26:30.315Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa bosh.stemcells.upload id: 5da65374-9578-46aa-8193-1499e30e0a1e meta version: 1 created: 2018-09-02T12:26:30.318Z lastmodified: 2018-09-02T12:26:30.403Z description: User can upload new stemcells members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa oauth.approval id: fbf0a312-9dfb-45ba-a91e-ef7a06364bf5 meta version: 1 created: 2018-09-02T12:26:30.320Z lastmodified: 2018-09-02T12:26:30.405Z description: Manage approved scopes members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa cloud_controller.write id: 45f765c9-b670-4234-a378-8b2230d6779e meta version: 1 created: 2018-09-02T12:26:30.323Z lastmodified: 2018-09-02T12:26:30.407Z description: Push applications to your 
account and create and bind services members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa cloud_controller_service_permissions.read id: 2da56b99-6188-42a7-be3b-0886741f3a1f meta version: 1 created: 2018-09-02T12:26:30.325Z lastmodified: 2018-09-02T12:26:30.408Z description: Verify user permission to manage service instances members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa bosh.read id: c0770ea1-90d7-4f40-937f-408210750942 meta version: 1 created: 2018-09-02T12:26:30.327Z lastmodified: 2018-09-02T12:26:30.410Z description: User has read access on any Director members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa oauth.approvals id: bd5c331f-778c-4196-8abf-2d56381c56a5 meta version: 0 created: 2018-09-02T12:26:30.331Z lastmodified: 2018-09-02T12:26:30.331Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa uaa.none id: ee5ced29-82c8-49c4-aef9-c6437b1dad63 meta version: 1 created: 2018-09-02T12:26:30.334Z lastmodified: 2018-09-02T12:26:30.411Z description: Forbid acting as a user members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa idps.read id: d694cd45-5aef-478f-a3d4-2ea79585a66c meta version: 1 created: 2018-09-02T12:26:30.337Z lastmodified: 2018-09-02T12:26:30.414Z description: Retrieve identity providers members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa clients.read id: 171aeb8c-94ec-4900-9992-f6b60eaeca95 meta version: 1 created: 2018-09-02T12:26:30.340Z lastmodified: 2018-09-02T12:26:30.416Z description: Read information about OAuth clients members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa zones.read id: 961d07c3-8d4f-4b3d-b193-f4bfb26fcf99 meta version: 1 created: 2018-09-02T12:26:30.342Z lastmodified: 2018-09-02T12:26:30.418Z description: Read identity zones members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa scim.userids id: b45ff2b9-857d-4c0d-b587-cd565cb0596f meta version: 1 created: 2018-09-02T12:26:30.345Z lastmodified: 2018-09-02T12:26:30.420Z description: Read user IDs and retrieve users by ID members: schemas: 
urn:scim:schemas:core:1.0 zoneid: uaa clients.secret id: 1f0ee76f-1d2b-4051-8a82-217e4ef2036e meta version: 1 created: 2018-09-02T12:26:30.348Z lastmodified: 2018-09-02T12:26:30.422Z description: Change the password of an OAuth client members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa uaa.resource id: 77f58d65-e7f9-42b6-9cbb-2bbe6574501f meta version: 1 created: 2018-09-02T12:26:30.351Z lastmodified: 2018-09-02T12:26:30.423Z description: Serve resources protected by the UAA members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa scim.invite id: 2f769581-c6ca-4707-b027-e1f572d1f8cb meta version: 1 created: 2018-09-02T12:26:30.354Z lastmodified: 2018-09-02T12:26:30.427Z description: Send invitations to users members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa groups.update id: 3a0302f3-a765-487e-a9e1-03baddeece3a meta version: 1 created: 2018-09-02T12:26:30.358Z lastmodified: 2018-09-02T12:26:30.429Z description: Update group information and memberships members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa notification_preferences.read id: c7f5cd9b-6f3c-4382-a70a-2ca0b171701f meta version: 0 created: 2018-09-02T12:26:30.360Z lastmodified: 2018-09-02T12:26:30.360Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa oauth.login id: c14f05f5-5b8c-4eec-b2e8-10f2c8d721a9 meta version: 1 created: 2018-09-02T12:26:30.364Z lastmodified: 2018-09-02T12:26:30.431Z description: Authenticate users outside of the UAA members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa uaa.admin id: 464f984f-1fbd-48ec-b0eb-ffe849ef4051 meta version: 1 created: 2018-09-02T12:26:30.367Z lastmodified: 2018-09-02T12:26:30.433Z description: Act as an administrator throughout the UAA members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa clients.admin id: 8635d6d0-0318-4cbd-a009-2dfd4d3d1993 meta version: 1 created: 2018-09-02T12:26:30.370Z lastmodified: 2018-09-02T12:26:30.434Z description: Create, modify and delete OAuth clients members: schemas: urn:scim:schemas:core:1.0 zoneid: 
uaa scim.read id: 9561acd4-140d-4e9f-aa9a-288a4cf0df09 meta version: 1 created: 2018-09-02T12:26:30.373Z lastmodified: 2018-09-02T12:26:30.436Z description: Read all SCIM entities, i.e. users and groups members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa scim.create id: 4792729c-7517-4309-99d9-96a275a51674 meta version: 1 created: 2018-09-02T12:26:30.377Z lastmodified: 2018-09-02T12:26:30.437Z description: Create users members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa notification_preferences.write id: 1994ff63-8eab-40bc-99c6-3c3f117fd8fd meta version: 0 created: 2018-09-02T12:26:30.381Z lastmodified: 2018-09-02T12:26:30.381Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa cloud_controller.read id: a0a90654-9f88-4246-b9c5-93cee5f33dfe meta version: 1 created: 2018-09-02T12:26:30.384Z lastmodified: 2018-09-02T12:26:30.441Z description: View details of your applications and services members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa zones.write id: 77802fef-8a94-4232-8ceb-338dd300d40f meta version: 1 created: 2018-09-02T12:26:30.387Z lastmodified: 2018-09-02T12:26:30.447Z description: Create and update identity zones members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa clients.write id: ccf96d30-269b-4091-855a-308a61aec719 meta version: 1 created: 2018-09-02T12:26:30.390Z lastmodified: 2018-09-02T12:26:30.449Z description: Create and modify OAuth clients members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa scim.write id: 83df5f38-4046-4227-8a18-4cef5fd99e5a meta version: 1 created: 2018-09-02T12:26:30.393Z lastmodified: 2018-09-02T12:26:30.450Z description: Create, modify and delete SCIM entities, i.e. 
users and groups members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa organizations.acme id: 72d1bdf8-03f4-416b-956c-35babcfde2fb meta version: 0 created: 2018-09-02T12:26:30.467Z lastmodified: 2018-09-02T12:26:30.467Z members: schemas: urn:scim:schemas:core:1.0 zoneid: uaa metskem@athena ~/workspace/boshlite/deployments/vboxCreate the uaa user that we will use to manage credhub:
We have to create the credhub.write and credhub.read groups first and then make the newly created user a member of that:
metskem@athena ~/workspace/boshlite/deployments/vbox uaac group add credhub.read id: afc61498-2384-4ded-8309-6c857b8eac6d meta version: 0 created: 2018-09-04T06:16:25.096Z lastmodified: 2018-09-04T06:16:25.096Z members: schemas: urn:scim:schemas:core:1.0 displayname: credhub.read zoneid: uaa metskem@athena ~/workspace/boshlite/deployments/vbox uaac group add credhub.write id: fc109dcd-5cf9-444e-8365-01f6146ac26f meta version: 0 created: 2018-09-04T06:16:30.306Z lastmodified: 2018-09-04T06:16:30.306Z members: schemas: urn:scim:schemas:core:1.0 displayname: credhub.write zoneid: uaa metskem@athena ~/workspace/boshlite/deployments/vbox uaac member add credhub.read credhub_user success metskem@athena ~/workspace/boshlite/deployments/vbox uaac member add credhub.write credhub_user success metskem@athena ~/workspace/boshlite/deployments/vboxYou can get a token using the credhub-admin user (using the password from creds.yml:credhub_admin_client_secret:
And we can use the credhub client to login:
Then generate an ssh key in credhub:
And get it back from credhub by name :
metskem@athena-2 ~/workspace/boshlite/deployments/vbox credhub get -n /static/ssh_key id: 7fb0017a-8b70-45a4-bfd5-8407d845ed73 name: /static/ssh_key type: ssh value: private_key: | -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEAxROvOfTnMQvy+gw1L+pDQLwDsupBdiEBy6m6+3n8l/g7Lxpf dB7j8P1B7usG/CL01hV2rFHtol6jDg0TCYnTPiHkQIYZlTL39l7uNePv373MRy9s jtCtv/YWPofF4hf8yHn8xC7a2/oEMM44aSN/3gYKfJf4s9PpMbVUxMsi5oF+yKKO br+/CSTiQcvndZkAfLl9sS4FcIrRjSHuNQJ81syT43p75RVUwzvl84zT/4McmcSj 5Z2r6G7z0x7t3P4mf4ttutf0ryCgYWsorvHyNrxKKJf07F0yaK+JkaNjKTn4Rtmo vqAGbfJw771OZCQ8UNOmOoEPy+dk4/RzC3vR8QIDAQABAoIBAHDIGBJBzgCqhu2E CPgXx08HidJc7wNsVju4MXJy2BQcEbqeDBxHBUlHlfDlfYTTeGv/sn9hD25JXGTR JKDjyAkZmic21vMkTPUoVIhwnjjbxEjEogqE77oYWZiFWMBP2/DapsWaztLunHFV wsCgeS+VI3E0AzbeQeiZjh5k5d8lIR7IkT18pCmQ7sssB6EWDeY0x4IUJObfrU/Y 5iULq7Hx4+pxfiDtUllIcX5AJD1JCtVHmX871ST6zE10n1KUi2lhe5WdBEdFn43m 3cDQJ5SaqouaTro7vEiGoH1mToPqnxqVlpYgNW3xHT+t5XcewvnTThSrro9gsBHG wIf+KKUCgYEA6d0MumKQE5ZN3s3RoxUnJqRQ8fbGg5Hps0KrCQS90VlgJFCBjF9T kpYxFCQ/alxRN0NG5ehGaI1FjGT7RfUkXaAtFL0VItJBGEnnQpJrYSzuEhrvkEUh Y4A74NIgyH1yftSsMCKR61yVICnTowRhlasKUffdCGwjI2Rr62YBAHcCgYEA17s6 FwkDVr1SaDUSmG9lMjP25h9jDppcbDJMwMtDD47i/kxkK9M/IdI2nXqR5+B+vwlN dVEhsSZRLr9WyEWjNLoRBpOP0Ya/FwiEI9+BBzbalhHJ0s95oeWuX80RSJb67UOY DB27cuhPijMYuadHcgYaT4C/+oxPUF5LCNbYgtcCgYEApPM+NASrHLWqLRm84Ktd 1vqVAWWO9WQok0DVxGGsxQmmL1b9WRYvqzf2W/+JHysIOdNhIW5oovvp7zGWrexP fx4oTfVkABCOy2PtEt6VkJARR4HqMTchar4a/eMYLnGVHXJCFR19EKZXpLz7woKn ldpzSAdsxrEHQ8JkAEANOtcCgYEAzS5ppZcQ8eLHCg3QTeNFIGaEIYMgt7bgyJde oM+yTI3eH3eQno4gsY46G7WEKEJAynmSjk5H+TE0bX3WkEyLWY7Ouq6GTwYVoVac N3JQSghGBg2NI0/po63MF5n3Ik9XAWsUphFxQ2zomczXa1xKe4yKYatW7HmexhWo 0BNngakCgYEA5mGPSrAB7hHsP3IG2F+ui0zeC65AuR5XP22TugoclnaWbcTzz/bP 0H9AwASguCuOkn/aJIAKYC6BTA2WEOW59zJekO/LVPhHm3QRuaYOFO5IBXyoDmvO 265TIM/NZ+TbLV8QHR2CKR8u3RQZi/wZClybOavFoqIR5tSu1SqlpaA= -----END RSA PRIVATE KEY----- public_key: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDFE6859OcxC/L6DDUv6kNAvAOy6kF2IQHLqbr7efyX+DsvGl90HuPw/UHu6wb8IvTWFXasUe2iXqMODRMJidM+IeRAhhmVMvf2Xu414+/fvcxHL2yO0K2/9hY+h8XiF/zIefzELtrb+gQwzjhpI3/eBgp8l/iz0+kxtVTEyyLmgX7Ioo5uv78JJOJBy+d1mQB8uX2xLgVwitGNIe41AnzWzJPjenvlFVTDO+XzjNP/gxyZxKPlnavobvPTHu3c/iZ/i2261/SvIKBhayiu8fI2vEool/TsXTJor4mRo2MpOfhG2ai+oAZt8nDvvU5kJDxQ06Y6gQ/L52Tj9HMLe9Hx public_key_fingerprint: kodcZ/qmGimxhY9FXbOmxnPzwr2Qf0WWLWqdd0q9lyY version_created_at: "2018-09-07T06:52:34Z"Finding creds#
Simply use the credhub find with no arguments:
Exporting (backup) creds#
Simply use the credhub export command.Importing (restore) creds#
Simply use the credhub import command.It does however complain about ssh-type entries:
Test deploy and see if it works#
We took the gogs boshreleaseAfter deploying it simply works, and with the credhub find command, you see that several entries were created:
CredHub on PCF#
This listens on port 8844.
There is an interesting config file @ /var/vcap/jobs/credhub/config/application.yml
Logging is @ /var/vcap/sys/log/credhub/credhub.log
Setting the target#
Getting info and health#
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/info | jq { "auth-server": { "url": "https://10.253.6.11:8443" }, "app": { "name": "CredHub", "version": "1.0.8" } }metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/health | jq { "status": "UP" }