What runs on the director (PCF 1.11):
First create your local BOSH director:
bosh create-env ~/workspace/bosh-deployment/bosh.yml \
  --state ./state.json \
  -o ~/workspace/bosh-deployment/virtualbox/cpi.yml \
  -o outbound-network.yml \
  -o ~/workspace/bosh-deployment/bosh-lite.yml \
  -o ~/workspace/bosh-deployment/bosh-lite-runc.yml \
  -o ~/workspace/bosh-deployment/jumpbox-user.yml \
  -o ~/workspace/bosh-deployment/uaa.yml \
  -o ~/workspace/bosh-deployment/credhub.yml \
  --vars-store ./creds.yml \
  -v director_name="Bosh Lite Director" \
  -v internal_ip=192.168.50.6 \
  -v internal_gw=192.168.50.1 \
  -v internal_cidr=192.168.50.0/24 \
  -v outbound_network_name=NatNetwork

bosh alias-env vbox -e 192.168.50.6 --ca-cert <(bosh int ./creds.yml --path /director_ssl/ca)

export BOSH_ENVIRONMENT=vbox
export BOSH_CLIENT=admin
export BOSH_CLIENT_SECRET=`bosh int ./creds.yml --path /admin_password`

echo "updating cloud config..."
bosh -n update-cloud-config ~/workspace/bosh-deployment/warden/cloud-config.yml
Note the uaa.yml and credhub.yml ops files: they are what add UAA and CredHub to the director.
When the deployment finishes you will have a creds.yml file that has all k
When you have this up and running, credhub should be listening on port 8844 and using the local UAA (on port 8443) as its authentication server.
Then point the credhub CLI at the API (the --ca-cert is sufficient on its own; as the output shows, --skip-tls-validation is deprecated):
metskem@athena-2 ~/workspace/boshlite/deployments/vbox $ credhub api -s https://192.168.50.6:8844 --ca-cert <(bosh int creds.yml --path /credhub_tls/ca) --skip-tls-validation
Setting the target url: https://192.168.50.6:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
First some jq magic to get the UAA URL from the credhub /info api:
curl -k --silent https://192.168.50.6:8844/info|jq '.["auth-server"].url'
Login to credhub should be done with a UAA user, so log in to UAA first (it took me quite some time to find out which user/password to use for the UAA admin):
uaac token client get uaa_admin -s $(bosh int creds.yml --path /uaa_admin_client_secret)

After that you are able to list the contexts, and you can see you have scim.write (needed for adding users) and more:
metskem@athena ~/workspace/boshlite/deployments/vbox $ uaac contexts
[0]*[https://192.168.50.6:8443]
skip_ssl_validation: true
[0] [admin]
client_id: admin
token_type: bearer
expires_in: 43199
scope: bosh.admin
jti: 63329f8cbf224c1798ab5e7b917ccd3c
[1]*[uaa_admin]
client_id: uaa_admin
token_type: bearer
expires_in: 43199
scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
jti: d65941aac917410da1973383e556959b
You need the second context (uaa_admin): as you can see, it has all the scopes you need (clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read).
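The access tokens that uaac contexts prints are JWTs, so the scope claim that decides whether a context can add users (scim.write) or, later on, talk to CredHub (credhub.read/credhub.write) can be read locally before you try a command and get an authorization error. The Python below is an added example, not part of the original notes: the token contents are constructed to mirror the admin and uaa_admin contexts above, and the code only decodes the claims, it does not verify the signature.

```python
"""Read the scope and exp claims of a UAA access token (no signature check)."""
import base64
import json
import time
from typing import Optional

# Scopes the notes rely on: scim.* to add users and groups, credhub.* to use CredHub.
UAA_ADMIN_SCOPES = {"scim.write", "scim.read", "clients.read", "clients.write"}
CREDHUB_SCOPES = {"credhub.read", "credhub.write"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload (claims) of a compact JWT; ValueError if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_scopes(token: str, required: set) -> set:
    """Scopes in `required` that the token's `scope` claim does not grant."""
    granted = set(jwt_claims(token).get("scope", []))
    return required - granted


def is_expired(token: str, now: Optional[float] = None) -> bool:
    """True when the `exp` claim (seconds since the epoch) is absent or in the past."""
    exp = jwt_claims(token).get("exp")
    now = time.time() if now is None else now
    return exp is None or exp <= now


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg none, empty signature) so the checks run offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed claims modelled on the two contexts in the notes: the bosh `admin`
# client only carries bosh.admin, the `uaa_admin` client carries the SCIM scopes.
ADMIN_TOKEN = make_unsigned_token(
    {"client_id": "admin", "scope": ["bosh.admin"], "exp": 1536023615})
UAA_ADMIN_TOKEN = make_unsigned_token(
    {"client_id": "uaa_admin",
     "scope": sorted(UAA_ADMIN_SCOPES | {"password.write", "clients.secret", "uaa.admin"}),
     "exp": 1536024680})

if __name__ == "__main__":
    for tok in (ADMIN_TOKEN, UAA_ADMIN_TOKEN):
        claims = jwt_claims(tok)
        print(claims["client_id"],
              "missing for uaac user add:", sorted(missing_scopes(tok, UAA_ADMIN_SCOPES)),
              "expired:", is_expired(tok))
```

Paste a real token from uaac contexts into jwt_claims to see the same claims (iss, aud, scope, exp) that the UAA issued.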
Now you can also list the current uaa clients:
metskem@athena ~/workspace/boshlite/deployments/vbox $ uaac clients
admin
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: bosh.admin
lastmodified: 1535891189747
bosh_cli
scope: openid bosh.admin bosh.read bosh.*.admin bosh.*.read bosh.teams.*.admin bosh.teams.*.read
resource_ids: none
authorized_grant_types: password refresh_token
autoapprove:
access_token_validity: 120
refresh_token_validity: 86400
authorities: uaa.none
lastmodified: 1535891189819
credhub-admin
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
access_token_validity: 3600
authorities: credhub.write credhub.read
lastmodified: 1535891189423
credhub_cli
scope: credhub.read credhub.write
resource_ids: none
authorized_grant_types: password refresh_token
autoapprove:
access_token_validity: 60
refresh_token_validity: 1800
authorities: uaa.none
lastmodified: 1535891189596
director_to_credhub
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
access_token_validity: 3600
authorities: credhub.write credhub.read
lastmodified: 1535891189890
hm
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: bosh.admin
lastmodified: 1535891189671
uaa_admin
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
lastmodified: 1535891189507
And you can list the current UAA users:
metskem@athena ~/workspace/boshlite/deployments/vbox $ uaac users
resources:
-
id: 867f25b4-4c92-41a9-b6aa-dba4b6d23cac
meta
version: 0
created: 2018-09-02T12:26:27.295Z
lastmodified: 2018-09-02T12:26:27.295Z
name
familyname:
givenname:
emails:
-
value: admin
primary: false
groups:
-
value: 9c03792f-013d-4cc3-9220-8c688d809f56
display: uaa.offline_token
type: DIRECT
-
value: bdf0bbb0-5047-4705-a3c2-43590babaaec
display: profile
type: DIRECT
-
value: cfba5d5c-fe3d-4948-b2e5-bd33caf914d6
display: user_attributes
type: DIRECT
-
value: 45f765c9-b670-4234-a378-8b2230d6779e
display: cloud_controller.write
type: DIRECT
-
value: 8ae1fd7f-e393-4ca6-a727-e267fb1661da
display: openid
type: DIRECT
-
value: 1994ff63-8eab-40bc-99c6-3c3f117fd8fd
display: notification_preferences.write
type: DIRECT
-
value: bd5c331f-778c-4196-8abf-2d56381c56a5
display: oauth.approvals
type: DIRECT
-
value: 599b2bab-a8d9-4b00-9c69-0082dba892c7
display: bosh.admin
type: DIRECT
-
value: ec253d39-e701-44f8-bd06-7e1a97b449a1
display: password.write
type: DIRECT
-
value: 2da56b99-6188-42a7-be3b-0886741f3a1f
display: cloud_controller_service_permissions.read
type: DIRECT
-
value: 6eded82d-f5dd-48e0-8a60-90763d1773ea
display: scim.me
type: DIRECT
-
value: a0a90654-9f88-4246-b9c5-93cee5f33dfe
display: cloud_controller.read
type: DIRECT
-
value: 24348f57-4ce1-4f76-b5bb-2c716d3bd203
display: roles
type: DIRECT
-
value: cc248fc8-50d6-48a1-a1d4-d7e3dfc65f42
display: approvals.me
type: DIRECT
-
value: db3e1751-bb89-4050-8bce-83e40fcbf86b
display: uaa.user
type: DIRECT
-
value: c7f5cd9b-6f3c-4382-a70a-2ca0b171701f
display: notification_preferences.read
type: DIRECT
approvals:
active: true
verified: true
origin: uaa
schemas: urn:scim:schemas:core:1.0
username: admin
zoneid: uaa
passwordlastmodified: 2018-09-02T12:26:27.000Z
previouslogontime: 1535956808901
lastlogontime: 1535972766877
schemas: urn:scim:schemas:core:1.0
startindex: 1
itemsperpage: 100
totalresults: 1
Also list the groups:
metskem@athena ~/workspace/boshlite/deployments/vbox $ uaac groups
bosh.admin
id: 599b2bab-a8d9-4b00-9c69-0082dba892c7
meta
version: 1
created: 2018-09-02T12:26:27.335Z
lastmodified: 2018-09-02T12:26:30.452Z
description: User has admin access on any Director
members:
-
origin: uaa
type: USER
value: 867f25b4-4c92-41a9-b6aa-dba4b6d23cac
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
openid
id: 8ae1fd7f-e393-4ca6-a727-e267fb1661da
meta
version: 1
created: 2018-09-02T12:26:27.341Z
lastmodified: 2018-09-02T12:26:30.425Z
description: Access profile information, i.e. email, first and last name, and phone number
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
password.write
id: ec253d39-e701-44f8-bd06-7e1a97b449a1
meta
version: 1
created: 2018-09-02T12:26:27.347Z
lastmodified: 2018-09-02T12:26:30.443Z
description: Change your password
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
uaa.user
id: db3e1751-bb89-4050-8bce-83e40fcbf86b
meta
version: 1
created: 2018-09-02T12:26:27.352Z
lastmodified: 2018-09-02T12:26:30.439Z
description: Act as a user in the UAA
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
approvals.me
id: cc248fc8-50d6-48a1-a1d4-d7e3dfc65f42
meta
version: 0
created: 2018-09-02T12:26:27.357Z
lastmodified: 2018-09-02T12:26:27.357Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
profile
id: bdf0bbb0-5047-4705-a3c2-43590babaaec
meta
version: 0
created: 2018-09-02T12:26:27.363Z
lastmodified: 2018-09-02T12:26:27.363Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
roles
id: 24348f57-4ce1-4f76-b5bb-2c716d3bd203
meta
version: 0
created: 2018-09-02T12:26:27.367Z
lastmodified: 2018-09-02T12:26:27.367Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
user_attributes
id: cfba5d5c-fe3d-4948-b2e5-bd33caf914d6
meta
version: 0
created: 2018-09-02T12:26:27.370Z
lastmodified: 2018-09-02T12:26:27.370Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
uaa.offline_token
id: 9c03792f-013d-4cc3-9220-8c688d809f56
meta
version: 1
created: 2018-09-02T12:26:27.374Z
lastmodified: 2018-09-02T12:26:30.445Z
description: Allow offline access
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
bosh.releases.upload
id: ce7801fb-5b00-4b11-ad8a-ace788916ef8
meta
version: 1
created: 2018-09-02T12:26:30.304Z
lastmodified: 2018-09-02T12:26:30.397Z
description: User can upload new releases
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
idps.write
id: 848fc6e8-61a6-4894-a136-1e0d04e30ff2
meta
version: 1
created: 2018-09-02T12:26:30.306Z
lastmodified: 2018-09-02T12:26:30.399Z
description: Create and update identity providers
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
scim.me
id: 6eded82d-f5dd-48e0-8a60-90763d1773ea
meta
version: 0
created: 2018-09-02T12:26:30.309Z
lastmodified: 2018-09-02T12:26:30.309Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
scim.zones
id: ccfa8e33-0427-40fa-9815-1cc6aebe2fbf
meta
version: 1
created: 2018-09-02T12:26:30.312Z
lastmodified: 2018-09-02T12:26:30.401Z
description: Control a user's ability to manage a zone
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
cloud_controller.admin
id: 8f359d15-ac80-4fd0-a253-aafd9c2e0bf5
meta
version: 0
created: 2018-09-02T12:26:30.315Z
lastmodified: 2018-09-02T12:26:30.315Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
bosh.stemcells.upload
id: 5da65374-9578-46aa-8193-1499e30e0a1e
meta
version: 1
created: 2018-09-02T12:26:30.318Z
lastmodified: 2018-09-02T12:26:30.403Z
description: User can upload new stemcells
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
oauth.approval
id: fbf0a312-9dfb-45ba-a91e-ef7a06364bf5
meta
version: 1
created: 2018-09-02T12:26:30.320Z
lastmodified: 2018-09-02T12:26:30.405Z
description: Manage approved scopes
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
cloud_controller.write
id: 45f765c9-b670-4234-a378-8b2230d6779e
meta
version: 1
created: 2018-09-02T12:26:30.323Z
lastmodified: 2018-09-02T12:26:30.407Z
description: Push applications to your account and create and bind services
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
cloud_controller_service_permissions.read
id: 2da56b99-6188-42a7-be3b-0886741f3a1f
meta
version: 1
created: 2018-09-02T12:26:30.325Z
lastmodified: 2018-09-02T12:26:30.408Z
description: Verify user permission to manage service instances
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
bosh.read
id: c0770ea1-90d7-4f40-937f-408210750942
meta
version: 1
created: 2018-09-02T12:26:30.327Z
lastmodified: 2018-09-02T12:26:30.410Z
description: User has read access on any Director
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
oauth.approvals
id: bd5c331f-778c-4196-8abf-2d56381c56a5
meta
version: 0
created: 2018-09-02T12:26:30.331Z
lastmodified: 2018-09-02T12:26:30.331Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
uaa.none
id: ee5ced29-82c8-49c4-aef9-c6437b1dad63
meta
version: 1
created: 2018-09-02T12:26:30.334Z
lastmodified: 2018-09-02T12:26:30.411Z
description: Forbid acting as a user
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
idps.read
id: d694cd45-5aef-478f-a3d4-2ea79585a66c
meta
version: 1
created: 2018-09-02T12:26:30.337Z
lastmodified: 2018-09-02T12:26:30.414Z
description: Retrieve identity providers
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
clients.read
id: 171aeb8c-94ec-4900-9992-f6b60eaeca95
meta
version: 1
created: 2018-09-02T12:26:30.340Z
lastmodified: 2018-09-02T12:26:30.416Z
description: Read information about OAuth clients
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
zones.read
id: 961d07c3-8d4f-4b3d-b193-f4bfb26fcf99
meta
version: 1
created: 2018-09-02T12:26:30.342Z
lastmodified: 2018-09-02T12:26:30.418Z
description: Read identity zones
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
scim.userids
id: b45ff2b9-857d-4c0d-b587-cd565cb0596f
meta
version: 1
created: 2018-09-02T12:26:30.345Z
lastmodified: 2018-09-02T12:26:30.420Z
description: Read user IDs and retrieve users by ID
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
clients.secret
id: 1f0ee76f-1d2b-4051-8a82-217e4ef2036e
meta
version: 1
created: 2018-09-02T12:26:30.348Z
lastmodified: 2018-09-02T12:26:30.422Z
description: Change the password of an OAuth client
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
uaa.resource
id: 77f58d65-e7f9-42b6-9cbb-2bbe6574501f
meta
version: 1
created: 2018-09-02T12:26:30.351Z
lastmodified: 2018-09-02T12:26:30.423Z
description: Serve resources protected by the UAA
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
scim.invite
id: 2f769581-c6ca-4707-b027-e1f572d1f8cb
meta
version: 1
created: 2018-09-02T12:26:30.354Z
lastmodified: 2018-09-02T12:26:30.427Z
description: Send invitations to users
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
groups.update
id: 3a0302f3-a765-487e-a9e1-03baddeece3a
meta
version: 1
created: 2018-09-02T12:26:30.358Z
lastmodified: 2018-09-02T12:26:30.429Z
description: Update group information and memberships
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
notification_preferences.read
id: c7f5cd9b-6f3c-4382-a70a-2ca0b171701f
meta
version: 0
created: 2018-09-02T12:26:30.360Z
lastmodified: 2018-09-02T12:26:30.360Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
oauth.login
id: c14f05f5-5b8c-4eec-b2e8-10f2c8d721a9
meta
version: 1
created: 2018-09-02T12:26:30.364Z
lastmodified: 2018-09-02T12:26:30.431Z
description: Authenticate users outside of the UAA
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
uaa.admin
id: 464f984f-1fbd-48ec-b0eb-ffe849ef4051
meta
version: 1
created: 2018-09-02T12:26:30.367Z
lastmodified: 2018-09-02T12:26:30.433Z
description: Act as an administrator throughout the UAA
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
clients.admin
id: 8635d6d0-0318-4cbd-a009-2dfd4d3d1993
meta
version: 1
created: 2018-09-02T12:26:30.370Z
lastmodified: 2018-09-02T12:26:30.434Z
description: Create, modify and delete OAuth clients
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
scim.read
id: 9561acd4-140d-4e9f-aa9a-288a4cf0df09
meta
version: 1
created: 2018-09-02T12:26:30.373Z
lastmodified: 2018-09-02T12:26:30.436Z
description: Read all SCIM entities, i.e. users and groups
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
scim.create
id: 4792729c-7517-4309-99d9-96a275a51674
meta
version: 1
created: 2018-09-02T12:26:30.377Z
lastmodified: 2018-09-02T12:26:30.437Z
description: Create users
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
notification_preferences.write
id: 1994ff63-8eab-40bc-99c6-3c3f117fd8fd
meta
version: 0
created: 2018-09-02T12:26:30.381Z
lastmodified: 2018-09-02T12:26:30.381Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
cloud_controller.read
id: a0a90654-9f88-4246-b9c5-93cee5f33dfe
meta
version: 1
created: 2018-09-02T12:26:30.384Z
lastmodified: 2018-09-02T12:26:30.441Z
description: View details of your applications and services
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
zones.write
id: 77802fef-8a94-4232-8ceb-338dd300d40f
meta
version: 1
created: 2018-09-02T12:26:30.387Z
lastmodified: 2018-09-02T12:26:30.447Z
description: Create and update identity zones
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
clients.write
id: ccf96d30-269b-4091-855a-308a61aec719
meta
version: 1
created: 2018-09-02T12:26:30.390Z
lastmodified: 2018-09-02T12:26:30.449Z
description: Create and modify OAuth clients
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
scim.write
id: 83df5f38-4046-4227-8a18-4cef5fd99e5a
meta
version: 1
created: 2018-09-02T12:26:30.393Z
lastmodified: 2018-09-02T12:26:30.450Z
description: Create, modify and delete SCIM entities, i.e. users and groups
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
organizations.acme
id: 72d1bdf8-03f4-416b-956c-35babcfde2fb
meta
version: 0
created: 2018-09-02T12:26:30.467Z
lastmodified: 2018-09-02T12:26:30.467Z
members:
schemas: urn:scim:schemas:core:1.0
zoneid: uaa
Create the uaa user that we will use to manage credhub:
uaac user add credhub_user --emails harry.metske@gmail.com # assign the password "credhub_user_pwd"
We have to create the credhub.write and credhub.read groups first and then make the newly created user a member of both:
metskem@athena ~/workspace/boshlite/deployments/vbox $ uaac group add credhub.read
id: afc61498-2384-4ded-8309-6c857b8eac6d
meta
version: 0
created: 2018-09-04T06:16:25.096Z
lastmodified: 2018-09-04T06:16:25.096Z
members:
schemas: urn:scim:schemas:core:1.0
displayname: credhub.read
zoneid: uaa
metskem@athena ~/workspace/boshlite/deployments/vbox $ uaac group add credhub.write
id: fc109dcd-5cf9-444e-8365-01f6146ac26f
meta
version: 0
created: 2018-09-04T06:16:30.306Z
lastmodified: 2018-09-04T06:16:30.306Z
members:
schemas: urn:scim:schemas:core:1.0
displayname: credhub.write
zoneid: uaa
metskem@athena ~/workspace/boshlite/deployments/vbox $ uaac member add credhub.read credhub_user
success
metskem@athena ~/workspace/boshlite/deployments/vbox $ uaac member add credhub.write credhub_user
success
You can get a token using the credhub-admin client (using the secret from credhub_admin_client_secret in creds.yml):
metskem@athena-2 ~/workspace/boshlite/deployments/vbox $ uaac token client get credhub-admin -s $(bosh int creds.yml --path /credhub_admin_client_secret)
Successfully fetched token via client credentials grant.
Target: https://192.168.50.6:8443
Context: credhub-admin, from client credhub-admin
And we can use the credhub client to login:
metskem@athena-2 ~/workspace/boshlite/deployments/vbox $ credhub login -s https://192.168.50.6:8844 --ca-cert <(bosh int creds.yml --path /credhub_tls/ca) --skip-tls-validation --client-name credhub-admin --client-secret $(bosh int creds.yml --path /credhub_admin_client_secret)
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
Setting the target url: https://192.168.50.6:8844
Login Successful
Then generate an ssh key in credhub:
metskem@athena-2 ~/workspace/boshlite/deployments/vbox $ credhub generate --type ssh --name /static/ssh_key
id: 7fb0017a-8b70-45a4-bfd5-8407d845ed73
name: /static/ssh_key
type: ssh
value: <redacted>
version_created_at: "2018-09-07T06:52:34Z"
And get it back from credhub by name:
metskem@athena-2 ~/workspace/boshlite/deployments/vbox $ credhub get -n /static/ssh_key
id: 7fb0017a-8b70-45a4-bfd5-8407d845ed73
name: /static/ssh_key
type: ssh
value:
private_key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFE6859OcxC/L6DDUv6kNAvAOy6kF2IQHLqbr7efyX+DsvGl90HuPw/UHu6wb8IvTWFXasUe2iXqMODRMJidM+IeRAhhmVMvf2Xu414+/fvcxHL2yO0K2/9hY+h8XiF/zIefzELtrb+gQwzjhpI3/eBgp8l/iz0+kxtVTEyyLmgX7Ioo5uv78JJOJBy+d1mQB8uX2xLgVwitGNIe41AnzWzJPjenvlFVTDO+XzjNP/gxyZxKPlnavobvPTHu3c/iZ/i2261/SvIKBhayiu8fI2vEool/TsXTJor4mRo2MpOfhG2ai+oAZt8nDvvU5kJDxQ06Y6gQ/L52Tj9HMLe9Hx
public_key_fingerprint: kodcZ/qmGimxhY9FXbOmxnPzwr2Qf0WWLWqdd0q9lyY
version_created_at: "2018-09-07T06:52:34Z"
To list all stored credentials, simply use credhub find with no arguments:
metskem@athena-2 ~/workspace/boshlite/deployments/vbox $ credhub find
credentials:
- name: /yy/sample-rsa
  version_created_at: "2018-09-21T12:35:39Z"
- name: /xx/sample-rsa
  version_created_at: "2018-09-21T12:35:34Z"
- name: /static/sample-rsa
  version_created_at: "2018-09-21T12:25:52Z"
- name: /static/ssh_key
  version_created_at: "2018-09-21T12:23:52Z"
To export the credentials, simply use the credhub export command.
/:~# ps -ef|grep -i credh
vcap 35083 1 0 Jan26 ? 00:05:10 java -Dspring.profiles.active=prod -Dspring.config.location=/var/vcap/jobs/credhub/config/application.yml -Dlog4j.configurationFile=/var/vcap/jobs/credhub/config/log4j2.properties -Djava.security.egd=file:/dev/urandom -Djava.io.tmpdir=/var/vcap/jobs/credhub/tmp -ea -jar credhub.jar ....
This listens on port 8844.
There is an interesting config file @ /var/vcap/jobs/credhub/config/application.yml
Logging is @ /var/vcap/sys/log/credhub/credhub.log
metskeh@admin-d01we-cis:~$ ./credhub api --skip-tls-validation --server 10.253.6.11:8844
Warning: The targeted TLS certificate has not been verified for this connection.
Warning: The --skip-tls-validation flag is deprecated. Please use --ca-cert instead.
Setting the target url: https://10.253.6.11:8844
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/info | jq
{
"auth-server": {
"url": "https://10.253.6.11:8443"
},
"app": {
"name": "CredHub",
"version": "1.0.8"
}
}
metskeh@admin-d01we-cis:~$ curl -k --silent https://10.253.6.11:8844/health | jq
{
"status": "UP"
}