Pivotal Cloud Foundry versions 1.7 and above
This article shows you how to add a read-only Bosh user who has read access to the director but does not have admin access to deployments. Read-only access prevents the user from managing VMs, creating or updating deployments, running errands, and similar admin operations.
Every time you do a Bosh login, the Bosh CLI uses the bosh_cli client. By default, the bosh_cli client's scopes include bosh.admin. Here are the steps to create a client with read-only authorities:
1. Create a client that has read-only authorities
ubuntu@pivotal-ops-manager:~$ uaac client add readonly-new --name readonly-new --authorities "bosh.read bosh.*.read" --scope "uaa.none" --authorized_grant_types "client_credentials"
New client secret: changeme
Verify new client secret: changeme
  scope: uaa.none
  client_id: readonly-new
  resource_ids: none
  authorized_grant_types: client_credentials
  autoapprove:
  authorities: bosh.read bosh.*.read
  name: readonly-new
  lastmodified: 1487733329676
  id: readonly-new
2. Log in to Bosh as the new client by exporting its credentials
ubuntu@pivotal-ops-manager:~$ export BOSH_CLIENT=readonly-new
ubuntu@pivotal-ops-manager:~$ export BOSH_CLIENT_SECRET=changeme
ubuntu@pivotal-ops-manager:~$ bosh status
Config
             /home/ubuntu/.bosh_config

Director
  Name       p-bosh
  URL        https://10.193.70.11:25555
  Version    260.0.0 (00000000)
  User       readonly-new
  UUID       f795f65a-ac8f-40a4-a8b9-e9f14d898578
  CPI        vsphere_cpi
  dns        disabled
  compiled_package_cache disabled
  snapshots  disabled

Deployment
  Manifest   /home/ubuntu/p-mysql-2b77233f801ee90f2e19.yml
3. Confirm the restriction works by trying to restart a VM, which the director should reject
ubuntu@pivotal-ops-manager:~$ bosh restart mysql 0
Acting as client 'readonly-new' on deployment 'p-mysql-2b77233f801ee90f2e19' on 'p-bosh'
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
You are about to restart mysql/0

Detecting deployment changes
----------------------------
Restart mysql/0? (type 'yes' to continue): yes

Performing 'restart mysql/0'...
Error 600000: Require one of the scopes: bosh.admin, bosh.f795f65a-ac8f-40a4-a8b9-e9f14d898578.admin
ubuntu@pivotal-ops-manager:~$
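As an added helper (not part of this article or of the uaac tool), the function below audits uaac client output and reports which clients hold a BOSH admin authority (bosh.admin or bosh.<director-uuid>.admin, the scopes named in the error above) versus only read authorities. It parses the key/value layout uaac prints in step 1; it assumes each client's `client_id:` line precedes its `authorities:` line, and the sample input is constructed.

```shell
#!/bin/sh
# audit_bosh_clients: read uaac client listings on stdin, print "<client_id> <verdict>"
# per client, where verdict is admin, read-only, or none (no bosh.* authority).
# Assumption: every client block contains a `client_id:` line followed by an
# `authorities:` line, as in the `uaac client get` output shown in this article.
audit_bosh_clients() {
  awk '
    function flush() {
      if (id != "") {
        verdict = "none"
        n = split(auth, a, " ")
        for (i = 1; i <= n; i++) {
          # bosh.admin or bosh.<uuid>.admin (also matches the bosh.*.admin wildcard)
          if (a[i] == "bosh.admin" || a[i] ~ /^bosh\.[^.]+\.admin$/) { verdict = "admin"; break }
          # bosh.read or bosh.<uuid>.read / bosh.*.read; keep scanning for admin
          if (a[i] == "bosh.read" || a[i] ~ /^bosh\.[^.]+\.read$/) verdict = "read-only"
        }
        print id, verdict
      }
      id = ""; auth = ""
    }
    /^[ \t]*client_id:/   { flush(); id = $2 }
    /^[ \t]*authorities:/ { sub(/^[ \t]*authorities:[ \t]*/, ""); auth = $0 }
    END { flush() }
  '
}

# Constructed sample (not real uaac output): three clients with different authorities.
SAMPLE='  client_id: readonly-new
  authorities: bosh.read bosh.*.read
  client_id: bosh_cli
  authorities: openid bosh.admin
  client_id: p-mysql-director
  authorities: bosh.f795f65a-ac8f-40a4-a8b9-e9f14d898578.admin
  client_id: unrelated
  authorities: uaa.none'

# Helper used for the demo below: verdict line for the Nth client in SAMPLE.
sample_verdict() {
  printf '%s\n' "$SAMPLE" | audit_bosh_clients | sed -n "${1}p"
}

printf '%s\n' "$SAMPLE" | audit_bosh_clients
```

On the Ops Manager VM you would feed it live data instead, e.g. `uaac clients | audit_bosh_clients`, after targeting the director's UAA and obtaining a token as usual.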
For more information on the scopes of the read-only client and the admin user, please see UAA Permissions.