Pivotal Knowledge Base


How to Add a Read-Only BOSH User


Pivotal Cloud Foundry versions 1.7 and above


This article shows you how to add a read-only BOSH user: a UAA client that can read the director's state (deployments, VMs, tasks and so on) but has no admin authority on it. Because it holds only read scopes, the client cannot manage VMs, create or update deployments, run errands, or perform any other write operation.


Every time you run bosh login, the BOSH CLI authenticates through the bosh_cli UAA client, whose configured scopes include bosh.admin. To hand out read access without admin access, create a separate UAA client whose authorities contain only read scopes. The steps are:

1. Create a UAA client that has only read authorities. It uses the client_credentials grant, so it logs in with its own secret rather than a user password. The secret changeme below is a placeholder; use a strong, randomly generated secret, since anyone holding it can read everything the director exposes.

ubuntu@pivotal-ops-manager:~$ uaac client add readonly-new --name readonly-new --authorities "bosh.read bosh.*.read" --scope "uaa.none" --authorized_grant_types "client_credentials"
New client secret:  changeme
Verify new client secret:  changeme
  scope: uaa.none
  client_id: readonly-new
  resource_ids: none
  authorized_grant_types: client_credentials
  authorities: bosh.read bosh.*.read
  name: readonly-new
  lastmodified: 1487733329676
  id: readonly-new

2. Log in as that client by exporting its name and secret in BOSH_CLIENT and BOSH_CLIENT_SECRET, then run a read operation such as bosh status to confirm that authentication works (User shows the client name):

ubuntu@pivotal-ops-manager:~$ export BOSH_CLIENT=readonly-new
ubuntu@pivotal-ops-manager:~$ export BOSH_CLIENT_SECRET=changeme
ubuntu@pivotal-ops-manager:~$ bosh status

  Name       p-bosh
  Version    260.0.0 (00000000)
  User       readonly-new
  UUID       f795f65a-ac8f-40a4-a8b9-e9f14d898578
  CPI        vsphere_cpi
  dns        disabled
  compiled_package_cache disabled
  snapshots  disabled

  Manifest   /home/ubuntu/p-mysql-2b77233f801ee90f2e19.yml

3. Confirm that the client really is read-only by attempting a write operation. The restart below must fail: the director rejects it with Error 600000 because the client holds neither of the admin scopes the operation requires:

ubuntu@pivotal-ops-manager:~$ bosh restart mysql 0 
Acting as client 'readonly-new' on deployment 'p-mysql-2b77233f801ee90f2e19' on 'p-bosh'
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
You are about to restart mysql/0

Detecting deployment changes
Restart mysql/0? (type 'yes' to continue): yes

Performing 'restart mysql/0'...
Error 600000: Require one of the scopes: bosh.admin, bosh.f795f65a-ac8f-40a4-a8b9-e9f14d898578.admin
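The three steps above wrapped in a script, as an added example that is not part of the original article or of Pivotal's own tooling. It assumes uaac is already targeted at the director's UAA with an admin token (as the article's session implies), that the BOSH CLI reads client credentials from BOSH_CLIENT and BOSH_CLIENT_SECRET as shown above, and that a deployment has already been selected for the restart test. The client name, the deployment job and the READONLY_SECRET variable are illustrative; passing --secret to uaac replaces the interactive prompt in step 1. The script adds two checks the article leaves to the reader: it reads the client's authorities back from UAA and refuses to continue if any non-read authority is present, and it treats a refused restart as the expected outcome while reporting any other failure as an error.

```shell
#!/bin/sh
# Added example, not from the original article: the three steps as shell
# functions plus two checks. Assumes uaac is targeted at the director's UAA
# with an admin token, and that READONLY_SECRET holds the new client's secret.

# Step 1: create the read-only UAA client. --secret replaces the interactive
# prompt; the secret comes from the environment so it stays out of shell history.
create_readonly_client() {
    uaac client add "$1" \
        --name "$1" \
        --authorities "bosh.read bosh.*.read" \
        --scope "uaa.none" \
        --authorized_grant_types "client_credentials" \
        --secret "$READONLY_SECRET"
}

# Policy check (pure shell, no UAA needed): succeed only if every authority in
# the space-separated list $1 is a BOSH read authority, i.e. bosh.read or
# bosh.<something>.read. Anything else (bosh.admin, bosh.<uuid>.admin,
# uaa.admin, ...) or an empty list fails.
authorities_are_readonly() {
    [ -n "$1" ] || return 1
    set -f            # no pathname expansion: a literal "bosh.*.read" must survive
    set -- $1         # split the list into positional parameters
    set +f
    for auth; do
        case "$auth" in
            bosh.read | bosh.*.read) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Read the authorities back from UAA (the "authorities:" line of
# `uaac client get`, formatted as in step 1) and apply the policy check.
verify_client_readonly() {
    auths=$(uaac client get "$1" | sed -n 's/^ *authorities: *//p')
    authorities_are_readonly "$auths"
}

# Step 3 as a check: run a write operation and succeed only when the director
# refuses it with the scope error seen in the article. A command that succeeds
# means the client is not read-only; a failure for any other reason (network,
# wrong deployment) is reported as a failure too, not silently accepted.
expect_scope_denied() {
    out=$("$@" 2>&1) && return 1
    case "$out" in
        *"Require one of the scopes"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    client="readonly-new"
    create_readonly_client "$client"
    verify_client_readonly "$client" \
        || { echo "refusing to proceed: $client holds non-read authorities" >&2; exit 1; }

    # Step 2: act as the new client; a read must work...
    export BOSH_CLIENT="$client" BOSH_CLIENT_SECRET="$READONLY_SECRET"
    bosh status

    # Step 3: ...and a write must be refused. -n skips the "type 'yes'" prompt.
    expect_scope_denied bosh -n restart mysql 0 \
        || { echo "restart was not refused with a scope error" >&2; exit 1; }
    echo "$client is read-only on this director"
}

# Only run the procedure when invoked as: sh readonly-bosh-client.sh run
if [ "${1-}" = "run" ]; then
    main
fi
```

The authorities check is deliberately strict: a client whose list contains any authority that is not bosh.read or bosh.<x>.read is rejected, so a copy-and-paste slip that adds bosh.admin, or an existing client that someone later extended, is caught before its secret is handed out. Run the same check periodically against every client in UAA to spot read-only clients that have quietly gained admin authorities.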

Additional Information

The error in step 3 names the two scopes the director would have accepted for the restart: bosh.admin, which grants admin access on any director that trusts this UAA, and bosh.<director-uuid>.admin, which grants admin access on this director only (the UUID is the one shown by bosh status). The client created in step 1 holds only bosh.read and bosh.*.read, so every operation that requires an admin scope is refused in the same way. For the full list of read and admin scopes, see UAA Permissions.


