Pivotal Knowledge Base


How to get the Bearer Token of Elastic Runtime Client via REST API


Pivotal Cloud Foundry® (PCF) 1.10.x and 1.11.x


This article describes how to get the bearer token of an Elastic Runtime (ERT) client via the REST API. This is useful when you want to invoke the API from an automation program instead of calling the cf command.


1. Get the token for the UAA admin client. Replace <SYSTEM DOMAIN> and <UAA Admin Client Credential> with your own values.

You can get <UAA Admin Client Credential> via Ops Manager GUI -> ER Tile -> Credentials -> UAA -> Admin Client Credentials.

$ curl -k -X POST https://uaa.<SYSTEM DOMAIN>/oauth/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=admin&client_secret=<UAA Admin Client Credential>&grant_type=client_credentials&token_format=opaque&response_type=token'

The response will look like this:

"scope":"clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read","jti":"707fc9fe0afa4669844f301c7f39ff7c"}

2. Create a new client with the correct scope. Replace <SYSTEM DOMAIN>, <CLIENT_ID>, <CLIENT_SECRET>, <REDIRECT_URI>, and <NAME> with your own values. Replace <TOKEN> with the token obtained in step 1.

$ curl 'https://uaa.<SYSTEM DOMAIN>/oauth/clients' -i -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
-H 'Accept: application/json' \
-d '{"scope" : ["openid", "uaa.resource","uaa.admin", "scim.read", "cloud_controller.admin",
"uaa.user", "routing.router_groups.read", "cloud_controller.read", "cloud_controller.write",
"scim.write" ],"client_id" : "<CLIENT_ID>","client_secret" : "<CLIENT_SECRET>","resource_ids" : [ ],
"authorized_grant_types" : [ "client_credentials" ],"redirect_uri" : [ "http://<REDIRECT_URI>" ],
"authorities" : [ "clients.read", "clients.write", "openid", "uaa.resource","uaa.admin", "scim.read",
"cloud_controller.admin", "uaa.user", "routing.router_groups.read", "cloud_controller.read", "cloud_controller.write",
"scim.write" ],"token_salt" : "zCSAYx","autoapprove" : true,"allowedproviders" : [ ],"name" : "<NAME>"}' -k

3. Get the bearer token of the new client. 

$ curl 'https://uaa.<SYSTEM DOMAIN>/oauth/token' -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&grant_type=client_credentials&token_format=bearer&response_type=token' -k

This token can be used as the bearer token to invoke the CF API as specified in https://apidocs.cloudfoundry.org/.

For example, you can use it to terminate one running app instance with the given index.

$ curl -k -X DELETE "https://api.<SYSTEM DOMAIN>/v2/apps/<APP GUID>/instances/<INDEX>" \
-H "Authorization: bearer <BEARER TOKEN>" 
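
Step 3 and the instance call above as an automation client, added here as an example (not Pivotal's code): it builds the token request, rejects a reply that lacks a bearer token or an expected scope, and verifies certificates against a CA bundle instead of passing -k. The environment variable names, the CA bundle and the scope checked in the main block are assumptions.

```python
import json
import os
import ssl
import urllib.parse
import urllib.request

def token_request(system_domain, client_id, client_secret):
    """Build the step 3 POST to /oauth/token (client_credentials grant)."""
    form = urllib.parse.urlencode({  # urlencode escapes &, = and + inside the secret
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials", "response_type": "token",
    }).encode()
    return urllib.request.Request(
        f"https://uaa.{system_domain}/oauth/token", data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})

def parse_token_response(body, required_scopes=()):
    """Return (access_token, scopes); fail closed on a malformed or under-scoped reply."""
    doc = json.loads(body)
    token = doc.get("access_token")
    if not token or str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("response carries no bearer access_token")
    scopes = set(doc.get("scope", "").split())
    missing = set(required_scopes) - scopes
    if missing:
        raise PermissionError(f"token lacks scope(s): {sorted(missing)}")
    return token, scopes

def delete_instance_request(system_domain, app_guid, index, token):
    """Build the article's DELETE /v2/apps/<APP GUID>/instances/<INDEX> call."""
    guid = urllib.parse.quote(app_guid, safe="")  # GUID cannot alter the URL path
    return urllib.request.Request(
        f"https://api.{system_domain}/v2/apps/{guid}/instances/{int(index)}",
        method="DELETE", headers={"Authorization": f"bearer {token}"})

def send(request, ca_bundle):
    """Send with certificate verification against ca_bundle (no curl -k equivalent)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    e = os.environ  # assumed variable names; keeps the secret out of argv and history
    domain, ca = e["SYSTEM_DOMAIN"], e["PCF_CA_BUNDLE"]
    req = token_request(domain, e["UAA_CLIENT_ID"], e["UAA_CLIENT_SECRET"])
    token, _ = parse_token_response(send(req, ca), ["cloud_controller.write"])
    req = delete_instance_request(domain, e["APP_GUID"], e["APP_INDEX"], token)
    print(send(req, ca))
```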

