Pivotal Knowledge Base

How to log on to BOSH non-interactively

Environment

Product Version
Pivotal Cloud Foundry® Operations Manager 1.7

Purpose

When BOSH is integrated with UAA for user management, non-interactive logons (for example, BOSH commands run from shell scripts) require a different procedure. This article explains that procedure and how to create a client with BOSH admin privileges on the UAA server of the Ops Manager Director.

Procedure

  • The UAA endpoint of the BOSH Director that Ops Manager provisions is https://director_ip:8443.
  • You can operate against the UAA server with the uaac CLI, which is already available on Ops Manager through the "uaac" alias. Alternatively, you can call the UAA HTTP API directly to obtain the owner access token.
  • It is recommended to create a custom client; the steps to do so are shown below.
uaac target https://director_ip:8443

This sets the target endpoint to the UAA server on the director job.

uaac token owner get login admin -s CLIENT_SECRET -p USER_PASSWORD

This retrieves the owner access token. CLIENT_SECRET and USER_PASSWORD can be found in the Credential tab of the Director in Ops Manager: "Uaa Admin User Credentials" holds the admin password and "Uaa Login Client Credentials" holds the login client secret.

uaac client add CLIENT_ID --scope uaa.none --authorized_grant_types client_credentials --authorities bosh.admin -s CLIENT_SECRET

This creates a client with the bosh.admin authority. Record the client ID and secret. The access_token_validity and refresh_token_validity options can also be set to control the expiration period of the token.

Optionally, the following can be used:

uaac token client get CLIENT_ID -s CLIENT_SECRET

This retrieves a token for the client just created. With that token, further uaac commands can be run as this client.

An example of using the UAA client with the BOSH status command:

BOSH_CLIENT=CLIENT_ID BOSH_CLIENT_SECRET=CLIENT_SECRET bosh --ca-cert /var/tempest/workspaces/default/root_ca_certificate status

For further use, export BOSH_CLIENT and BOSH_CLIENT_SECRET within the script's scope rather than repeating them on each command line.
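The following is an added example, not part of the original article or of the BOSH/UAA projects, showing the two pieces of this procedure in script form: the "HTTP API directly" alternative mentioned above (an OAuth2 client_credentials request to UAA's /oauth/token endpoint, with the client authenticating via HTTP Basic), an offline check that the returned token actually carries the bosh.admin scope, and a bosh invocation that passes the client credentials through the child process environment rather than on the command line. The environment variables UAA_URL and BOSH_CA_CERT, the helper names, and the sample token built by make_unsigned_test_token are assumptions of this example; the JWT decoding here does not verify the signature and is meant only for inspecting claims.

```python
"""Non-interactive BOSH logon through a UAA client (added example, not article code)."""
import base64
import json
import os
import ssl
import subprocess
import urllib.parse
import urllib.request

# Assumed configuration: the article's placeholder endpoint and the CA path it uses.
UAA_URL = os.environ.get("UAA_URL", "https://director_ip:8443")
CA_CERT = os.environ.get("BOSH_CA_CERT",
                         "/var/tempest/workspaces/default/root_ca_certificate")


def build_token_request(uaa_url, client_id, client_secret):
    """Build the OAuth2 client_credentials request UAA serves at /oauth/token.

    The client authenticates with HTTP Basic, so the secret is in a header,
    never in the URL where it would land in proxy or server access logs.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(f"{uaa_url}/oauth/token", data=body,
                                  headers=headers, method="POST")


def fetch_access_token(uaa_url, client_id, client_secret, ca_cert=CA_CERT):
    """Perform the token request, trusting only the Director's root CA."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    req = build_token_request(uaa_url, client_id, client_secret)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode the JWT payload for inspection; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_bosh_admin(token):
    """True if the token's scope claim grants bosh.admin (the authority created above)."""
    return "bosh.admin" in jwt_claims(token).get("scope", [])


def bosh_env(client_id, client_secret, base_env=None):
    """Child-process environment carrying BOSH_CLIENT/BOSH_CLIENT_SECRET.

    Keeping the secret out of argv means it does not show up in `ps` output
    or shell history the way a -s flag would.
    """
    env = dict(os.environ if base_env is None else base_env)
    env["BOSH_CLIENT"] = client_id
    env["BOSH_CLIENT_SECRET"] = client_secret
    return env


def run_bosh(args, client_id, client_secret, ca_cert=CA_CERT):
    """Run one bosh command non-interactively, e.g. run_bosh(["status"], ...)."""
    cmd = ["bosh", "--ca-cert", ca_cert, *args]
    result = subprocess.run(cmd, env=bosh_env(client_id, client_secret),
                            check=True, capture_output=True, text=True)
    return result.stdout


def make_unsigned_test_token(claims):
    """Constructed sample token with a bogus signature, for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    # Offline demonstration with a constructed token; no Director is contacted.
    sample = make_unsigned_test_token({"client_id": "CLIENT_ID",
                                       "scope": ["uaa.none", "bosh.admin"]})
    print("bosh.admin present:", has_bosh_admin(sample))
```

In a real script, call fetch_access_token once to confirm the client can obtain a token, then hand the same client ID and secret to run_bosh for each BOSH command; the scope check is a cheap way to fail early when the client was created without the bosh.admin authority.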

Impact/Risks

In the steps above, we created a UAA client with the bosh.admin scope. Actions performed with this scope could be disruptive. Refer to the documentation on bosh.io for information on permission control.
