Pivotal Knowledge Base


How to Access CredHub with the CredHub CLI


Pivotal Cloud Foundry (PCF) all versions


As of PCF 1.11, the credentials for PCF services are being migrated from the apps manifest files to the credhub service. Pivotal recommends using the Ops Manager API to work with CredHub [1].  This article shows how to connect to the CredHub service via its own API, read [2] and [3].  This procedure is not supported by Pivotal. This article is presented as a technical working how-to document and is subject to change at any time.


The basic principle is you need to create a new UAA user account with the scopes to access CredHub. The CredHub read/write scopes should be the only scope needed for this account. It will require the Ops Manager admin credentials to set this up.

You can run this from the Operations Manager or any location that has the UAA Client installed and has network access to the Bosh Director.

uaac target ip.of.bosh.director:8443

Login to the UAA with the Directors Client Credentials...

uaac token owner get
Client ID:
Navigate to the Ops Manager Director Tile -> Credentials Tab
Click on “UAA Login Client Credentials”
Client ID is the “identity”

Client Secret
Client secret is the “password” that is returned in the step above

Navigate back to the Ops Manager Director Tile -> Credentials Tab
Click on “UAA Admin User Credentials”
Username is the “identity”

Password is the “password”

Create a new client "credhubtest" with the CredHub scopes

uaac client add --name credhubtest --scope uaa.none --authorized_grant_types client_credentials --authorities "credhub.write,credhub.read"

While creating this client, UAA will ask for a password for this client, remember that!

Login as the new CredHubTest Client

uaac token client get credhubtest -s mySecret

credhub api ip.of.bosh.director:8844 --skip-tls-validation

credhub login --client-name=credhubtest --client-secret=credhubtest

The CredHub API calls are now available to you. See the credhub api docs for that.

Additional Information



Powered by Zendesk