Pivotal Cloud Foundry (PCF) all versions
As of PCF 1.11, the credentials for PCF services are being migrated from the apps manifest files to the credhub service. Pivotal recommends using the Ops Manager API to work with CredHub . This article shows how to connect to the CredHub service via its own API, read  and . This procedure is not supported by Pivotal. This article is presented as a technical working how-to document and is subject to change at any time.
The basic principle is you need to create a new UAA user account with the scopes to access CredHub. The CredHub read/write scopes should be the only scope needed for this account. It will require the Ops Manager admin credentials to set this up.
You can run this from the Operations Manager or any location that has the UAA Client installed and has network access to the Bosh Director.
uaac target ip.of.bosh.director:8443
Login to the UAA with the Directors Client Credentials...
uaac token owner get
Navigate to the Ops Manager Director Tile -> Credentials Tab
Click on “UAA Login Client Credentials”
Client ID is the “identity”
Client secret is the “password” that is returned in the step above
Navigate back to the Ops Manager Director Tile -> Credentials Tab
Click on “UAA Admin User Credentials”
Username is the “identity”
Password is the “password”
Create a new client "credhubtest" with the CredHub scopes
uaac client add --name credhubtest --scope uaa.none --authorized_grant_types client_credentials --authorities "credhub.write,credhub.read"
While creating this client, UAA will ask for a password for this client, remember that!
Login as the new CredHubTest Client
uaac token client get credhubtest -s mySecret
credhub api ip.of.bosh.director:8844 --skip-tls-validation
credhub login --client-name=credhubtest --client-secret=credhubtest
The CredHub API calls are now available to you. See the credhub api docs for that.
-  Retrieving Credentials from Your Deployment
-  credhub api docs
-  credhub cli source/installation