How to access Ops Manager's CredHub with the CredHub CLI
Article ID: 293458

Products

Operations Manager

Issue/Introduction

Starting with PCF 1.11, the credentials for many PCF services are being moved into the CredHub service. This article discusses how you can connect to and talk directly with CredHub.

Before proceeding with this article, Pivotal recommends using the Ops Manager API instead. Ops Manager will talk to CredHub on your behalf and the process is simpler. The instructions for that are documented here. Please try this first and use this process only as a fallback.

If you are trying to access credentials stored in CredHub by a service broker, these are stored in the PAS CredHub. See this KB for instructions on how to access PAS's CredHub.

Environment

Resolution

CredHub lives in different places. This article documents how you can talk to the CredHub service that lives on the BOSH Director.

Connecting to BOSH Director CredHub

  • SSH into the BOSH Director VM.
  • Run cat /var/vcap/jobs/director/config/director.yml. Locate the CredHub client name and secret in the output. The client name is director_to_credhub.
  • Run cat /var/vcap/jobs/director/config/uaa_server_ca.cert and copy the output to a file on your local machine. This is the CA cert that is used to establish trust with CredHub. We'll need this in a later step.
  • Exit out of the BOSH Director VM.
  • Create the file uaa_server_ca.crt. In it, paste the contents of uaa_server_ca.cert that you copied from the step above.
  • Use the CredHub CLI to connect:
    credhub api https://<director IP>:8844 --ca-cert uaa_server_ca.crt
    credhub login --client-name=director_to_credhub --client-secret=<Secret you copied>
  • Once you have logged in successfully, credhub commands will run against the BOSH Director.
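The steps above as one script, added here as an example and not part of the original article: it checks that the pasted CA file is complete PEM, builds the API URL, and prompts for the client secret so that it stays out of shell history and out of the credhub process arguments. The function names are hypothetical, and the script assumes the CLI reads CREDHUB_CLIENT and CREDHUB_SECRET from the environment when the login flags are omitted.

```shell
#!/bin/sh
# Added example (not from the KB): pre-flight checks around the two credhub
# commands above. All function names are hypothetical.

# Succeeds only if FILE holds complete, balanced PEM certificate blocks.
# A partial paste of uaa_server_ca.cert typically loses the END line.
ca_file_ok() {
    [ -s "$1" ] || { echo "CA file missing or empty: $1" >&2; return 1; }
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "CA file is not complete PEM (BEGIN=$begins END=$ends): $1" >&2
        return 1
    fi
}

# Prints the API URL for a director address. Rejects an empty value, an
# unfilled "<director IP>" placeholder, or anything that is not a bare host/IP.
credhub_url() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) echo "bad director address: '$1'" >&2; return 1 ;;
    esac
    printf 'https://%s:8844\n' "$1"
}

# Reads the client secret into $secret with terminal echo switched off.
read_secret() {
    printf 'Secret for director_to_credhub: ' >&2
    stty -echo 2>/dev/null; IFS= read -r secret; stty echo 2>/dev/null
    echo >&2
    [ -n "$secret" ] || { echo "empty secret" >&2; return 1; }
}

# usage: connect <director-address> <ca-file>
connect() {
    url=$(credhub_url "$1") || return 1
    ca_file_ok "$2" || return 1
    read_secret || return 1
    credhub api "$url" --ca-cert "$2" || return 1
    # Assumption: the CLI takes the client name and secret from these
    # variables; they are set for this one command only.
    CREDHUB_CLIENT=director_to_credhub CREDHUB_SECRET="$secret" credhub login
    rc=$?
    unset secret
    return $rc
}

# Runs only when invoked as: sh script.sh connect <director-address> <ca-file>
if [ "${1:-}" = connect ]; then connect "${2:-}" "${3:-}"; fi
```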