How to add the Admin Scope back to the UAA Client Admin

Article ID: 294832

Products

Services Suite

Issue/Introduction

Symptoms:

UAA client secrets can only be changed by the client itself. For this reason, the following workaround must be used in order to change the secret with the UAA admin account.


The current admin context, including its scope, looks like this:

ubuntu@pivotal-ops-manager:~$ uaac context

[1]*[https://uaa.example.com]
  skip_ssl_validation: true

  [0]*[admin]
      client_id: admin
      access_token: ...
      token_type: bearer
      expires_in: 43199
      scope: EXISTING-PERMISSIONS
      jti: 25aa75b2c3474d809cdabf6a7b5ca902

The error message looks like this:

"error": "insufficient_scope",
"error_description": "Insufficient scope for this resource",
"scope": "uaa.admin clients.read clients.admin zones.uaa.admin"
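To see which of the scopes named in that error the admin token actually carries, the `scope` claim of the bearer token can be read directly. The following Python helper is an added example and not part of the original article: it decodes the JWT payload from a uaac access token without verifying the signature (that is fine for inspecting a token you just fetched, but never for an authorization decision) and splits the error's scope list into held and missing scopes. The two tokens it builds are constructed samples with a dummy signature, shaped like the before and after states shown in this article.

```python
import base64
import json

# The "scope" value from the insufficient_scope error in this article.
ERROR_SCOPE = "uaa.admin clients.read clients.admin zones.uaa.admin"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Good enough to inspect a token you obtained yourself; UAA verifies the
    signature on its side, this function deliberately does not.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def token_scopes(token: str) -> set:
    """Scopes granted to the token. UAA emits a JSON array; a space-separated string is tolerated too."""
    scope = jwt_claims(token).get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def scope_report(token: str, error_scope: str = ERROR_SCOPE):
    """Split the scopes named in an insufficient_scope error into (held, missing) for this token."""
    named = set(error_scope.split())
    have = token_scopes(token)
    return sorted(named & have), sorted(named - have)


def _constructed_token(scopes) -> str:
    """Constructed sample token: UAA-like header and payload, dummy (unverifiable) signature."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "legacy-token-key", "typ": "JWT"}
    payload = {"client_id": "admin", "scope": list(scopes), "jti": "constructed-sample"}
    return f"{enc(header)}.{enc(payload)}.dummy-signature"


# Before the fix: the admin client's token carries only the uaa.none placeholder.
BROKEN_TOKEN = _constructed_token(["uaa.none"])
# After the fix (and after fetching a fresh token): the authorities shown later in this article.
FIXED_TOKEN = _constructed_token(["clients.read", "password.write", "clients.secret",
                                  "clients.write", "uaa.admin", "scim.write", "scim.read"])

if __name__ == "__main__":
    for name, tok in (("broken", BROKEN_TOKEN), ("fixed", FIXED_TOKEN)):
        held, missing = scope_report(tok)
        print(f"{name}: held={held} missing={missing}")
```

With a real token, paste the `access_token` value from `uaac context` into `scope_report`. Note that a token keeps the scope claim it was issued with, so after changing the client's authorities you must fetch a new token before the report changes.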

Environment


Resolution

There are two ways to update the scope:

1. Use another client that has the clients.write scope to update the admin client's scope:

There are several clients that have the clients.write scope, such as cc-service-dashboards, gorouter, and notification_template. In this article, the gorouter client is used to update the admin client's scope.

$ uaac token client get gorouter -s <Gorouter Client Credentials>

Successfully fetched token via client credentials grant.
Target: https://uaa.example.com
Context: gorouter, from client gorouter

$ uaac client update admin --authorities "clients.read,clients.write,clients.secret,uaa.admin,scim.read,scim.write,password.write"
  scope: uaa.none
  client_id: admin
  resource_ids: none
  authorized_grant_types: client_credentials
  autoapprove:
  authorities: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
  lastmodified: 1480583105000

Then fetch a new token for the admin client and verify that the scope has indeed changed.

$ uaac token client get admin -s <Admin Client Credentials>

Successfully fetched token via client credentials grant.
Target: https://uaa.example.com
Context: admin, from client admin

$ uaac context

[1]*[https://uaa.example.com]
  skip_ssl_validation: true

  [0]*[admin]
      client_id: admin
      access_token: ...
      token_type: bearer
      expires_in: 43199
      scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
      jti: 01968d94c22c43038c3176319ed7d6a0

2. If you cannot find any client with the clients.write scope, update the scope directly in the database. The detailed steps are:

a. SSH (or bosh ssh) to the MySQL VM of the ER tile.

b. Connect to the UAA database: $ mysql -u root -p uaa. The password can be found under 'ER Tile' -> 'Credentials' -> 'MySQL Server' -> 'MySQL Admin Credentials'.

c. Run the SQL: update oauth_client_details set authorities='clients.read,clients.write,clients.secret,uaa.admin,scim.read,scim.write,password.write' where client_id='admin';

d. Run uaac context to confirm that the scope has changed.
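Both `uaac client update --authorities` and the SQL UPDATE above overwrite the whole authorities list, so a fixed list can silently drop an authority the admin client already had. The following Python helper is an added example, not code from the article or from UAA: it merges the client's current `authorities` value with the ones this article restores and produces both the uaac command line for approach 1 and a parameterised UPDATE for approach 2. The placeholder authority `some.existing.authority` in the sample input is constructed; `uaa.none` is UAA's placeholder for "no authorities" and is therefore not carried over.

```python
import shlex

# Authorities the article writes back to the admin client.
RESTORED_AUTHORITIES = ["clients.read", "clients.write", "clients.secret", "uaa.admin",
                        "scim.read", "scim.write", "password.write"]

# UAA's placeholder meaning "nothing granted"; never worth preserving.
PLACEHOLDER = "uaa.none"


def parse_authorities(csv: str) -> list:
    """Parse a comma-separated authorities value (DB column or --authorities argument), dropping blanks."""
    return [a.strip() for a in csv.split(",") if a.strip()]


def merged_authorities(current_csv: str, restore=RESTORED_AUTHORITIES) -> list:
    """Keep every real authority the client already has, then append the ones to restore.

    Order is preserved and duplicates removed, so the result can be written back
    by either approach without losing authorities the fixed list does not mention.
    """
    out = []
    for auth in parse_authorities(current_csv) + list(restore):
        if auth != PLACEHOLDER and auth not in out:
            out.append(auth)
    return out


def uaac_update_command(client_id: str, authorities: list) -> str:
    """Shell-quoted uaac invocation for approach 1 (run it after `uaac token client get gorouter ...`)."""
    return "uaac client update {} --authorities {}".format(
        shlex.quote(client_id), shlex.quote(",".join(authorities)))


def sql_update(client_id: str, authorities: list):
    """Parameterised statement and params for approach 2.

    Hand both to cursor.execute() of a MySQL driver; never interpolate the
    values into the SQL string yourself.
    """
    return ("UPDATE oauth_client_details SET authorities = %s WHERE client_id = %s",
            (",".join(authorities), client_id))


if __name__ == "__main__":
    # Constructed current value: the placeholder plus one authority the fixed list lacks.
    current = "uaa.none,some.existing.authority"
    merged = merged_authorities(current)
    print(uaac_update_command("admin", merged))
    print(sql_update("admin", merged))
```

Before running the UPDATE, read the current value with `select authorities from oauth_client_details where client_id='admin';` and feed it to `merged_authorities`, so the row you write back is a superset of what was there. A token issued before the change still carries the old scope claim, so, as in approach 1, fetch a fresh admin token before checking `uaac context`.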
 

Impact/Risks

The second method, editing the database directly, carries risk: it is easy to break the installation. Make sure you understand each step before taking it. If you are not confident, contact Pivotal Support for guidance.

We also recommend taking a backup of the database before making any changes. For more details, see Back-Up the UAA Database.