In this example the application name is cook binding to config-service cook-config-server. 

1) Retrieve Credhub path storing the client credentials for accessing config-server service. 

$ cf env cook
Getting env variables for app cook in org test-org / space test-space as admin...
System-Provided:
VCAP_SERVICES: {
 "p.config-server": [
  {
   "binding_name": null,
   "credentials": {
    "credhub-ref": "/c/p.spring-cloud-services-scs-service-broker/e9ca123d-c312-4f57-88a4-aef09e887f83/ce36d08a-83e6-4d85-9800-66adab84ee85/credentials-json"
   },
   "instance_name": "cook-config-server",
   "label": "p.config-server",
   "name": "cook-config-server",
   "plan": "standard",
   "provider": null,
   "syslog_drain_url": null,
   "tags": [
    "configuration",
    "spring-cloud"
   ],
   "volume_mounts": []
  }
 ]
}

The credhub-ref field contains the path in Credhub storing client credentials

2) Refer to this KB article to setup environment to access Credhub in TAS

3) Retrieve the credentials for accessing the config-server service

$ credhub get -n /c/p.spring-cloud-services-scs-service-broker/e9ca123d-c312-4f57-88a4-aef09e887f83/ce36d08a-83e6-4d85-9800-66adab84ee85/credentials-json
id: 22e8905a-2a1a-4b46-9698-67c9fa4f2941
name: /c/p.spring-cloud-services-scs-service-broker/e9ca123d-c312-4f57-88a4-aef09e887f83/ce36d08a-83e6-4d85-9800-66adab84ee85/credentials-json
type: json
value:
  access_token_uri: https://uaa.example.com:443/oauth/token
  client_id: config-client-ce36d08a-83e6-4d85-9800-66adab84ee85
  client_secret: aaaabbbbccccdddd
  uri: https://config-server-10f75029-9a8f-49b5-b02e-5e97e0c60b2a.cfapps.example.com

4) Get token for accessing the config-server service with the credentials

$ uaac target uaa.example.com --skip-ssl-validation

$ uaac token client get config-client-ce36d08a-83e6-4d85-9800-66adab84ee85 -s aaaabbbbccccdddd

$ uaac context config-client-ce36d08a-83e6-4d85-9800-66adab84ee85

[1]*[https://uaa.example.com]
  skip_ssl_validation: true

  [1]*[config-client-ce36d08a-83e6-4d85-9800-66adab84ee85]
      client_id: config-client-ce36d08a-83e6-4d85-9800-66adab84ee85
      access_token: eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vdWFhLnJ1bi0wNC5zbG90LTM0LnRhbnp1L
......
VxXh-uNFXDI-IaGayq9PPchfOXJAdTAbqabzfbaI287IRuS1zUUquBETeGGlQ
      token_type: bearer
      expires_in: 359
      scope: config_server_10f75029-9a8f-49b5-b02e-5e97e0c60b2a.read
      jti: 5077180e8aa149c0b44306cf76454408

5) Use curl to get the properties from config-server service with access_token retrieved in above step. The command would be like:
curl -H "Authorization: Bearer <ACCESS TOKEN>" -k https://<config-server backend app URI>/<app name>/<profile1, profile2, ...>

$ export UAA_TOKEN="eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vdWFhLnJ1bi0w ......"

$ curl -H "Authorization: Bearer $UAA_TOKEN" -k https://config-server-10f75029-9a8f-49b5-b02e-5e97e0c60b2a.cfapps.example.com/cook/cloud
{"name":"cook","profiles":["cloud"],"label":null,"version":null,"state":null,"propertySources":[{"name":"credhub-cook-cloud-master","source":{}},{"name":"ssh://[email protected]:22/var/vcap/store/mirror/00957ad15f043b124e46eb212e90c4c8/cook-config/cook.properties","source":{"cook.special":"Pickled Cactus"}}]}

$ curl -H "Authorization: Bearer $UAA_TOKEN" -k https://config-server-10f75029-9a8f-49b5-b02e-5e97e0c60b2a.cfapps.example.com/cook/cloud,production
{"name":"cook","profiles":["cloud,production"],"label":null,"version":null,"state":null,"propertySources":[{"name":"credhub-cook-cloud-master","source":{}},{"name":"credhub-cook-production-master","source":{}},{"name":"ssh://[email protected]:22/var/vcap/store/mirror/00957ad15f043b124e46eb212e90c4c8/cook-config/cook-production.properties","source":{"cook.special":"Cake a la mode"}},{"name":"ssh://[email protected]:22/var/vcap/store/mirror/00957ad15f043b124e46eb212e90c4c8/cook-config/cook.properties","source":{"cook.special":"Pickled Cactus"}}]}

2024-12-26: Update KB link to the TAS credhub one instead of Ops Manager credhub.