CredHub is integrated with VMware Tanzu Application Service (TAS) for VMs to provide secure credential management.
If "Enable Secure Service Instance Credentials" is also turned on on the service broker side, Cloud Controller sends `VCAP_SERVICES` data to Diego containing a CredHub reference instead of the original credential values, and Diego fetches the credentials from CredHub for the app.
Service binding in VCAP_SERVICES without CredHub integration:

```json
System-Provided:
{
  "VCAP_SERVICES": {
    "p.mysql": [
      {
        "binding_name": null,
        "credentials": {
          "hostname": "q-n2s0.q-g124.bosh",
          "jdbcUrl": "jdbc:mysql://q-n2s0.q-g124.bosh:3306/service_instance_db?user=733ecc35#######8973b55481a9139d5\u0026password=nrjg###########apn\u0026useSSL=false",
          "name": "service_instance_db",
          "password": "nr#########pn",
          "port": 3306,
          "uri": "mysql://##########74948973b55481a9139d5:nrjg###########[email protected]:3306/service_instance_db?reconnect=true",
          "username": "733ecc############5481a9139d5"
        },
        "instance_name": "mysql",
        "label": "p.mysql",
        "name": "mysql",
        "plan": "db-small",
        ...
    ]
  }
}
```
Service binding in VCAP_SERVICES with CredHub integration:

```json
System-Provided:
{
  "VCAP_SERVICES": {
    "p.mysql": [
      {
        "binding_name": null,
        "credentials": {
          "credhub-ref": "/c/########-e333-4d65-####-7b4e3bb6ca97/########-0e38-4e2a-####-278543459986/########-7693-####-b337-0d403d246e76/credentials"
        },
        "instance_name": "mysql",
        "label": "p.mysql",
        "name": "mysql",
        "plan": "db-small",
    ]
  }
}
```
This article demonstrates how to fetch the credentials manually for troubleshooting, for example to log in to a MySQL instance that is bound to an app.
Option 1 requires the CredHub admin client and its secret to access CredHub. If you do not have them, see Option 2.
1. Execute `cf env YOUR_APP` to get the `credhub-ref`, for example:

```json
"credentials": {
  "credhub-ref": "/c/########-e333-####-8773-7b4e3bb6ca97/#######-0e38-####-b8d6-278543459986/68e53814-7693-40b8-b337-0d403d246e76/credentials"
},
```

2. Follow the steps in the article How to access TAS's CredHub with the CredHub CLI, and log in to CredHub.
3. Fetch the service binding credentials from CredHub:

```
$ credhub get -n /c/########-e333-####-8773-7b4e3bb6ca97/########-0e38-####-b8d6-278543459986/68e53814-7693-40b8-b337-0d403d246e76/credentials
id: ########-88ba-####-9a02-bf475b3ac003
name: /c/5########-e333-####-8773-7b4e3bb6ca97/########-0e38-####-b8d6-278543459986/68e53814-7693-40b8-b337-0d403d246e76/credentials
type: json
value:
  hostname: q-n2s0.q-g131.bosh
  jdbcUrl: jdbc:mysql://q-n2s0.q-g131.bosh:3306/service_instance_db?user=68e538########403d246e76&password=bkg63tvb#########x&useSSL=false
  name: service_instance_db
  password: bk#######fsx
  port: 3306
  uri: mysql://############40b8b3370d403d246e76:#########[email protected]:3306/service_instance_db?reconnect=true
  username: 68e538147######0d403d246e76
version_created_at: "2020-05-12T09:21:37Z"
```

Now you can log in to the MySQL instance with the above credentials. Be aware that `q-n2s0.q-g131.bosh` is a BOSH DNS hostname; it can only be resolved to an IP address by BOSH DNS.
Option 2 does not require admin access or the CredHub CLI; however, it does require `cf ssh` access to the application to which the service is bound.

Run the following from inside the application container (after `cf ssh YOUR_APP`):

```
curl -H 'Content-Type: application/json' --cert /etc/cf-instance-credentials/instance.crt --key /etc/cf-instance-credentials/instance.key -d "$VCAP_SERVICES" 'https://credhub.service.cf.internal:8844/api/v1/interpolate'
```
The output will be VCAP_SERVICES, but with the CredHub placeholders resolved to actual values.
This works by using the application's instance identity certificate and mutual TLS to authenticate to CredHub and invoke the interpolate endpoint, which resolves every `credhub-ref` placeholder in the payload you send.
Note: This only works if you can `cf ssh` into the application container, because you need that container's certificate and key to authenticate via mTLS.
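The following added example (not from the original article or from VMware) shows what the interpolate step does with a `VCAP_SERVICES` payload: it lists the `credhub-ref` values you would look for in `cf env` output, and it substitutes each reference with the credential block a resolver returns, leaving bindings without a reference untouched. The sample `VCAP_SERVICES`, the GUIDs in the reference path and the stored credential values are constructed; `interpolate_via_credhub` is the same mTLS call as the curl above, written with the standard library, and assumes the container's CA bundle trusts the CredHub server certificate, as the curl command does.

```python
import json
import ssl
import urllib.request

# Constructed sample in the shape cf env shows above; GUIDs are placeholders.
SAMPLE_VCAP_SERVICES = {
    "p.mysql": [{
        "binding_name": None,
        "credentials": {"credhub-ref": "/c/svc-guid/inst-guid/bind-guid/credentials"},
        "instance_name": "mysql", "label": "p.mysql", "name": "mysql", "plan": "db-small",
    }],
    "user-provided": [{"name": "logger", "credentials": {"url": "syslog://example.invalid"}}],
}

# Constructed stand-in for what CredHub holds under that reference (type: json).
SAMPLE_STORE = {
    "/c/svc-guid/inst-guid/bind-guid/credentials": {
        "hostname": "q-n2s0.q-g131.bosh", "port": 3306,
        "username": "constructed-user", "password": "constructed-password",
    }
}

def find_credhub_refs(vcap_services):
    """Return every credhub-ref in VCAP_SERVICES (what you pick out of `cf env`)."""
    return [b["credentials"]["credhub-ref"]
            for bindings in vcap_services.values() for b in bindings
            if "credhub-ref" in b.get("credentials", {})]

def interpolate(vcap_services, resolve):
    """Mirror /api/v1/interpolate locally: replace each credhub-ref credentials
    block with resolve(ref); bindings holding plain credentials are unchanged."""
    result = json.loads(json.dumps(vcap_services))  # deep copy, never mutate the input
    for bindings in result.values():
        for binding in bindings:
            creds = binding.get("credentials", {})
            if "credhub-ref" in creds:
                binding["credentials"] = resolve(creds["credhub-ref"])
    return result

def interpolate_via_credhub(vcap_services_json,
                            cert="/etc/cf-instance-credentials/instance.crt",
                            key="/etc/cf-instance-credentials/instance.key",
                            url="https://credhub.service.cf.internal:8844/api/v1/interpolate"):
    """The real call from inside the app container: mTLS with the instance identity cert."""
    ctx = ssl.create_default_context()           # verifies the CredHub server certificate
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # presents the instance identity cert
    req = urllib.request.Request(url, data=vcap_services_json.encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```

Inside the container, `interpolate_via_credhub(os.environ["VCAP_SERVICES"])` returns the same resolved document the curl command prints.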