How to get a token in order to use it in the curl command instead of credhub api

Article ID: 298123

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

In certain automation or scripting scenarios, direct interaction with the CredHub API may be impractical or undesirable due to dependency constraints, access limitations, or the need for lightweight tooling. To streamline operations—especially in CI/CD pipelines, audit scripts, or infrastructure validation workflows—it's often preferable to retrieve an authentication token that can be used directly in a curl command, bypassing the need for full CredHub API integration.

This issue explores the process of obtaining such a token securely and reliably, enabling authenticated curl requests to protected endpoints. The goal is to:

  • Minimize external dependencies and simplify token acquisition.

  • Ensure compatibility with shell-based workflows and minimal tooling environments.

  • Maintain auditability and security best practices in token handling.

The solution should support use cases such as:

  • Fetching secrets or credentials via curl with a bearer token.

  • Integrating token-based access into automated scripts.

  • Avoiding direct use of CredHub CLI or API when not feasible.

Environment

Product Version: 2.9

Resolution

Checklist:

In order to access BOSH CredHub, we have to retrieve the client_id and its secret.

1) In the Ops Manager Installation Dashboard, click the BOSH Director tile.

2) Click the Credentials tab.

3) In the BOSH Director section, click the link to the BOSH Command line Credentials. Record the values for BOSH_CLIENT and BOSH_CLIENT_SECRET.

For example:

{"credential":"BOSH_CLIENT=ops_manager
BOSH_CLIENT_SECRET=abCdE1####
BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate
BOSH_ENVIRONMENT=10.###.###.5 bosh "}

The BOSH_CLIENT is the BOSH CredHub client name and the BOSH_CLIENT_SECRET is the BOSH CredHub client secret.

4) Retrieve the bearer token with the command:
curl https://BOSH_DIRECTOR:8443/oauth/token -X POST \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -H 'Accept: application/json' \
    -d 'client_id=BOSH_CLIENT&client_secret=BOSH_CLIENT_SECRET&grant_type=client_credentials' -ks

For example:

$ curl 'https://10.###.###.12:8443/oauth/token' -X POST \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -H 'Accept: application/json' \
    -d 'client_id=ops_manager&client_secret=MN8b7x####&grant_type=client_credentials' -ks | jq .
{
  "access_token": "eyJhbGciOiJSUzI1####",
  "token_type": "bearer",
  "expires_in": 599,
  "scope": "uaa.resource credhub.write credhub.read clients.admin bosh.admin",
  "jti": "42aa6b02####"
}


5) Once we have the token, we can use it to access BOSH CredHub.
For example:

$ curl 'https://10.###.###.12:8844/api/v1/data?name-like=dns' -X GET \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer eyJhbGciOiJSUzI1####' -ks | jq .
{
  "credentials": [
    {
      "version_created_at": "2020-04-03T07:53:50Z",
      "name": "/dns_api_client_tls"
    },
    {
      "version_created_at": "2020-04-03T07:53:50Z",
      "name": "/dns_api_server_tls"
    },
    {
      "version_created_at": "2020-04-03T07:53:48Z",
      "name": "/bosh_dns_health_client_tls"
    },
    {
      "version_created_at": "2020-04-03T07:53:47Z",
      "name": "/bosh_dns_health_server_tls"
    },
    {
      "version_created_at": "2019-05-07T14:24:27Z",
      "name": "/dns_api_tls_ca"
    },
    {
      "version_created_at": "2019-05-07T14:24:26Z",
      "name": "/bosh_dns_health_tls_ca"
    },
    {
      "version_created_at": "2019-05-07T14:24:26Z",
      "name": "/opsmgr/bosh_dns/tls_ca"
    }
  ]
}
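
A hardened variant of steps 4 and 5 for scripted use, as an added example that is not part of the original article: it verifies TLS against BOSH_CA_CERT instead of using -k, and hands the client secret and bearer token to curl on stdin rather than on the command line. UAA_URL, CREDHUB_URL and the function names are assumptions, as is that the CA file recorded in step 3 signed the certificates on ports 8443 and 8844.

```shell
#!/bin/sh
# Added example (not from the original article). Assumed environment:
#   UAA_URL      e.g. https://<director>:8443   CREDHUB_URL  e.g. https://<director>:8844
#   BOSH_CLIENT, BOSH_CLIENT_SECRET, BOSH_CA_CERT  as recorded in step 3

# Escape backslash and double quote for a quoted value in a curl config file.
cfg_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# curl config for the token request (step 4). Piped to "curl -K -" so the
# client secret is read from stdin and never shows up in argv or shell history.
token_request_cfg() {
  printf 'url = "%s/oauth/token"\n' "$(cfg_escape "$UAA_URL")"
  printf 'cacert = "%s"\n' "$(cfg_escape "$BOSH_CA_CERT")"
  printf 'header = "Accept: application/json"\n'
  printf 'data-urlencode = "client_id=%s"\n' "$(cfg_escape "$BOSH_CLIENT")"
  printf 'data-urlencode = "client_secret=%s"\n' "$(cfg_escape "$BOSH_CLIENT_SECRET")"
  printf 'data = "grant_type=client_credentials"\n'
}

# Read the token response on stdin and print access_token. No jq needed: the
# token uses only base64url characters and dots. Fails when no token is present
# (for example an error response), so callers stop instead of sending "Bearer ".
extract_token() {
  tok=$(sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([A-Za-z0-9._-]\{1,\}\)".*/\1/p' | head -n 1)
  [ -n "$tok" ] || { echo "no access_token in response" >&2; return 1; }
  printf '%s\n' "$tok"
}

# curl config for a CredHub GET (step 5). $1 = token, $2 = path and query.
credhub_get_cfg() {
  printf 'url = "%s%s"\n' "$(cfg_escape "$CREDHUB_URL")" "$(cfg_escape "$2")"
  printf 'cacert = "%s"\n' "$(cfg_escape "$BOSH_CA_CERT")"
  printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# Fetch a fresh token on every run (the sample response expires in 599 s) and
# use it once; the token lives only in a shell variable, never on disk.
main() {
  token=$(token_request_cfg | curl -sS --fail -K - | extract_token) || return 1
  credhub_get_cfg "$token" '/api/v1/data?name-like=dns' | curl -sS --fail -K -
}

# Run only when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Pipe the output of main through jq . to get the same formatting as the examples above.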