- Log in to the PKS client VM where the UAA CLI (uaac) can be run.
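- Issue a command similar to the following to connect to UAA on the PKS VM:
uaac target https://<PKS-API-hostname[FQDN]>:8443 --skip-ssl-validation
Note: --skip-ssl-validation turns off certificate verification for this connection. Where the root CA file for the PKS API certificate is available on the client VM, pass it with --ca-cert <file> instead; the sample output in Step 5 shows a target with a ca_cert entry.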
- Retrieve the UAA admin password from Ops Manager: on the Enterprise PKS Tile → Credentials page, click the Link to Credential link next to Pks Uaa Management Admin Client and copy the value next to "secret".
- Issue a command similar to the following to authenticate and obtain an access token for the admin client from the UAA server:
uaac token client get admin -s <Pks Uaa Management Admin Client secret from Step 3>
- Issue the uaac contexts command to display the users and applications authorized by UAA on the PKS VM, and the permissions granted to each user and application:
Note: You will see output similar to the following:
[0]*[https://pks.corp.local:8443]
ca_cert: /home/ubuntu/root_ca_certificate
[0]*[admin]
client_id: admin
access_token: eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vcGtzLmNvcnAubG9jYWw6ODQ0My90b2tlbl9rZXlzIiwia2lkIjoia2V5LTEiLCJ0eXAiOiJKV1QifQ.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.oOYi5bSVxYQeP7FhMvzNBCjoPVxjgMJwSQ4oOnNXc9SOKHPfULqWk5oqCjlMQLSfyZ-Co3j0NzKG9grGSrwnuv-rydkEqc5bM2RUP-273-tqHRDUSN4pvqOqIhgWNplZ889BHnjF5KmkicbC2zfzobF3-aBw4QSFMygaQhEzOlLjdjaK8HapXMaMI9YV7EAqmOPxNeD6Z-rGz4jPqk1Ea5flaWjEz1Rn6cQP-NirupAlJS9Oc1-wAioad3yQwpziyXGCX8M7JzqT2helJjYGJU8_g1CZ4ZGV0naM8s4L2gze2scY02eSRayahKaa5vw-9Kl4Q5tkHyy4AjwTx9oN6A
token_type: bearer
expires_in: 43199
scope: clients.read pks.clusters.admin.read clients.secret pks.clusters.manage clients.write uaa.admin clients.admin scim.write pks.clusters.admin password.write scim.read
jti: b921ae388e144b53b86cea87bd9ec72d
Note: In the output, look for password.write in the scope section of the client_id: admin entry. The value password.write represents sufficient permissions to change passwords.
- If the admin user lacks permissions to change passwords, add the permissions by following Steps 7-9. Otherwise, skip to Step 10.
- Issue commands similar to the following to add the password.write privilege:
uaac client update admin --scope "EXISTING-PERMISSIONS password.write"
uaac client update admin --authorities "EXISTING-PERMISSIONS password.write"
Note: Replace EXISTING-PERMISSIONS with the current contents of the scope section from uaac contexts (from Step 5).
- Issue the following command to delete the local token:
uaac token delete
- Issue a command similar to the following to obtain an updated access token from the UAA (repeat Step 4):
uaac token client get admin -s <Pks Uaa Management Admin Client secret from Step 3>
- Issue a command similar to the following to change an existing user's password:
uaac password set <username> -p <new_password>
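The check in Steps 5-7 can be scripted instead of done by eye. The following is an added example, not part of the original article or of the uaac tool: it reads uaac contexts output, extracts the scope list of the admin client, tests for password.write as a whole entry, and prints the Step 7 commands with EXISTING-PERMISSIONS filled in. The function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample of `uaac contexts` output (token replaced
# by a placeholder); in real use, pipe `uaac contexts` into scope_for_client.
sample_contexts() {
cat <<'EOF'
[0]*[https://pks.corp.local:8443]
  ca_cert: /home/ubuntu/root_ca_certificate
  [0]*[admin]
      client_id: admin
      access_token: <token>
      token_type: bearer
      expires_in: 43199
      scope: clients.read pks.clusters.manage clients.write uaa.admin scim.read
      jti: 00000000000000000000000000000000
EOF
}

# Print the scope list that follows "client_id: <id>" (hypothetical helper).
# Prints nothing when no context for that client exists.
scope_for_client() {
  awk -v id="$1" '
    $1 == "client_id:" && $2 == id { found = 1; next }
    found && $1 == "scope:" { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Succeed only if $2 is a complete entry in the space-separated list $1,
# so a longer name that merely starts with "password.write" does not match.
has_scope() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print list $1 with entry $2 appended when it is missing.
scope_with() {
  if has_scope "$1" "$2"; then printf '%s\n' "$1"
  else printf '%s %s\n' "$1" "$2"; fi
}

scope=$(sample_contexts | scope_for_client admin)
if has_scope "$scope" password.write; then
  echo "admin already has password.write; skip to Step 10"
else
  new=$(scope_with "$scope" password.write)
  echo "uaac client update admin --scope \"$new\""
  echo "uaac client update admin --authorities \"$new\""
fi
```

The script only prints the update commands so they can be reviewed before being run.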