How to retrieve service credentials for a service instance bound to an application

Article ID: 377048

Products

VMware Tanzu Application Service

Issue/Introduction

This article demonstrates how to locate and retrieve the service credentials and connection information for a service instance that is bound to an application running on Cloud Foundry. This is useful if you need to connect directly to the service.

Environment

Tanzu Application Service 

Resolution

The following are the options to retrieve the service credentials for a Cloud Foundry service instance.

The client credentials are the client_id and client_secret.

 

Option #1: Retrieve credentials using credhub CLI

1. Open a terminal session and log in to CredHub following Scenario 2 in "How to login and access Credhub in Tanzu Application Service (TAS)".

2. Open another terminal session.

3. Log in with your cf credentials.

4. Target the organization and space.

5. Retrieve the env variable VCAP_SERVICES for the application using "cf env <APP_NAME>".

6. Locate the credential path under "credentials.credhub-ref" for the service whose credential you wish to retrieve.

Example for a config-server service instance

$ cf env cook

Getting env variables for app cook in org test / space test as admin...
System-Provided:
VCAP_SERVICES: {
  "p.config-server": [
    {
      "binding_guid": "87c80682-827a-4e69-a29d-869903daa0cf",
      "binding_name": null,
      "credentials": {
        "credhub-ref": "/c/p.spring-cloud-services-scs-service-broker/e9ca123d-c312-4f57-88a4-aef09e887f83/87c80682-827a-4e69-a29d-869903daa0cf/credentials-json"
      },
      "instance_guid": "8acb8291-547e-41f8-9ade-05438101f53c",
      "instance_name": "cook-config-server",
      "label": "p.config-server",
      "name": "cook-config-server",
      "plan": "standard",
      "provider": null,
      "syslog_drain_url": null,
      "tags": [
        "configuration",
        "spring-cloud"
      ],
      "volume_mounts": []
    }
  ]
}

 

7. In the bosh terminal, retrieve the credential using "credhub get".

Example:

$ credhub get -n /c/p.spring-cloud-services-scs-service-broker/e9ca123d-c312-4f57-88a4-aef09e887f83/87c80682-827a-4e69-a29d-869903daa0cf/credentials-json


id: d9edfbfb-b769-42f9-b33a-236925043640
name: /c/p.spring-cloud-services-scs-service-broker/e9ca123d-c312-4f57-88a4-aef09e887f83/87c80682-827a-4e69-a29d-869903daa0cf/credentials-json
type: json
value:
  access_token_uri: https://uaa.system.example.com:443/oauth/token
  client_id: config-client-BINDING_GUID
  client_secret: mysecret
  uri: https://config-server-8acb8291-547e-41f8-9ade-05438101f53c.cfapps.example.com
version_created_at: "2024-09-10T20:49:07Z"

8. Take note of the client_id and client_secret for the desired service instance.
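
Steps 5 to 7 as an added example (not part of the original article or of the product's tooling): this Python script pulls the VCAP_SERVICES JSON out of saved "cf env" text, finds each "credhub-ref", and builds the matching "credhub get" command. The function names and the trimmed sample output are constructed for illustration.

```python
import json
import shlex

# Constructed sample: trimmed `cf env` output in the shape shown in the article.
SAMPLE_CF_ENV = """Getting env variables for app cook in org test / space test as admin...
System-Provided:
VCAP_SERVICES: {
  "p.config-server": [
    {
      "credentials": {
        "credhub-ref": "/c/p.spring-cloud-services-scs-service-broker/e9ca123d-c312-4f57-88a4-aef09e887f83/87c80682-827a-4e69-a29d-869903daa0cf/credentials-json"
      },
      "instance_name": "cook-config-server"
    }
  ]
}
VCAP_APPLICATION: {"application_name": "cook"}
"""
MARKER = "VCAP_SERVICES: "


def extract_vcap_services(cf_env_output):
    """Return the VCAP_SERVICES object embedded in `cf env` text output."""
    start = cf_env_output.find(MARKER)
    if start == -1:
        return {}  # no VCAP_SERVICES block in the output
    # raw_decode parses one JSON value and ignores the text that follows it.
    obj, _ = json.JSONDecoder().raw_decode(cf_env_output, start + len(MARKER))
    return obj


def credhub_refs(vcap_services):
    """Yield (instance_name, credhub_ref) for every CredHub-backed binding."""
    for bindings in vcap_services.values():
        for binding in bindings:
            ref = (binding.get("credentials") or {}).get("credhub-ref")
            if ref:  # bindings with inline credentials carry no reference
                yield binding.get("instance_name"), ref


def credhub_get_commands(cf_env_output):
    """Build the step 7 `credhub get` command for each reference found."""
    refs = credhub_refs(extract_vcap_services(cf_env_output))
    return {name: "credhub get -n " + shlex.quote(ref) for name, ref in refs}


if __name__ == "__main__":
    for name, cmd in credhub_get_commands(SAMPLE_CF_ENV).items():
        print(f"{name}: {cmd}")
```

The script only prints the reference path and the command to run; the secret itself is still fetched by "credhub get" in the CredHub session.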

 

 

Option #2: Retrieve credentials from the app container

1. Log in to the application container using "cf ssh". If cf ssh is disabled, log in to the application container as root (this requires an account with the admin role).

Example:

$ cf ssh cook

vcap@56d0c2a9-2dd4-4b86-6c1d-6f3a:~$

2. Execute the following command.

curl -i -H 'Content-Type: application/json' --cert /etc/cf-instance-credentials/instance.crt --key /etc/cf-instance-credentials/instance.key -d "$VCAP_SERVICES" 'https://credhub.service.cf.internal:8844/api/v1/interpolate' | sed -n '/{/,/}/p' | jq -r

Example:

$ curl -i -H 'Content-Type: application/json' --cert /etc/cf-instance-credentials/instance.crt --key /etc/cf-instance-credentials/instance.key -d "$VCAP_SERVICES" 'https://credhub.service.cf.internal:8844/api/v1/interpolate' | sed -n '/{/,/}/p' | jq -r


  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1203    0   674  100   529   4519   3546 --:--:-- --:--:-- --:--:--  8128
{
  "p.config-server": [
    {
      "label": "p.config-server",
      "provider": null,
      "plan": "standard",
      "name": "cook-config-server",
      "tags": [
        "configuration",
        "spring-cloud"
      ],
      "instance_guid": "8acb8291-547e-41f8-9ade-05438101f53c",
      "instance_name": "cook-config-server",
      "binding_guid": "87c80682-827a-4e69-a29d-869903daa0cf",
      "binding_name": null,
      "credentials": {
        "client_secret": "mysecret",
        "uri": "https://config-server-8acb8291-547e-41f8-9ade-05438101f53c.cfapps.example.com",
        "client_id": "config-client-BINDING_GUID",
        "access_token_uri": "https://uaa.system.example.com:443/oauth/token"
      },
      "syslog_drain_url": null,
      "volume_mounts": []
    }
  ]
}


 

3. Take note of the client_id and client_secret for the desired service instance.