The master user password can be used by database administrators for tasks such as managing user access, troubleshooting, optimisations, and running DDL that requires superuser privilege.
Please note that the master user password is not used by applications bound to Cloud Service Broker (CSB) service instances.
We recommend that customers use AWS Secrets Manager via the option use_managed_admin_password; AWS then gives them a UI for fetching the password.
Please note that when using use_managed_admin_password, the first deploy may fail on the first attempt but should succeed on the second; this is also mentioned in CSB's documentation.
This KB gives the steps to retrieve the master user password without using AWS Secrets Manager.
Cloud Service Broker for AWS v1.13.0
Here are the steps to retrieve the master user password.
1. Find the instance guid of the service you want the admin password for.
cf service <SERVICE_NAME> --guid
2. Log in with the bosh CLI
3. SSH into any of the VMs under the cloud-service-broker-aws-#### deployment
bosh -d cloud-service-broker-aws-#### ssh <any-vm>
4. Find the host name, user name and password of the state database that the cloud-service-broker uses, in the config file at /var/vcap/jobs/csb-app/config/config.json
Run
cat /var/vcap/jobs/csb-app/config/config.json
Unfortunately, there won't be a JSON parser on the VM, but the required data can be found at the following paths in the resulting JSON.
db/host
db/user
db/password
5. Set environment variables for host, user, password
From within the bosh vm ssh session, run:
export DB_HOST=<HOST_FROM_STEP4>
export DB_USERNAME=<USERNAME_FROM_STEP4>
export DB_PASSWORD=<PASSWORD_FROM_STEP4>
6. Set database encryption (optional)
You can check whether you are using database encryption by checking the manifest using the bosh CLI
bosh -d cloud-service-broker-aws-#### manifest
If you see config similar to the below, database encryption was configured when you installed CSB
encryption:
  enabled: true
  passwords:
  - label: passwordlabel
    password:
      secret: "((/opsmgr/cloud-service-broker-aws-#####/encryption_passwords/0/password.value))"
    primary: true
If you are using database encryption, SSH into the VM used in step 3 and set the following environment variables:
bosh -d cloud-service-broker-aws-#### ssh <VM-USED-IN-STEP3>
export ENCRYPTION_PASSWORDS='[{"label":"passwordlabel","password":{"secret":"<yourDatabaseEncryptionPassword>"},"primary":true}]'
export ENCRYPTION_ENABLED=true
7. Get the Terraform state
From within the same VM as in Step 3
Run
/var/vcap/packages/csb/bin/csb tf dump tf:<SERVICE_GUID_FROM_STEP_1>: --only-state
8. Look through the output for the username/password.
Generally these will be outputs->password and outputs->username, but the specific key inside the outputs might change for some service offerings. A JSON parser will help you locate it.
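One way to locate the keys with a JSON parser, as an added example that is not part of the original KB or of CSB itself. It assumes the dump is Terraform state JSON with a top-level "outputs" object whose entries carry "value" and an optional "sensitive" flag; the function names and the sample state are constructed for illustration. Values are masked unless explicitly revealed.

```python
import json
import re

# Assumption: the dump is Terraform state JSON with a top-level "outputs"
# object of {name: {"value": ..., "sensitive": bool}} entries.
CRED_KEY = re.compile(r"(user|pass|secret|admin)", re.IGNORECASE)

# Constructed sample, not real output from a broker.
SAMPLE_STATE = """
{
  "version": 4,
  "outputs": {
    "hostname": {"value": "db.example.internal", "type": "string"},
    "username": {"value": "csbadmin", "type": "string"},
    "password": {"value": "constructed-not-real", "type": "string", "sensitive": true},
    "port": {"value": 5432, "type": "number"}
  },
  "resources": []
}
"""

def extract_state_json(text):
    """Return the first JSON object with 'outputs', skipping surrounding log lines."""
    decoder = json.JSONDecoder()
    for match in re.finditer(r"\{", text):
        try:
            obj, _ = decoder.raw_decode(text, match.start())
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "outputs" in obj:
            return obj
    raise ValueError("no Terraform state object with 'outputs' found")

def credential_outputs(state, reveal=False):
    """Map credential-like output names to their values (masked unless reveal)."""
    found = {}
    for name, entry in state.get("outputs", {}).items():
        value = entry.get("value") if isinstance(entry, dict) else entry
        if CRED_KEY.search(name) or (isinstance(entry, dict) and entry.get("sensitive")):
            found[name] = value if reveal else "*" * 8
    return found

if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATE
    state = extract_state_json(raw)
    print("output keys:", sorted(state["outputs"]))
    print(credential_outputs(state, reveal="--reveal" in sys.argv))
```

Listing every output key first shows which name a given service offering uses before any value is printed.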
Please note this can be used for troubleshooting purposes. The recommended approach is to configure CSB for AWS to use AWS Secrets Manager.