Failure to authenticate to credhub, error [invalid_client Bad credentials]

Article ID: 432974


Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

When setting up access to the BOSH Director CredHub, the following commands are used to set the environment variables:

export BOSH_CLIENT=ops_manager BOSH_CLIENT_SECRET=abc123 BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=10.0.0.0 bosh
export CREDHUB_SERVER="$BOSH_ENVIRONMENT:8844" CREDHUB_CLIENT="$BOSH_CLIENT" CREDHUB_SECRET="$BOSH_CLIENT_SECRET" CREDHUB_CA_CERT="$BOSH_CA_CERT"

Commands such as credhub get or maestro topology then return the error "Bad credentials". For example:

 

credhub get -n bosh_dns/tls_ca
Error getting token. Your token may have expired and could not be refreshed. Please try logging in again. [invalid_client Bad credentials]

Environment

OpsMan/BOSH

Cause

The two most common causes of this error are a wrong password or a wrong username.

When the wrong password is passed in the export commands above, the following message appears in the BOSH Director uaa.log:

DEBUG --- ClientDetailsAuthenticationProvider: Failed to authenticate since password does not match stored value

When the wrong username is passed in the export commands above, the following message appears in the BOSH Director uaa.log:

DEBUG --- ClientDetailsAuthenticationProvider: Failed to find user 'ops_manager '

As the log message shows, the username contains an extra space before the closing quote. This causes CredHub's attempt to authenticate with UAA to fail, and the error invalid_client Bad credentials is returned.

Resolution

Make sure the username does not contain extra characters or spaces and that the password is correct. Both can be checked in the BOSH Director tile --> Credentials --> Bosh Commandline Credentials.
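
A pre-flight check for the resolution above, as an added example that is not part of the original article or of any VMware tooling. The function names check_cred_value and check_credhub_env are hypothetical; they flag empty values, whitespace and typographic quotes in the CREDHUB_* variables without printing the values themselves.

```shell
#!/bin/sh
# Added example (hypothetical helper names): validate the CREDHUB_* variables
# before calling the credhub CLI. Values are never printed, only diagnosed.

# check_cred_value NAME VALUE
# Returns 0 if VALUE looks clean; 1 if it is empty, contains whitespace
# (space, tab, CR, newline), or contains typographic (curly) quotes.
check_cred_value() {
  name=$1
  value=$2
  rc=0
  if [ -z "$value" ]; then
    echo "$name: empty or unset" >&2
    return 1
  fi
  # Delete every whitespace character; any difference means one was present.
  stripped=$(printf '%s' "$value" | tr -d '[:space:]')
  if [ "$stripped" != "$value" ]; then
    echo "$name: contains whitespace" >&2
    rc=1
  fi
  # Curly quotes pasted from a document become part of the value itself.
  case $value in
    *“*|*”*|*‘*|*’*)
      echo "$name: contains typographic quotes" >&2
      rc=1
      ;;
  esac
  return $rc
}

# check_credhub_env: check all four variables, reporting every problem found.
check_credhub_env() {
  failed=0
  check_cred_value CREDHUB_SERVER  "${CREDHUB_SERVER-}"  || failed=1
  check_cred_value CREDHUB_CLIENT  "${CREDHUB_CLIENT-}"  || failed=1
  check_cred_value CREDHUB_SECRET  "${CREDHUB_SECRET-}"  || failed=1
  check_cred_value CREDHUB_CA_CERT "${CREDHUB_CA_CERT-}" || failed=1
  return $failed
}

# Constructed sample values: the article's trailing-space client name, then a
# curly-quoted one. Both are reported; "|| true" keeps the demo from aborting.
check_cred_value CREDHUB_CLIENT 'ops_manager ' || true
check_cred_value CREDHUB_CLIENT '“ops_manager”' || true
```

Source the functions in the shell where the export commands were run and call check_credhub_env before credhub get; a non-zero return means at least one variable needs to be re-entered.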