Every time you do a BOSH login, the BOSH CLI uses the bosh_cli client. By default, the bosh_cli client's scopes include bosh.admin, so everyone who logs in that way gets full administrative rights on the Director. To give a person or an automated tool access that can inspect the Director but not change it, create a separate UAA client that holds only read authorities. Here are the steps to create such a read-only client:
1. Target the UAA on the BOSH Director. For more details about this step, refer to steps 1-4 listed here: Creating UAA clients for the BOSH Director. Adding a client requires an authenticated uaac session (a token for a client that is allowed to manage clients), so obtain one before continuing.
uaac target https://BOSH-DIRECTOR-IP:8443 --ca-cert \
  /var/tempest/workspaces/default/root_ca_certificate
2. Create a client that has read-only authorities. bosh.read grants read access to the Director and bosh.*.read grants read access across all teams; with the client_credentials grant the client acts on its own authorities, which is why the scope is uaa.none. The secret changeme below is a placeholder from the example session: choose a strong secret, because it is the only credential the read-only user needs.
ubuntu@pivotal-ops-manager:~$ uaac client add readonly-new --name readonly-new --authorities "bosh.read, bosh.*.read" --scope "uaa.none" --authorized_grant_types "client_credentials"
New client secret: changeme
Verify new client secret: changeme
  scope: uaa.none
  client_id: readonly-new
  resource_ids: none
  authorized_grant_types: client_credentials
  autoapprove:
  authorities: bosh.read bosh.*.read
  name: readonly-new
  lastmodified: 1487733329676
  id: readonly-new
3. Authenticate the BOSH CLI as the new client readonly-new. A client_credentials client does not use the interactive bosh login; the CLI picks up the client ID, secret, CA certificate and Director address from environment variables, where BOSH_ENVIRONMENT is the IP address of the BOSH Director VM. A read-only command such as bosh deployments should succeed with these settings.
ubuntu@pivotal-ops-manager:~$ export BOSH_CLIENT=readonly-new BOSH_CLIENT_SECRET=changeme BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=10.213.49.70
ubuntu@pivotal-ops-manager:~$ bosh
4. Confirm that the new read-only client is not allowed to restart a VM:
ubuntu@pivotal-ops-manager:~$ bosh -d p-mysql-2b77233f801ee90f2e19 restart mysql/0
Acting as client 'readonly-new' on deployment 'p-mysql-2b77233f801ee90f2e19' on 'p-bosh'
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
You are about to restart mysql/0
Detecting deployment changes
----------------------------
Restart mysql/0? (type 'yes' to continue): yes
Performing 'restart mysql/0'...
Error 600000: Require one of the scopes: bosh.admin, bosh.f795f65a-ac8f-40a4-a8b9-e9f14d898578.admin
The Director rejects the task because restart needs an admin scope: either the global bosh.admin or the Director-specific bosh.<director-uuid>.admin, and the client holds neither. Note that the CLI prompts for confirmation before the Director checks authorization, so reaching the prompt does not mean the action is permitted.
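The four steps above, as an added example script that is not part of the original article: it creates the read-only client non-interactively, re-reads the stored client record from UAA to check that nothing beyond read authorities was granted, and then confirms that a read command works while the restart from step 4 is refused with the "Require one of the scopes" error. The helper functions audit_authorities and is_scope_denial are assumptions of this example (they parse the uaac and bosh output shown in the article), as are the variable names; the script assumes uaac is already targeted at the Director's UAA with an admin token, that the BOSH CLI v2 is on PATH, and it only touches a real Director when invoked with the argument run.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): create the read-only BOSH
# UAA client and prove it is read-only. Assumes uaac and the BOSH CLI v2 are
# on PATH, that uaac is already targeted at the Director's UAA and holds an
# admin token (steps 1-4 of "Creating UAA clients for the BOSH Director"),
# and that the variables below are overridden for your environment.
set -eu
set -f   # no pathname expansion: authorities such as bosh.*.read contain '*'

# Values taken from the article's transcript; override them in the environment.
: "${DIRECTOR_IP:=10.213.49.70}"
: "${ROOT_CA:=/var/tempest/workspaces/default/root_ca_certificate}"
: "${CLIENT_ID:=readonly-new}"
: "${DEPLOYMENT:=p-mysql-2b77233f801ee90f2e19}"
: "${INSTANCE:=mysql/0}"

# audit_authorities: reads `uaac client get <id>` output on stdin and succeeds
# only if every authority is a read scope: bosh.read, bosh.*.read, or a
# Director/team-scoped bosh.<something>.read. Anything else (bosh.admin,
# bosh.<uuid>.admin, uaa.admin, ...) makes it fail.
audit_authorities() {
  local auths a
  auths=$(awk '$1 == "authorities:" { $1 = ""; print }')
  [ -n "$auths" ] || return 1     # no authorities line: refuse to vouch for it
  for a in $auths; do
    case "$a" in
      bosh.read|bosh.*.read) ;;   # case patterns glob, so this also admits bosh.<uuid>.read
      *) return 1 ;;
    esac
  done
  return 0
}

# is_scope_denial: reads BOSH CLI output on stdin and succeeds if the Director
# refused the request for lack of an admin scope (the error text from step 4).
is_scope_denial() {
  grep -q 'Require one of the scopes: .*bosh\.admin'
}

# create_readonly_client: step 2 of the article, done non-interactively.
create_readonly_client() {
  local secret="$1"
  uaac client add "$CLIENT_ID" --name "$CLIENT_ID" \
    --authorities "bosh.read,bosh.*.read" \
    --scope uaa.none \
    --authorized_grant_types client_credentials \
    --secret "$secret"
  # Check what UAA actually stored rather than trusting the add command.
  uaac client get "$CLIENT_ID" | audit_authorities ||
    { echo "FAIL: $CLIENT_ID holds more than read authorities" >&2; return 1; }
}

# verify_readonly: steps 3 and 4. A read call must succeed and an admin call
# must be refused. The restart is the article's own check, so if the client
# were wrongly granted admin it really would restart $INSTANCE: point this at
# a deployment you can afford to bounce.
verify_readonly() {
  local secret="$1" out
  export BOSH_CLIENT="$CLIENT_ID" BOSH_CLIENT_SECRET="$secret" \
         BOSH_CA_CERT="$ROOT_CA" BOSH_ENVIRONMENT="$DIRECTOR_IP"
  bosh deployments >/dev/null ||
    { echo "FAIL: read access as $CLIENT_ID does not work" >&2; return 1; }
  if out=$(bosh -n -d "$DEPLOYMENT" restart "$INSTANCE" 2>&1); then
    echo "FAIL: $CLIENT_ID was allowed to restart $INSTANCE" >&2
    return 1
  fi
  printf '%s\n' "$out" | is_scope_denial ||
    { echo "FAIL: restart failed for another reason: $out" >&2; return 1; }
  echo "OK: $CLIENT_ID can read the Director but cannot restart $INSTANCE"
}

# Only touch a real Director when explicitly asked: ./readonly-check.sh run
if [ "${1:-}" = run ]; then
  read -r -s -p "Secret for $CLIENT_ID: " SECRET; echo
  create_readonly_client "$SECRET"
  verify_readonly "$SECRET"
fi
```

Without the run argument the script only defines the functions, so audit_authorities can be fed a saved `uaac client get` transcript from any client to find ones that carry bosh.admin or a bosh.<uuid>.admin authority when they should not.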
For more information on the scopes of the read-only and admin users, refer to Managing Permissions with UAA Scopes.