Using CredHub Service Broker
This topic describes how to use CredHub Service Broker.
Create and Bind a Service Instance
Creating a CredHub Service Broker instance and binding it to an app creates a credential in CredHub and places a reference to that credential in the app environment. This allows developers to deploy apps that can securely access credentials for services that are not running on VMware Tanzu Application Service for VMs (TAS for VMs), without storing the secret value in the app manifest, code, or environment variables that you set by hand.
To create a service instance of the CredHub Service Broker and bind it to your app, perform the following steps:

1. Create a CredHub Service Broker service instance. Run the following command:

cf create-service credhub default SERVICE-INSTANCE \
  -c '{"CREDENTIAL-NAME":"CREDENTIAL-VALUE"}'

Where:

SERVICE-INSTANCE is a name for your new service instance.
CREDENTIAL-NAME is the name for the credential you want to provide to services that are not running on TAS for VMs.
CREDENTIAL-VALUE is the value of the credential.

Note: You can provide multiple credentials as key/value pairs in a single JSON object. This JSON object has a maximum size of 64 KB. For example, {"MY_CREDHUB_CRED": "1234", "MY_CREDHUB_CRED2": "5678"}.

Note: A credential value passed in-line with -c appears on the command line, so it can end up in your shell history and in process listings. The cf CLI also accepts a path to a JSON file for -c; use a file with restrictive permissions when the value is sensitive.

For example:

$ cf create-service credhub default my-credhub-instance \
    -c '{"MY_CREDHUB_CRED":"ABCDEFGHIJK123456789"}'
2. Ensure that your app is written to use the credential that was provided through the service creation.

VCAP_SERVICES is an environment variable that exists in every container. Access the credhub JSON object within VCAP_SERVICES to discover the credentials. VCAP_SERVICES holds a JSON string, so parse it before indexing into it. For example, in Ruby you would access this JSON object with JSON.parse(ENV['VCAP_SERVICES'])['credhub'].
If you need to modify your app code, you must re-push the app before continuing.

3. Bind the CredHub Service Broker service instance to your app. Run the following command:
cf bind-service MY-APP SERVICE-INSTANCE
4. Restart your app. Run the following command:
cf restart MY-APP
5. Your app should now have access to the credential created in step 1. To verify that your credential is in the app environment, run the following command and locate the CredHub reference under VCAP_SERVICES in the output:

cf env MY-APP

For example:

$ cf env my-app
Getting env variables for app my-app in org example / space example as admin...
OK

System-Provided:
{
 "VCAP_SERVICES": {
  "credhub": [
   {
    "binding_name": null,
    "credentials": {
     "credhub-ref": "/credhub-service-broker/credhub/ac517e09-2f5e-475a-bf87-ca4275faa536/credentials"
    },
    "instance_name": "credhub",
    "label": "credhub",
    "name": "credhub",
    "plan": "default",
    "provider": null,
    "syslog_drain_url": null,
    "tags": [
     "credhub"
    ],
    "volume_mounts": []
   }
  ]
 }
}

The credhub-ref shown here is the CredHub path of the credential, not its value. cf env never prints the value; it is resolved from CredHub into the app's environment when the container starts, so the only place the secret appears in clear text is inside the running app.
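The following Ruby helper is an added example of the app-side code that step 2 asks for; it is not code from the CredHub Service Broker documentation or from the broker itself. It parses VCAP_SERVICES, locates the credhub binding, and fails closed if the binding is missing, if a requested name is absent, or if the binding still carries only the unresolved credhub-ref that cf env prints. It assumes that inside the running container the platform has resolved the reference into the credentials object so that the app sees the key/value pairs passed to cf create-service. The two sample VCAP_SERVICES strings are constructed for the example, modelled on the cf env output above; the names CredentialError, credhub_credentials and fetch_credential are the example's own.

```ruby
require 'json'

# Raised when the binding is missing, unresolved, or lacks the requested name.
class CredentialError < StandardError; end

# Parse VCAP_SERVICES (a JSON string in the container environment) and return
# the `credentials` hash of the first binding under the "credhub" label.
# A binding whose credentials consist only of a "credhub-ref" is the
# unresolved form that `cf env` prints; it is rejected rather than being
# mistaken for a secret value.
def credhub_credentials(vcap_services_json)
  if vcap_services_json.nil? || vcap_services_json.strip.empty?
    raise CredentialError, 'VCAP_SERVICES is not set'
  end

  bindings = JSON.parse(vcap_services_json).fetch('credhub', [])
  raise CredentialError, 'no CredHub Service Broker binding in VCAP_SERVICES' if bindings.empty?

  creds = bindings.first.fetch('credentials', {})
  if creds.keys == ['credhub-ref']
    raise CredentialError, "binding still holds an unresolved reference #{creds['credhub-ref']}"
  end
  creds
end

# Return one named credential, failing closed instead of returning nil.
def fetch_credential(vcap_services_json, name)
  credhub_credentials(vcap_services_json).fetch(name) {
    raise CredentialError, "credential #{name} is not present in the binding"
  }
end

# Constructed sample (hypothetical): the unresolved form that `cf env` shows.
UNRESOLVED_VCAP = <<~JSON
  {"credhub": [{"binding_name": null, "label": "credhub", "name": "credhub",
    "plan": "default", "tags": ["credhub"],
    "credentials": {"credhub-ref": "/credhub-service-broker/credhub/ac517e09-2f5e-475a-bf87-ca4275faa536/credentials"}}]}
JSON

# Constructed sample (hypothetical): the resolved form assumed inside the
# running container, carrying the key/value pairs given to `cf create-service -c`.
RESOLVED_VCAP = <<~JSON
  {"credhub": [{"binding_name": null, "label": "credhub", "name": "credhub",
    "plan": "default", "tags": ["credhub"],
    "credentials": {"MY_CREDHUB_CRED": "ABCDEFGHIJK123456789", "MY_CREDHUB_CRED2": "5678"}}]}
JSON

if __FILE__ == $PROGRAM_NAME
  # In the app itself: fetch_credential(ENV['VCAP_SERVICES'], 'MY_CREDHUB_CRED').
  # Print only the credential names, never the values, so nothing secret lands in logs.
  puts "credentials available: #{credhub_credentials(RESOLVED_VCAP).keys.join(', ')}"
  begin
    credhub_credentials(UNRESOLVED_VCAP)
  rescue CredentialError => e
    puts "rejected: #{e.message}"
  end
end
```

In the app, replace the sample strings with ENV['VCAP_SERVICES'] and call fetch_credential at startup so that a missing or unresolved binding stops the app early instead of surfacing as a nil credential deep inside a request.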
Update Credentials
Perform the following steps to update the credentials in a CredHub Service Broker service instance:

1. Update the credentials in your existing CredHub Service Broker service instance. Run the following command:

cf update-service SERVICE-INSTANCE \
  -c '{"CREDENTIAL-NAME":"CREDENTIAL-VALUE"}'

Where:

SERVICE-INSTANCE is the name of your existing CredHub Service Broker service instance.
CREDENTIAL-NAME is the name for the updated credential you want to provide to services that are not running on TAS for VMs.
CREDENTIAL-VALUE is the new value of the credential.

Note: You can update multiple credentials as key/value pairs in a single JSON object. For example, {"MY_CREDHUB_CRED": "1234", "MY_CREDHUB_CRED2": "5678"}.

For example:

$ cf update-service my-credhub-instance \
    -c '{"MY_CREDHUB_CRED":"ABCDEFGHIJK123456789"}'
2. Restart your app so that it picks up the new value; the credential is resolved into the app environment only when the container starts, so a running app keeps using the old value until it is restarted. Run the following command:
cf restart MY-APP