Creating UAA Clients for BOSH Director

This topic describes the process of creating a UAA client for the BOSH Director. You must create an automation client to run BOSH from a script or set up a continuous integration pipeline.

About the BOSH CLI

This topic requires you to run commands from the Ops Manager Director using the BOSH Command Line Interface (CLI).

There are two major releases of the BOSH CLI, and the Ops Manager Director VM includes both versions. You can use either version of the BOSH CLI to interact with your deployment, using bosh commands for the old CLI and bosh2 commands for the new CLI.

For more information about the differences between the old and new versions of the BOSH CLI, see the BOSH documentation.

This topic provides example commands for both versions of the BOSH CLI. Pivotal recommends using bosh2 for compatibility with future PCF versions.

See Advanced Troubleshooting with the BOSH CLI for more information.

Local Authentication

To perform this procedure, the UAAC client must be installed on the Ops Manager virtual machine (VM).

  1. Open a terminal and SSH into the Ops Manager VM by following the instructions for your IaaS in the SSH into Ops Manager topic.

  2. Navigate to the Ops Manager Installation Dashboard and select the Ops Manager Director tile. In Ops Manager Director, click the Status tab, and copy the Ops Manager Director IP address.

  3. Using the uaac target command, target Ops Manager Director UAA on port 8443 using the IP address you copied, and specify the location of the root certificate. The default location is /var/tempest/workspaces/default/root_ca_certificate.

    $ uaac target https://OPS-DIRECTOR-IP:8443 --ca-cert \
    /var/tempest/workspaces/default/root_ca_certificate
    
    Target: https://10.85.16.4:8443
    

    Note: You can also curl or point your browser to the following endpoint to obtain the root certificate: https://OPS-MANAGER-FQDN/api/v0/security/root_ca_certificate

  4. Log in to the Ops Manager Director UAA and retrieve the owner token. To obtain the values for UAA-LOGIN-CLIENT-PASSWORD and UAA-ADMIN-CLIENT-PASSWORD:

    • Select the Ops Manager Director tile from the Ops Manager Installation Dashboard.
    • Click the Credentials tab, and locate the entries for Uaa Login Client Credentials and Uaa Admin User Credentials.
    • For each entry, click Link to Credential to obtain the password.

    $ uaac token owner get login -s UAA-LOGIN-CLIENT-PASSWORD
    User name:  admin
    Password:  UAA-ADMIN-CLIENT-PASSWORD
    
    Successfully fetched token via owner password grant.
    Target: https://10.85.16.4:8443
    Context: admin, from client login

    Note: To obtain the password for the UAA login and admin clients, you can also curl or point your browser to the following endpoints: https://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_login_client_credentials and https://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_admin_user_credentials

  5. Create a new UAA Client with bosh.admin privileges.

    $ uaac client add ci --authorized_grant_types client_credentials \
    --authorities bosh.admin --secret CI-SECRET
    
    scope: uaa.none
    client_id: ci
    resource_ids: none
    authorized_grant_types: client_credentials
    autoapprove:
    action: none
    authorities: bosh.admin
    name: ci
    lastmodified: 1469727130702
    id: ci
    
  6. Set the client and secret as environment variables on the VM.

    ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=ci
    ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=CI-SECRET
    
  7. Target or alias the BOSH environment using the client. Replace DIRECTOR-IP with the IP address of your Ops Manager Director VM.

    BOSH CLI v1:

    $ bosh --ca-cert /var/tempest/workspaces/default/root_ca_certificate \
    target DIRECTOR-IP

    BOSH CLI v2:

    $ bosh2 alias-env MY-ENVIRONMENT-NAME -e DIRECTOR-IP \
    --ca-cert /var/tempest/workspaces/default/root_ca_certificate

    You can now use the UAA client you created to run BOSH in automated or scripted environments, such as continuous integration pipelines.
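The Local Authentication procedure above, written as one POSIX shell script; this is an added example, not code from the Pivotal documentation. It assumes the three secrets arrive through environment variables (UAA_LOGIN_CLIENT_PASSWORD, UAA_ADMIN_PASSWORD and CLIENT_SECRET are names chosen here), that uaac's -p/--password option supplies the admin password non-interactively, and that DRY_RUN=1 prints each command with secret values redacted instead of executing it; the optional third argument lets a read-only pipeline request the bosh.read scope instead of bosh.admin.

```shell
#!/bin/sh
# Added example, not from the Pivotal docs: the Local Authentication steps above as one
# script. Secrets are read from the environment rather than argv so they stay out of
# shell history; DRY_RUN=1 prints each command with secrets redacted instead of running it.
set -eu
CA_CERT="${CA_CERT:-/var/tempest/workspaces/default/root_ca_certificate}"

# The root CA must be a readable PEM certificate; otherwise uaac and bosh either
# fail TLS verification or get pointed at the wrong trust anchor.
check_ca_cert() {
  [ -r "$1" ] || return 1
  head -n 1 "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Reject empty secrets and the documentation placeholders that get copied verbatim.
check_secret() {
  [ -n "$1" ] || return 1
  case "$1" in CI-SECRET|CLIENT_SECRET|UAA-*) return 1 ;; esac
}

# Execute the command, or when DRY_RUN=1 print it with the value following
# -s, -p or --secret replaced by *** so a CI log never captures a secret.
run() {
  if [ "${DRY_RUN:-0}" != 1 ]; then "$@"; return; fi
  line=""; mask=0
  for a in "$@"; do
    if [ "$mask" = 1 ]; then a='***'; mask=0; fi
    case "$a" in -s|-p|--secret) mask=1 ;; esac
    line="$line$a "
  done
  echo "${line% }"
}

# create_bosh_ci_client DIRECTOR-IP CLIENT-ID [AUTHORITIES]
# AUTHORITIES defaults to bosh.admin as in the docs; pass bosh.read (the BOSH UAA
# read-only scope) for pipelines that only inspect deployments.
create_bosh_ci_client() {
  director_ip="$1"; client_id="$2"; authorities="${3:-bosh.admin}"
  check_ca_cert "$CA_CERT" || { echo "unusable CA cert: $CA_CERT" >&2; return 2; }
  check_secret "${CLIENT_SECRET:-}" || { echo "CLIENT_SECRET unset or placeholder" >&2; return 3; }
  run uaac target "https://${director_ip}:8443" --ca-cert "$CA_CERT"
  # Owner-password grant as admin through the login client (step 4 above).
  run uaac token owner get login admin -s "$UAA_LOGIN_CLIENT_PASSWORD" -p "$UAA_ADMIN_PASSWORD"
  run uaac client add "$client_id" --authorized_grant_types client_credentials \
    --authorities "$authorities" --secret "$CLIENT_SECRET"
  run bosh2 alias-env "${client_id}-env" -e "$director_ip" --ca-cert "$CA_CERT"
  # Step 6: exported for the calling shell when this file is sourced.
  export BOSH_CLIENT="$client_id" BOSH_CLIENT_SECRET="$CLIENT_SECRET"
}
```

Run it with DRY_RUN=1 first to confirm the redacted command sequence before letting it touch the Director.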

SAML Authentication to the BOSH Director

SAML authentication requires a browser, and typically there is no browser access to a BOSH Director. Ops Manager therefore provides an option to create UAA clients during SAML configuration so that BOSH can still be automated from scripts and tooling.

  1. Select Provision an admin client in the Bosh UAA when configuring Ops Manager for SAML.

  2. After deploying Ops Manager Director (BOSH), click the Credentials tab in the Ops Manager Director tile.

  3. Click the link for the Uaa Bosh Client Credentials to get the client name and secret.

  4. Open a terminal and SSH into the Ops Manager VM by following the instructions for your IaaS in the SSH into Ops Manager topic.

  5. Set the client and secret as environment variables on the Ops Manager VM.

    ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=bosh_admin_client
    ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=CLIENT_SECRET
    

  6. Target or alias the BOSH environment using the client. Replace DIRECTOR-IP with the IP address of your Ops Manager Director VM.

    BOSH CLI v1:

    $ bosh --ca-cert /var/tempest/workspaces/default/root_ca_certificate \
    target DIRECTOR-IP

    BOSH CLI v2:

    $ bosh2 alias-env MY-ENVIRONMENT-NAME -e DIRECTOR-IP \
    --ca-cert /var/tempest/workspaces/default/root_ca_certificate