Spring Cloud Services v1.5

Service Instance Access

See below for information about directly accessing the Spring Boot backing applications deployed for each Spring Cloud Services service instance.

Get Access Token for Direct Requests to a Service Instance

To make requests directly against a Config Server service instance’s Spring Cloud Config Server backing application or a Service Registry service instance’s Spring Cloud Netflix Eureka backing application, you must obtain an OAuth 2.0 token. See the following sections for more information.

For the Config Server /encrypt Endpoint

To access the Config Server’s /encrypt endpoint, you must obtain a password credentials token. You can do this using the cf oauth-token command, as described below.

Run cf env, giving the name of an application that is bound to the service instance:

$ cf services
Getting services in org myorg / space development as admin...
OK

name             service           plan        bound apps   last operation
config-server    p-config-server   standard    cook         create succeeded

$ cf env cook
Getting env variables for app cook in org myorg / space development as admin...
OK

System-Provided:
{
 "VCAP_SERVICES": {
  "p-config-server": [
   {
    "credentials": {
     "access_token_uri": "https://p-spring-cloud-services.uaa.cf.wise.com/oauth/token",
     "client_id": "p-config-server-876cd13b-1564-4a9a-9d44-c7c8a6257b73",
     "client_secret": "rU7dMUw6bQjR",
     "uri": "https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.com"
    },
[...]

Copy the value of credentials.uri. Then use the cf oauth-token command to get the token for the current session. The following example uses curl to access the /encrypt endpoint of a Config Server service instance (see the Encryption and Encrypted Values section of the Configuring with Git topic):

$ curl -H "Authorization: $(cf oauth-token)" https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.com/encrypt -d 'Value to be encrypted'
15f826dd703c4a3e9e1d64a5827d3b1f1584a1173c03c42d87e7480dddb07d86e009c2d78a68eee610f7f55c66894907

For All Other Config Server Endpoints and for Service Registry Endpoints

To access Config Server endpoints other than /encrypt or to access Service Registry endpoints, you must obtain a client credentials token. You can do this using cURL, as described below.

Note: The following procedure uses the jq command-line JSON processing tool.

Run cf env, giving the name of an application that is bound to the service instance:

$ cf services
Getting services in org myorg / space development as admin...
OK

name             service           plan        bound apps   last operation
config-server    p-config-server   standard    cook         create succeeded

$ cf env cook
Getting env variables for app cook in org myorg / space development as admin...
OK

System-Provided:
{
 "VCAP_SERVICES": {
  "p-config-server": [
   {
    "credentials": {
     "access_token_uri": "https://p-spring-cloud-services.uaa.cf.wise.com/oauth/token",
     "client_id": "p-config-server-876cd13b-1564-4a9a-9d44-c7c8a6257b73",
     "client_secret": "rU7dMUw6bQjR",
     "uri": "https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.com"
    },
[...]

Then run the following Bash script, which fetches a token and uses the token to access an endpoint on a service instance backing application:

TOKEN=$(curl -k [ACCESS_TOKEN_URI] -u [CLIENT_ID]:[CLIENT_SECRET] -d grant_type=client_credentials | jq -r .access_token); \
curl -k -H "Authorization: bearer $TOKEN" -H "Accept: application/json" [URI]/[ENDPOINT] | jq

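This script retrieves an access token from Cloud Foundry’s UAA service using the OAuth 2.0 client credentials grant, then sends that token as a bearer token in a call to the service instance’s API endpoint. The -k option makes curl skip TLS certificate verification on both requests, and the first request carries the client secret; omit -k where the platform’s certificates chain to a CA that curl trusts.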

In this script, replace the following placeholders with values from the cf env command above:

  • [ACCESS_TOKEN_URI] with the value of p-config-server.credentials.access_token_uri
  • [CLIENT_ID] with the value of p-config-server.credentials.client_id
  • [CLIENT_SECRET] with the value of p-config-server.credentials.client_secret
  • [URI] with the value of p-config-server.credentials.uri

Replace [ENDPOINT] with the relevant endpoint. For example:

  • application/profile to retrieve configuration from a Config Server service instance
  • eureka/apps to retrieve the registry from a Service Registry service instance

Using CredHub for Service Instance Credentials

If the Spring Cloud Services tile has been configured to use the Pivotal Application Service (PAS) CredHub to secure service instance credentials, an application’s VCAP_SERVICES environment variable will not include credentials for bound service instances. The environment variable will instead contain a CredHub reference for the service instance’s credentials, as in the following example:

{
 "VCAP_SERVICES": {
  "p-config-server": [
   {
    "credentials": {
     "credhub-ref": "/c/p-spring-cloud-services/p-config-server/019e0b47-b06a-4291-a8b8-4a2a90c645f5/credentials-json"
    },
    "label": "p-config-server",
    "name": "config-server",
    "plan": "standard",
    "provider": null,
    "syslog_drain_url": null,
    "tags": [
     "configuration",
     "spring-cloud"
    ],
    "volume_mounts": []
   }
  ]
 }
}

Service instance credentials secured using the PAS CredHub are securely provided to the bound application at runtime. For more information about CredHub, see the documentation.
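The client credentials exchange and the CredHub case described above, as an added Python example that is not part of the Spring Cloud Services documentation: it reads a binding from VCAP_SERVICES, stops when only a credhub-ref is present, and builds the token request with certificate verification left on. The sample bindings, host names and function names are constructed for illustration.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample bindings, shaped like the VCAP_SERVICES excerpts on this page.
PLAIN = json.loads("""{"VCAP_SERVICES": {"p-config-server": [{"credentials": {
  "access_token_uri": "https://uaa.example.test/oauth/token",
  "client_id": "p-config-server-EXAMPLE",
  "client_secret": "EXAMPLE-SECRET",
  "uri": "https://config-EXAMPLE.apps.example.test"}}]}}""")
CREDHUB = json.loads("""{"VCAP_SERVICES": {"p-config-server": [{"credentials": {
  "credhub-ref": "/c/p-spring-cloud-services/p-config-server/EXAMPLE/credentials-json"}}]}}""")
REQUIRED = ("access_token_uri", "client_id", "client_secret", "uri")


def binding_credentials(env, label="p-config-server", index=0):
    """Return the credentials dict, or raise if only a CredHub reference is present."""
    creds = env["VCAP_SERVICES"][label][index]["credentials"]
    if "credhub-ref" in creds:
        raise LookupError("credentials are held in CredHub: " + creds["credhub-ref"])
    missing = [k for k in REQUIRED if k not in creds]
    if missing:
        raise ValueError("binding lacks " + ", ".join(missing))
    return creds


def token_request(creds):
    """Build the client_credentials POST; the secret travels only in the Basic header."""
    if not creds["access_token_uri"].startswith("https://"):
        raise ValueError("refusing to send client_secret over a non-HTTPS URI")
    basic = base64.b64encode(f"{creds['client_id']}:{creds['client_secret']}".encode())
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(creds["access_token_uri"], data=body, method="POST",
        headers={"Authorization": "Basic " + basic.decode(), "Accept": "application/json"})


def call_endpoint(creds, endpoint, cafile=None):
    """Fetch a token, then GET [URI]/[ENDPOINT]; certificates are verified throughout."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: platform CA bundle, if private
    with urllib.request.urlopen(token_request(creds), context=ctx) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(creds["uri"].rstrip("/") + "/" + endpoint.lstrip("/"),
        headers={"Authorization": "bearer " + token, "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```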
