This topic tells you how to use CredHub Service Broker.

Create and Bind a Service Instance

Creating a CredHub Service Broker instance and binding it to an app creates a credential in CredHub and provides the reference to that credential in the app environment. This allows you to deploy apps that can securely access credentials for services that are not running on VMware Tanzu Application Service for VMs (TAS for VMs).

To create a service instance of the CredHub Service Broker and bind it to your app:

1. Create a CredHub Service Broker service instance by running:

   cf create-service credhub default SERVICE-INSTANCE \
   -c '{"CREDENTIAL-NAME":"CREDENTIAL-VALUE"}'
   

   Where:

   • SERVICE-INSTANCE is a name for your new service instance.
   • CREDENTIAL-NAME is the name for the credential you want to provide to services that are not running on TAS for VMs.
   • CREDENTIAL-VALUE is the value of the credential.

   Note

   You can provide multiple credentials as a JSON list. This JSON list has a maximum size of 64 KB. For example, {"MY_CREDHUB_CRED": "1234", "MY_CREDHUB_CRED2": "5678"}.

   For example:

   $ cf create-service credhub default my-credhub-instance \
   -c '{"MY_CREDHUB_CRED":"1234","MY_CREDHUB_CRED2":"5678"}'
   

2. Ensure that your app is written to use the credential that was provided through the service creation. VCAP_SERVICES is an environment variable that exists in every container.

   Access the credhub JSON object within VCAP_SERVICES to discover the credentials. For example, in Ruby you access this JSON object with ENV['VCAP_SERVICES']['credhub'].

   If you need to edit your app code, you must re-push the app before continuing.

3. Bind the CredHub Service Broker service instance to your app by running:

   cf bind-service APP-NAME SERVICE-INSTANCE
   

4. Restart your app by running:

   cf restart APP-NAME
   

5. Your app now has access to the credential created earlier. Verify that your credential is in the app environment by running the following command and locate the CredHub reference under VCAP_SERVICES in the output:

   cf env APP-NAME
   

   For example:

   $ cf env my-app
   Getting env variables for app my-app in org example / space example as admin...
   OK
   System-Provided:
   {
    "VCAP_SERVICES": {
     "credhub": [
      {
       "binding_name": null,
       "credentials": {
        "credhub-ref": "/credhub-service-broker/credhub/ac517e09-2f5e-475a-bf87-ca4275faa536/credentials"
       },
       "instance_name": "credhub",
       "label": "credhub",
       "name": "credhub",
       "plan": "default",
       "provider": null,
       "syslog_drain_url": null,
       "tags": [
        "credhub"
       ],
       "volume_mounts": []
      }
     ]
    }
   }
   

Update Credentials

To update credentials in an existing CredHub Service Broker service instance:

1. Run:

   cf update-service SERVICE-INSTANCE \
   -c '{"CREDENTIAL-NAME":"CREDENTIAL-VALUE"}'
   

   Where:

   • SERVICE-INSTANCE is the name of your existing CredHub Service Broker service instance.
   • CREDENTIAL-NAME is the name for the updated credential you want to provide to services that are not running on TAS for VMs.
   • CREDENTIAL-VALUE is the value of the credential.

   Note

   You can update multiple credentials as a JSON list. For example, {"MY_CREDHUB_CRED": "1234", "MY_CREDHUB_CRED2": "5678"}.

   For example:

   $ cf update-service SERVICE-INSTANCE \
   -c '{"MY_CREDHUB_CRED":"1234","MY_CREDHUB_CRED2":"5678"}'
   

2. Restart your app by running:

   cf restart APP-NAME