This topic describes how to create a UAA client for the BOSH Director. You must create an automation client to run BOSH from a script or set up a continuous integration pipeline.

This topic assumes you are using BOSH CLI v2+.

To create an automation client, do one of the following:

• Local authentication: When using Internal Authentication, use the existing admin client to manually create an automation client with the correct privileges.

• Provision admin client: When setting up SAML, LDAP, or OIDC authentication, ensure that VMware Tanzu Operations Manager provisions an admin client.

Local authentication

To complete this procedure, the UAAC client must be installed on the Tanzu Operations Manager virtual machine (VM).

1. Open a terminal and SSH into the Tanzu Operations Manager VM by following the instructions for your IaaS in Log into the Tanzu Operations Manager VM with SSH.

2. Go to the Tanzu Operations Manager Installation Dashboard and click the BOSH Director tile. In BOSH Director, click the Status tab, and record the IP address.

3. Using the uaac target command, target BOSH Director UAA on port 8443 using the IP address you copied, and specify the location of the root certificate. The default location is /var/tempest/workspaces/default/root_ca_certificate.

   $ uaac target https://BOSH-DIRECTOR-IP:8443 --ca-cert \
   /var/tempest/workspaces/default/root_ca_certificate
   
   Target: https://10.85.16.4:8443
   

   Where BOSH-DIRECTOR-IP is the IP you recorded in the Status tab of the BOSH Director.

   You can also curl or point your browser to the following endpoint to obtain the root certificate: https://OPS-MANAGER-FQDN/api/v0/security/root_ca_certificate

4. Log in to the BOSH Director UAA and retrieve the owner token. Complete the following steps to obtain the values for UAA-LOGIN-CLIENT-PASSWORD and UAA-ADMIN-CLIENT-PASSWORD:

   1. Select the BOSH Director tile on the Tanzu Operations Manager Installation Dashboard.
   2. Click the Credentials tab, and record the entries for Uaa Login Client Credentials and Uaa Admin User Credentials.

   3. For each entry, click Link to Credential to obtain the password.

      $ uaac token owner get login -s UAA-LOGIN-CLIENT-PASSWORD
      User name:  admin
      Password:  UAA-ADMIN-CLIENT-PASSWORD
      Successfully fetched token via owner password grant.
      Target: https://10.85.16.4:8443
      Context: admin, from client login
      

   To obtain the password for the UAA log in and admin clients, you can also curl or point your browser to the following endpoints: https://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_login_client_credentials and https://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_admin_user_credentials.

5. Create a new UAA Client with bosh.admin privileges.

   $ uaac client add ci --authorized_grant_types client_credentials \
   --authorities bosh.admin --secret CI-SECRET
   
   scope: uaa.none
   client_id: ci
   resource_ids: none
   authorized_grant_types: client_credentials
   autoapprove:
   action: none
   authorities: bosh.admin
   name: ci
   lastmodified: 1469727130702
   id: ci
   

6. Set the client and secret as environment variables on the VM.

   ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=ci
   ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=CI-SECRET
   

7. Set an alias for the BOSH Director environment.

   bosh alias-env MY-ENVIRONMENT-NAME -e BOSH-DIRECTOR-IP \
   --ca-cert /var/tempest/workspaces/default/root_ca_certificate
   

   You can now use the UAA client you created to run BOSH in automated or scripted environments, such as continuous integration pipelines.

Provision admin client

Tanzu Operations Manager provides an option to create UAA clients during SAML, LDAP, or OIDC configuration so that operators can use scripts and tooling to automate BOSH.

1. When configuring Tanzu Operations Manager for SAML, LDAP, or OIDC, select Provision an admin client in the Bosh UAA.

2. After deploying BOSH Director (BOSH), click the Status tab and record the IP address.

3. In the BOSH Director tile, click the Credentials tab.

4. Click the link for the Uaa Bosh Client Credentials to record the client name and secret.

5. Open a terminal and SSH into the Tanzu Operations Manager VM. For more information, see Log into the Tanzu Operations Manager VM with SSH.

6. Set the client and secret as environment variables on the Tanzu Operations Manager VM.

   export BOSH_CLIENT=bosh_admin_client
   export BOSH_CLIENT_SECRET=UAA-BOSH-CLIENT-SECRET
   

   Where UAA-BOSH-CLIENT-SECRET is the client secret you recorded in an earlier step.

   For example:

   $ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=bosh_admin_client
   $ ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=aBcDeFGhijKabdsadfdfdf
   

7. Set an alias for the BOSH Director environment.

   bosh alias-env MY-ENVIRONMENT-NAME -e BOSH-DIRECTOR-IP \
   --ca-cert /var/tempest/workspaces/default/root_ca_certificate
   

   Where BOSH-DIRECTOR-IP is the IP address you recorded in the Status tab of the BOSH Director.