This topic describes how to create a UAA client for the BOSH Director. You need an automation client to run BOSH from a script or a continuous integration (CI) pipeline, because those cannot complete an interactive login.
This topic assumes you are using BOSH CLI v2+.
To create an automation client, do one of the following, depending on how the BOSH Director UAA authenticates users:
Internal Authentication: use the existing admin client to create an automation client manually, granting only the privileges the pipeline needs.
SAML, LDAP, or OIDC: ensure that VMware Tanzu Operations Manager provisions an admin client for you when you configure the authentication method.
To complete this procedure, the UAA command-line client (uaac) must be installed on the Tanzu Operations Manager virtual machine (VM).
Open a terminal and SSH into the Tanzu Operations Manager VM by following the instructions for your IaaS in Log into the Tanzu Operations Manager VM with SSH.
Go to the Tanzu Operations Manager Installation Dashboard and click the BOSH Director tile. In BOSH Director, click the Status tab, and record the IP address.
Use the uaac target command to target the BOSH Director UAA on port 8443 at the IP address you recorded, and pass the root certificate with --ca-cert so that the TLS connection is verified. The default location of the root certificate is /var/tempest/workspaces/default/root_ca_certificate. Do not substitute --skip-ssl-validation: the next step sends the UAA admin password over this connection.
$ uaac target https://BOSH-DIRECTOR-IP:8443 --ca-cert \
/var/tempest/workspaces/default/root_ca_certificate
Target: https://10.85.16.4:8443
Where BOSH-DIRECTOR-IP is the IP address you recorded in the Status tab of the BOSH Director.
You can also fetch the root certificate from the Tanzu Operations Manager API with curl or a browser at https://OPS-MANAGER-FQDN/api/v0/security/root_ca_certificate. The endpoint requires Tanzu Operations Manager authentication.
Log in to the BOSH Director UAA and retrieve an owner token. You need two credentials: UAA-LOGIN-CLIENT-PASSWORD, the secret of the UAA login client, and UAA-ADMIN-CLIENT-PASSWORD, the password of the UAA admin user. To obtain them, open the Credentials tab of the BOSH Director tile and click Link to Credential next to Uaa Login Client Credentials and Uaa Admin User Credentials. If you omit -s, uaac prompts for the client secret, which keeps it out of your shell history.
$ uaac token owner get login -s UAA-LOGIN-CLIENT-PASSWORD
User name: admin
Password: UAA-ADMIN-CLIENT-PASSWORD
Successfully fetched token via owner password grant.
Target: https://10.85.16.4:8443
Context: admin, from client login
To obtain the passwords for the UAA login and admin clients, you can also curl or point your browser to the following endpoints: https://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_login_client_credentials and https://OPS-MANAGER-FQDN/api/v0/deployed/director/credentials/uaa_admin_user_credentials.
Create a new UAA client that authenticates with the client_credentials grant. The example below grants bosh.admin, which is full control of the Director. If the pipeline only inspects deployments, grant bosh.read instead, and replace CI-SECRET with a long random value rather than a memorable string, because this secret is all an attacker needs to act as the client.
$ uaac client add ci --authorized_grant_types client_credentials \
--authorities bosh.admin --secret CI-SECRET
scope: uaa.none
client_id: ci
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
action: none
authorities: bosh.admin
name: ci
lastmodified: 1469727130702
id: ci
Set the client and secret as environment variables on the VM.
ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=ci
ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=CI-SECRET
Set an alias for the BOSH Director environment.
bosh alias-env MY-ENVIRONMENT-NAME -e BOSH-DIRECTOR-IP \
--ca-cert /var/tempest/workspaces/default/root_ca_certificate
You can now use the UAA client you created to run BOSH in automated or scripted environments, such as continuous integration pipelines. Store CI-SECRET in the pipeline's secret store, not in the pipeline definition or a repository.
Tanzu Operations Manager provides an option to create UAA clients during SAML, LDAP, or OIDC configuration so that operators can use scripts and tooling to automate BOSH.
When configuring Tanzu Operations Manager for SAML, LDAP, or OIDC, select Provision an admin client in the Bosh UAA.
After BOSH Director deploys, click the Status tab of the BOSH Director tile and record the IP address.
In the BOSH Director tile, click the Credentials tab.
Click the link for Uaa Bosh Client Credentials and record the client name and secret.
Open a terminal and SSH into the Tanzu Operations Manager VM. For more information, see Log into the Tanzu Operations Manager VM with SSH.
Set the client and secret as environment variables on the Tanzu Operations Manager VM.
export BOSH_CLIENT=bosh_admin_client
export BOSH_CLIENT_SECRET=UAA-BOSH-CLIENT-SECRET
Where UAA-BOSH-CLIENT-SECRET is the client secret you recorded in an earlier step.
For example:
ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT=bosh_admin_client
ubuntu@ip-10-0-0-12:~$ export BOSH_CLIENT_SECRET=aBcDeFGhijKabdsadfdfdf
Set an alias for the BOSH Director environment.
bosh alias-env MY-ENVIRONMENT-NAME -e BOSH-DIRECTOR-IP \
--ca-cert /var/tempest/workspaces/default/root_ca_certificate
Where BOSH-DIRECTOR-IP is the IP address you recorded in the Status tab of the BOSH Director.
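The following shell script is an added example, not part of the Tanzu Operations Manager documentation or of BOSH itself. It wraps both procedures on this page into reusable functions: create_ci_client performs the Internal Authentication steps (uaac target, owner-token login, client add), and use_bosh_client performs the final steps both paths share (export the client, alias the environment, prove the credentials work). It assumes uaac and bosh are on PATH and that the root certificate is at the default path; the function names, the CI_ROLE and RUN_BOSH_CLIENT_SETUP variables, and the secret checks are this example's own conventions. It goes beyond the page in one respect: it maps a "read" role to bosh.read, the Director's read-only authority, so that a pipeline that only inspects deployments is not created with bosh.admin.

```shell
#!/bin/sh
# Added example (not from the Tanzu Operations Manager docs or from BOSH).
# Assumes: uaac and bosh on PATH, root CA at the default path below, and the
# UAA login-client secret and admin password exported as
# UAA_LOGIN_CLIENT_PASSWORD and UAA_ADMIN_CLIENT_PASSWORD. Function names,
# CI_ROLE and RUN_BOSH_CLIENT_SETUP are this example's own conventions.
set -eu

CA_CERT="${CA_CERT:-/var/tempest/workspaces/default/root_ca_certificate}"

# The Director's UAA listens on 8443 (the Director API itself is on 25555).
uaa_url() { printf 'https://%s:8443' "$1"; }

# Map a coarse role onto the Director authority the client needs. Creating
# every pipeline client with bosh.admin violates least privilege: a pipeline
# that only lists or inspects deployments needs bosh.read.
authority_for_role() {
  case "$1" in
    admin) echo bosh.admin ;;
    read)  echo bosh.read ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Reject short secrets and anything that is not shell-safe before it is sent
# to UAA; a placeholder such as CI-SECRET fails the length check.
secret_ok() {
  s="$1"
  [ "${#s}" -ge 32 ] || return 1
  case "$s" in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# 32 random bytes from the kernel CSPRNG, hex-encoded (64 characters).
gen_secret() { head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'; }

# Sanity-check the CA bundle before pointing uaac and bosh at it: a missing
# or empty file must fail here, not be worked around with --skip-ssl-validation.
ca_cert_ok() { [ -s "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"; }

# Internal Authentication path. Secrets come from the environment rather than
# being typed on the command line, so they do not land in shell history
# (they are still briefly visible to ps on this VM while uaac runs).
create_ci_client() {
  director_ip="$1"; client_id="$2"; role="$3"; client_secret="$4"
  authority="$(authority_for_role "$role")"
  secret_ok "$client_secret" || { echo "weak client secret" >&2; return 1; }
  ca_cert_ok "$CA_CERT" || { echo "bad CA cert: $CA_CERT" >&2; return 1; }
  uaac target "$(uaa_url "$director_ip")" --ca-cert "$CA_CERT"
  uaac token owner get login admin \
    -s "$UAA_LOGIN_CLIENT_PASSWORD" -p "$UAA_ADMIN_CLIENT_PASSWORD"
  uaac client add "$client_id" --authorized_grant_types client_credentials \
    --authorities "$authority" --secret "$client_secret"
}

# Both paths end the same way: export the client, alias the environment, and
# prove the credentials work with a call that needs a valid token, so a wrong
# secret fails here rather than halfway through a pipeline run.
use_bosh_client() {
  env_name="$1"; director_ip="$2"
  export BOSH_CLIENT="$3" BOSH_CLIENT_SECRET="$4"
  ca_cert_ok "$CA_CERT" || { echo "bad CA cert: $CA_CERT" >&2; return 1; }
  bosh alias-env "$env_name" -e "$director_ip" --ca-cert "$CA_CERT"
  bosh -e "$env_name" deployments >/dev/null
}

# Guarded so that sourcing this file for its functions has no side effects.
# Usage: RUN_BOSH_CLIENT_SETUP=1 CI_ROLE=read sh create-bosh-client.sh 10.85.16.4
if [ "${RUN_BOSH_CLIENT_SETUP:-0}" = 1 ]; then
  DIRECTOR_IP="${1:?usage: $0 BOSH-DIRECTOR-IP}"
  CI_SECRET="${CI_SECRET:-$(gen_secret)}"
  create_ci_client "$DIRECTOR_IP" ci "${CI_ROLE:-read}" "$CI_SECRET"
  use_bosh_client "${ENV_NAME:-director}" "$DIRECTOR_IP" ci "$CI_SECRET"
  echo "client ci created; store CI_SECRET in the pipeline's secret store"
fi
```

For the provisioned-client path (SAML, LDAP, or OIDC), skip create_ci_client and call use_bosh_client directly with the client name and secret recorded from Uaa Bosh Client Credentials, for example `use_bosh_client director BOSH-DIRECTOR-IP bosh_admin_client "$UAA_BOSH_CLIENT_SECRET"`. The final `bosh deployments` call is the check worth keeping in any variant: it requires a token, so it fails immediately on a wrong secret or an untrusted certificate.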