
Is there a way to get bound credentials from PCF CLI? For instance, I want to get database credentials.

More Details:

When you use services like Redis, cloudSQL, etc. in the manifest.yml file, PCF binds those services and generates credentials, and the applications use them. If I want to get the creds to use locally, I need to log in to PCF and go to Services to grab those creds. Instead I want to be able to get these creds from the CLI, without having to log in to the PCF UI. `cf env <service>` shows the VCAP_SERVICES JSON, but for databases it does not show the credentials. It does show them for Redis, though. For databases, I have to go to the web UI, then Services, and open the database service to get the credentials.

JoshMc
Kevin Rave

1 Answer


This is a bit of a guess given the lack of detail, however, it is increasingly common for services to store their credentials in CredHub instead of having them in Cloud Controller. This results in seeing a placeholder entry in VCAP_SERVICES if you look at the environment variables as suggested in the comments.

If that is what you're seeing, you need to go one step further to retrieve the credentials (which is the exact point of the service doing this, it makes it harder to compromise a service's credentials).

  1. `cf ssh` into your app container
  2. Run `curl -vv -i -H 'Content-Type: application/json' --cert /etc/cf-instance-credentials/instance.crt --key /etc/cf-instance-credentials/instance.key -d "$VCAP_SERVICES" 'https://credhub.service.cf.internal:8844/api/v1/interpolate' | jq .`

This may seem like magic, so I'll break it down.

  a.) It's using curl to query the /api/v1/interpolate endpoint of CredHub. This API takes in the contents of VCAP_SERVICES with placeholders and returns a version without placeholders.
  b.) `-d "$VCAP_SERVICES"` will set the body of the request to the contents of $VCAP_SERVICES. This is exactly what the API call expects.
  c.) You are telling curl to perform mutual TLS using the cert & keys at /etc/cf-instance/credentials.key & /etc/cf-instance/credentials.crt. This allows you to authenticate with CredHub.
  d.) The result is JSON, so `jq .` just pretty-prints the response. It's optional.

You could implement the same in your programming language of choice using an HTTP client configured in the same way. You must do this from inside the container though, because CredHub is only available from there and also because that's the only place where you can get the cert/key required to authenticate to CredHub.

Daniel Mikusa
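The same interpolate call as a small Python client, added here as an example rather than code from the answer or from Cloud Foundry. It assumes the CredHub placeholder shape `{"credentials": {"credhub-ref": "/c/..."}}`, the cert/key paths and URL from the curl command, and that the container's trust store includes CredHub's CA; the sample VCAP_SERVICES is constructed.

```python
import json
import ssl
import http.client
from urllib.parse import urlparse

# Values from the curl command in the answer; only valid inside the app container.
CREDHUB_URL = "https://credhub.service.cf.internal:8844/api/v1/interpolate"
INSTANCE_CERT = "/etc/cf-instance-credentials/instance.crt"
INSTANCE_KEY = "/etc/cf-instance-credentials/instance.key"


def credhub_refs(vcap_services):
    """Return [(service_label, instance_name, ref)] for every binding whose
    credentials are still a CredHub placeholder instead of real credentials."""
    refs = []
    for label, bindings in vcap_services.items():
        for b in bindings:
            creds = b.get("credentials") or {}
            if "credhub-ref" in creds:  # assumed placeholder key
                refs.append((label, b.get("name"), creds["credhub-ref"]))
    return refs


def interpolate(vcap_json, cert=INSTANCE_CERT, key=INSTANCE_KEY, url=CREDHUB_URL):
    """POST the raw VCAP_SERVICES JSON to CredHub over mutual TLS and return the
    parsed, placeholder-free copy. Fails loudly if any placeholder remains."""
    ctx = ssl.create_default_context()               # verifies CredHub's server cert
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # instance identity for mTLS
    u = urlparse(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx)
    conn.request("POST", u.path, body=vcap_json,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    body = resp.read()
    if resp.status != 200:
        raise RuntimeError(f"CredHub interpolate failed: {resp.status} {body[:200]!r}")
    resolved = json.loads(body)
    leftover = credhub_refs(resolved)
    if leftover:
        raise RuntimeError(f"unresolved CredHub refs: {leftover}")
    return resolved


# Constructed sample: Redis has inline credentials, the database binding has
# only a CredHub reference (the "placeholder" the answer describes).
SAMPLE_VCAP_SERVICES = {
    "p-redis": [{"name": "my-redis", "credentials": {"host": "10.0.0.5", "password": "x"}}],
    "p-mysql": [{"name": "my-db", "credentials": {"credhub-ref": "/c/p-mysql/my-db/binding-1/credentials"}}],
}
```

Inside the container, `interpolate(os.environ["VCAP_SERVICES"])` performs the same exchange as the curl command; outside it, `credhub_refs` alone tells you which bindings are the ones `cf env` cannot show.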
  • Hmmm... Will try it – Kevin Rave Aug 03 '21 at 19:35
  • When I tried to log in to the app with `cf ssh`, I get `Error opening SSH connection: You are not authorized to perform the requested action.` Not sure if I need any additional privileges. – Kevin Rave Aug 05 '21 at 19:23
  • You may need additional permissions. It depends. You can try https://cli.cloudfoundry.org/en-US/v7/enable-ssh.html to enable it. You might also need to allow it at the space level, http://cli.cloudfoundry.org/en-US/v7/allow-space-ssh.html. Give those a try. If it doesn't help, you'd need to chat with your platform operations team and see if they are preventing it. It's possible for them to block ssh access as well. – Daniel Mikusa Aug 09 '21 at 15:53