
CLI is not able to authenticate with Director UAA Client ID and Secret #17

Closed
ljfranklin opened this issue Sep 29, 2016 · 2 comments

Comments

@ljfranklin
Contributor

Output from Golang CLI:

BOSH_CLIENT=foo BOSH_CLIENT_SECRET=<SECRET> bosh-go deployments

Using environment '<ENV>' as user 'director'

Finding deployments:
  Director responded with non-successful status code '401' response 'Not authorized: '/deployments'
'

Exit code 1

Output from Ruby CLI:

BOSH_CLIENT=foo BOSH_CLIENT_SECRET=<SECRET> bosh-ruby deployments

Acting as client 'foo' on 'bosh'

+---------------+-------------------------------+-------------------------------------------------+--------------+
| Name          | Release(s)                    | Stemcell(s)                                     | Cloud Config |
+---------------+-------------------------------+-------------------------------------------------+--------------+
| concourse     | concourse/1.6.0               | bosh-aws-xen-hvm-ubuntu-trusty-go_agent/3262.12 | latest       |
|               | garden-runc/0.4.0             |                                                 |              |
|               | slack-notification-resource/9 |                                                 |              |
+---------------+-------------------------------+-------------------------------------------------+--------------+

Director UAA snippet:

properties:
  uaa:
    url: "https://<HOST>:8443"
    scim:
      users:
      - ((cli_admin_user))
      - ((repave_user))
      - ((upgrade_user))
    clients:
      bosh_cli:
        override: true
        authorized-grant-types: password,refresh_token
        # scopes the client may receive (password grant: filtered by the user's groups)
        scope: openid,bosh.admin,bosh.read,bosh.*.admin,bosh.*.read
        authorities: uaa.none
        access-token-validity: 120 # 2 min
        refresh-token-validity: 86400 # re-login required once a day
        secret: "" # CLI expects this secret to be empty
      uaa_admin:
        authorized-grant-types: client_credentials
        override: true
        scope: ""
        # client_credentials grant: the token carries these authorities, not "scope"
        authorities: uaa.admin
        access-token-validity: 120 # 2 min
        refresh-token-validity: 86400 # re-login required once a day
        secret: ((uaa_admin_client_secret)) # client_credentials grant: a real secret is required

    admin: {client_secret: ((uaa_admin_client_secret))}
    login: {client_secret: ((uaa_login_client_secret))}
    zones: {internal: {hostnames: []}}
    jwt:
      signing_key: ((uaa_jwt_signing_key))
      verification_key: ((uaa_jwt_verification_key))
    sslPrivateKey: ((uaa_web_ssl_private_key))
    sslCertificate: ((uaa_web_ssl_certificate))

  login:
    saml:
      serviceProviderKey: ((uaa_sp_ssl_private_key))
      serviceProviderCertificate: ((uaa_sp_ssl_certificate))

@cppforlife
Contributor

It mentions "as user 'director'". It looks like you are logged into that env with the director user. Client info is being used, but also with user details. Probably not what you wanted. You can run 'bosh -e blah log-out' to get rid of user details.

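The reply above points at a leftover user session, and the config snippet shows two differently shaped clients (a password-grant bosh_cli with an empty secret and a client_credentials uaa_admin). What a practitioner wants to know in either case is which scopes a given login actually puts into the token, and whether the Director will accept them. The following is an added example, not BOSH or UAA code: a small Python model of how UAA derives token scopes from a client definition (a client_credentials token carries the client's authorities and ignores its scope list; a password-grant token carries the user's groups filtered by the client's scope, wildcards included) and of the scope check a Director read endpoint such as GET /deployments applies. The bosh_cli and uaa_admin entries are taken from the snippet; ci_client, the user groups and the Director rule set are constructed assumptions for the example.

```python
import fnmatch

# Client definitions in the shape of the issue's uaa.clients snippet.
# "bosh_cli" and "uaa_admin" are copied from the snippet; "ci_client" is a
# constructed example of a non-interactive client suitable for
# BOSH_CLIENT/BOSH_CLIENT_SECRET (the issue never shows the real "foo" client).
CLIENTS = {
    "bosh_cli": {
        "authorized-grant-types": {"password", "refresh_token"},
        "scope": {"openid", "bosh.admin", "bosh.read", "bosh.*.admin", "bosh.*.read"},
        "authorities": {"uaa.none"},
    },
    "uaa_admin": {
        "authorized-grant-types": {"client_credentials"},
        "scope": set(),
        "authorities": {"uaa.admin"},
    },
    "ci_client": {
        "authorized-grant-types": {"client_credentials"},
        "scope": set(),
        # client_credentials tokens carry the client's authorities, so the
        # Director permission goes here rather than in "scope".
        "authorities": {"bosh.read"},
    },
}


def _matches_any(patterns, value):
    """True if value equals or wildcard-matches one of the patterns ('.' is literal)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def token_scopes(client_id, grant, user_groups=(), clients=CLIENTS):
    """Scopes UAA puts into an access token for the given client and grant.

    - client_credentials: the token carries the client's authorities; the
      client's "scope" list is not consulted at all.
    - password: the token carries the user's group memberships, filtered by
      the client's allowed "scope" (wildcards such as bosh.*.read apply).
    A grant the client is not authorized for is refused.
    """
    client = clients[client_id]
    if grant not in client["authorized-grant-types"]:
        raise PermissionError(f"client {client_id!r} may not use grant {grant!r}")
    if grant == "client_credentials":
        return set(client["authorities"])
    if grant == "password":
        return {g for g in user_groups if _matches_any(client["scope"], g)}
    raise ValueError(f"grant {grant!r} is not modelled here")


# Simplified Director rule set (assumption for this example): a read endpoint
# accepts global or team-scoped admin/read; a write endpoint needs admin.
READ_PATTERNS = ("bosh.admin", "bosh.read", "bosh.*.admin", "bosh.*.read")
WRITE_PATTERNS = ("bosh.admin", "bosh.*.admin")


def director_authorizes(scopes, method="GET"):
    """True if a token carrying these scopes may call the endpoint."""
    patterns = READ_PATTERNS if method == "GET" else WRITE_PATTERNS
    return any(_matches_any(patterns, s) for s in scopes)


def check(client_id, grant, user_groups=()):
    """Return (token scopes, HTTP status the Director would answer on GET /deployments)."""
    scopes = token_scopes(client_id, grant, user_groups)
    return scopes, 200 if director_authorizes(scopes) else 401


if __name__ == "__main__":
    # uaa_admin can manage UAA but carries no bosh.* authority: 401 at the Director.
    print("uaa_admin ", check("uaa_admin", "client_credentials"))
    # A client built for automation carries bosh.read in its authorities: 200.
    print("ci_client ", check("ci_client", "client_credentials"))
    # Interactive login: bosh_cli passes the user's bosh.* groups through,
    # drops groups outside its scope list (scim.read here): 200.
    print("bosh_cli  ", check("bosh_cli", "password", {"bosh.admin", "openid", "scim.read"}))
```

The practical takeaway is that a client meant for BOSH_CLIENT/BOSH_CLIENT_SECRET must list its bosh.* permission under authorities, because that is what a client_credentials token carries; putting bosh.admin in scope on such a client does nothing, and a password-grant client like bosh_cli cannot be used with client_credentials at all.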

@dpb587-pivotal
Contributor

Closing - was able to reproduce the scenario and suggested fix.
