Commit 833219c

Added 'notes' section to blog
- this will be a place to put short-form notes that do not deserve a dedicated blog post, but I still find useful
1 parent f0e5165 commit 833219c

2 files changed

+53
-0
lines changed

blog/_config.yml

Lines changed: 4 additions & 0 deletions
@@ -28,3 +28,7 @@ assets:
2828
sources:
2929
- _assets/javascripts
3030
- _assets/stylesheets
31+
32+
collections:
33+
notes:
34+
output: true
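Review bot: the new `notes` collection at new lines 32-34 sets only `output: true` and no `permalink`, so rendered notes fall back to Jekyll's default collection URL pattern. If note URLs should follow the same scheme as the blog's posts, set `permalink` under `notes:` in this commit, since changing it later breaks links that have already been shared. The note added in the other file also sets `layout: post` and `type: note` by hand in its front matter; a `defaults` entry scoped to this collection would keep future notes from drifting.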
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
---
2+
layout: post
3+
type: note
4+
title: "Creating a Cloud Foundry Read-only Admin User"
5+
color: green
6+
icon: fa-code
7+
date: 2018-02-15
8+
categories:
9+
- programming
10+
- cloud foundry
11+
---
12+
I wanted to create a section of my site where I can drop off little one-off posts or snippets mostly for my own personal (future) use. This is the inaugural note! 😁
13+
14+
My personal flow for creating a "readonly admin" user on a [bosh-lite](https://github.com/cloudfoundry/bosh-lite) with a director that stores secrets in CredHub while developing Cloud Foundry:
15+
16+
```bash
17+
export BOSH_LITE_DOMAIN=<some-bosh-lite-domain>
18+
export CREDHUB_SERVER="<credhub-server-address>:<credhub-port>"
19+
export CREDHUB_CLIENT=<credhub-client-name>
20+
export CREDHUB_SECRET=<credhub-client-secret>
21+
22+
# Log in to CredHub
23+
credhub login --skip-tls-validation # bosh-lites typically have self-signed certs
24+
25+
# Fetch password for cf admin user from CredHub and authenticate with UAA
26+
cf_admin_pass=$(credhub get --name '/bosh-lite/cf/cf_admin_password' --output-json | jq -r '.value')
27+
cf api https://api.${BOSH_LITE_DOMAIN} --skip-ssl-validation
28+
cf auth admin $cf_admin_pass
29+
30+
# Create user to be readonly admin
31+
cf create-user readonly-admin <password>
32+
33+
# Fetch UAA admin client credentials from CredHub
34+
uaa_secret=$(credhub get --name '/bosh-lite/cf/uaa_admin_client_secret' --output-json | jq -r '.value')
35+
36+
# Authenticate with UAA
37+
uaac target uaa.${BOSH_LITE_DOMAIN} --skip-ssl-validation
38+
uaac token client get admin -s $uaa_secret
39+
40+
uaac group add cloud_controller.admin_read_only # if it does not already exist
41+
uaac member add cloud_controller.admin_read_only readonly-admin
42+
```
43+
44+
The following scripts automate this a bit, but I don't always have a workstation set up to use them handy:
45+
* [target-uaa](https://github.com/cloudfoundry/capi-release/blob/67c59ab59c1f1f7cebab3969e500da6ed4a6549b/scripts/target-uaa)
46+
* [target-cf](https://github.com/cloudfoundry/capi-release/blob/67c59ab59c1f1f7cebab3969e500da6ed4a6549b/scripts/target-cf)
47+
48+
More detailed docs:
49+
* [https://docs.cloudfoundry.org/uaa/uaa-user-management.html#admin-read-only](https://docs.cloudfoundry.org/uaa/uaa-user-management.html#admin-read-only)
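Review bot: on new lines 28 and 38 the secrets are expanded unquoted (`cf auth admin $cf_admin_pass`, `uaac token client get admin -s $uaa_secret`), so a generated password containing whitespace or glob characters is split or expanded by the shell and the login fails or sends the wrong value; quote both as `"$cf_admin_pass"` and `"$uaa_secret"`. Passing them as arguments, like the `<password>` on line 31, also makes them visible to anyone who can list processes on the workstation, which deserves a sentence in the note. Lines 27 and 37 disable certificate validation without the bosh-lite caveat that line 23 carries; repeat it there, or state once above the block that these flags are for a local dev environment only.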
