cloudfoundry/secure-credentials-broker

Name: secure-credentials-broker

Owner: Cloud Foundry

Description: null

Created: 2018-02-02 18:18:11.0

Updated: 2018-05-13 03:59:20.0

Pushed: 2018-03-29 15:52:37.0

Homepage: null

Size: 9968

Language: Go

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

NB: This service broker is provided as a proof-of-concept and as a practical example for integrating service brokers with CredHub. It is not actively maintained or intended for deployment or use in production environments.

Secure Application Credentials Broker

This broker is prototype application service broker that lets user-provided credentials to be securely stored in CredHub for applications to use. The service broker stores the user-provided configuration parameters in CredHub, and returns a CredHub reference back to the platform.

For the entire process about how to setup a local environment by using BOSH Lite and Cloud Foundry cf-deployment, please refer to here.

Using the sample broker

Creating a UAA client with credhub permissions

• The broker is currently configured to use a UAA client for authentication. You must first login with uaa admin credentials to create a UAA client that has credhub read and write access.

ac target https://<your-uaa-domain>

ac token client get admin
nt secret: <admin-password>

ac client add secure-credentials-broker -i
client secret: my-secret
fy new secret: my-secret
e (list):
orized grant types (list):  client_credentials
orities (list):  credhub.read,credhub.write
ss token validity (seconds):  3600
esh token validity (seconds):
rect uri (list):
approve (list):
up redirect url (url):
ope: uaa.none
ient_id: secure-credentials-broker
source_ids: none
thorized_grant_types: client_credentials
toapprove:
cess_token_validity: 3600
thorities: credhub.write credhub.read
me: secure-credentials-broker
gnup_redirect_url:
quired_user_groups:
stmodified: 1519917340000
: secure-credentials-broker

Configuring the broker

• git clone this repo and modify the manifest file to have the client and client secret you created using uaac.

For example:

HUB_SERVER: https://credhub.service.cf.internal:8844
HUB_CLIENT: secure-credentials-broker
HUB_SECRET: my-secret
_TLS_VALIDATION: true
ER_AUTH_USERNAME: user
ER_AUTH_PASSWORD: password

• Target and login to CF, creating appropriate orgs and spaces.

 api <your-cf-api-url-goes-here>
 login
 create-org myOrg
 create-space mySpace -o myOrg
 target -o myOrg -s mySpace

• Change directories to the secure-credentials-broker directory. Create a application security group (asg) json file that has the following contents:

"protocol": "tcp",
"destination": "10.0.0.0/16",
"ports": "8844,8443"

Note: Please refer to here for the example and the destination is subject to your ERT/PAS network CIDR

• Push the service broker application, and then register it to CF as a broker. Note, currently the broker credentials, and the service name, and plan are hardcoded in the broker code.

 push

 create-security-group secure-service-credentials asg.json
 bind-staging-security-group secure-service-credentials
 bind-running-security-group secure-service-credentials

 create-service-broker secure-credentials-broker admin admin https://<your-service-broker-app-url-goes-here>
 enable-service-access secure-credentials -p default -o myOrg

• Create a service instance of your broker and bind to the application that is meant to talk to the broker

   create-service secure-credentials default myInstance -c '{"myJsonKey":"myJsonValue"}'
   push <your-app-that-talks-to-broker> 
   bind-service myApp myInstance
   restage myApp 
  

• Assuming that you are running credhub in assisted-mode your application should be able to access the JSON used when creating the service-instance.
  

Updating the json data

If you would like to update the data that the application has access to, you can do the following:

 update-service myInstance -c '{"updatedKey":"updatedValue"}'
 restage myApp