
cc_service_key_client

Cloud Controller -> CredHub, to retrieve secrets stored by service brokers for service keys (for service brokers that implement this feature).

cf create-service-key ghost-mysql ghost-mysql
cf service-key ghost-mysql ghost-mysql
cf service-keys ghost-mysql

cc_service_key_client:
  authorities: credhub.read,credhub.write
  authorized-grant-types: client_credentials
  secret: ((uaa_clients_cc_service_key_client_secret))

At the time of writing, the Cloud Controller API authenticates and authorizes itself to the Credhub API via the UAA. The Credhub API also supports mutual TLS authentication, so in future the Cloud Controller may switch from using the UAA to using mutual TLS.

At the time of writing, the Credhub::Client#get_credential_by_name library call only supports retrieving existing credentials. Yet the UAA client cc_service_key_client grants the Cloud Controller API both the credhub.read and credhub.write authorities. Either credhub.write could be removed from the UAA client, or perhaps the Cloud Controller API will create and update its own Credhub secrets in future.
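The least-privilege check implied above, as an added Ruby example that is not part of the page or of Cloud Foundry's code: it parses the UAA client definition shown earlier (embedded as constructed sample input), reports authorities beyond the read-only access the Cloud Controller currently uses, and emits the trimmed client. The set of required authorities is an assumption taken from the text (only credhub.read is exercised).

```ruby
require 'yaml'

# Constructed sample input: the UAA client definition shown above, as it would
# sit in a BOSH manifest. The secret stays a CredHub variable reference.
CC_CLIENT_YAML = <<~YAML
  cc_service_key_client:
    authorities: credhub.read,credhub.write
    authorized-grant-types: client_credentials
    secret: ((uaa_clients_cc_service_key_client_secret))
YAML

# Assumed from the text: get_credential_by_name only reads, so only credhub.read is needed.
REQUIRED_AUTHORITIES = %w[credhub.read].freeze

def split_list(value)
  value.to_s.split(',').map(&:strip).reject(&:empty?)
end

# Compare what the client is granted with what its code path actually uses.
def audit_uaa_client(yaml_text, client_name, required = REQUIRED_AUTHORITIES)
  client = YAML.safe_load(yaml_text).fetch(client_name)
  granted = split_list(client['authorities'])
  grant_types = split_list(client['authorized-grant-types'])
  {
    client: client_name,
    granted: granted,
    excess: granted - required,      # authorities that widen the blast radius if the secret leaks
    missing: required - granted,     # authorities the client would fail without
    # a machine-to-machine client should only use client_credentials
    unexpected_grant_types: grant_types - %w[client_credentials]
  }
end

# Emit the same client trimmed to the required authorities (hardened form).
def least_privilege_client(yaml_text, client_name, required = REQUIRED_AUTHORITIES)
  clients = YAML.safe_load(yaml_text)
  clients[client_name]['authorities'] = required.join(',')
  YAML.dump(clients)
end

if __FILE__ == $PROGRAM_NAME
  report = audit_uaa_client(CC_CLIENT_YAML, 'cc_service_key_client')
  puts "excess authorities: #{report[:excess].join(', ')}"   # credhub.write
  puts least_privilege_client(CC_CLIENT_YAML, 'cc_service_key_client')
end
```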