UAA Clients in Cloud Foundry
Cloud Foundry is a combination of microservices and a user-facing CLI, cf, that allows developers to deploy and manage their own web/backend applications.
A running Cloud Foundry includes its own UAA service, which is configured at startup with a set of UAA clients. These clients are used by the microservices to authenticate against each other, or to expose user-facing behavior to the user.
To see the list of pre-configured UAA clients:
    git clone https://github.com/cloudfoundry/cf-deployment
    cd cf-deployment
    bosh int cf-deployment.yml --path /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients
The output at the time of writing is:
    cc-service-dashboards:
      authorities: clients.read,clients.write,clients.admin
      authorized-grant-types: client_credentials
      scope: openid,cloud_controller_service_permissions.read
      secret: ((uaa_clients_cc-service-dashboards_secret))
    cc_routing:
      authorities: routing.router_groups.read
      authorized-grant-types: client_credentials
      secret: ((uaa_clients_cc-routing_secret))
    cc_service_key_client:
      authorities: credhub.read,credhub.write
      authorized-grant-types: client_credentials
      secret: ((uaa_clients_cc_service_key_client_secret))
    cf:
      access-token-validity: 600
      authorities: uaa.none
      authorized-grant-types: password,refresh_token
      override: true
      refresh-token-validity: 2592000
      scope: network.admin,network.write,cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write,doppler.firehose,uaa.user,routing.router_groups.read,routing.router_groups.write,cloud_controller.admin_read_only,cloud_controller.global_auditor,perm.admin
      secret: ""
    cloud_controller_username_lookup:
      authorities: scim.userids
      authorized-grant-types: client_credentials
      secret: ((uaa_clients_cloud_controller_username_lookup_secret))
    doppler:
      authorities: uaa.resource
      authorized-grant-types: client_credentials
      override: true
      secret: ((uaa_clients_doppler_secret))
    gorouter:
      authorities: routing.routes.read
      authorized-grant-types: client_credentials
      secret: ((uaa_clients_gorouter_secret))
    network-policy:
      authorities: uaa.resource,cloud_controller.admin_read_only
      authorized-grant-types: client_credentials
      secret: ((uaa_clients_network_policy_secret))
    routing_api_client:
      authorities: routing.routes.write,routing.routes.read,routing.router_groups.read
      authorized-grant-types: client_credentials
      secret: ((uaa_clients_routing_api_client_secret))
    ssh-proxy:
      authorized-grant-types: authorization_code
      autoapprove: true
      override: true
      redirect-uri: https://uaa.((system_domain))/login
      scope: openid,cloud_controller.read,cloud_controller.write
      secret: ((uaa_clients_ssh-proxy_secret))
    tcp_emitter:
      authorities: routing.routes.write,routing.routes.read
      authorized-grant-types: client_credentials
      secret: ((uaa_clients_tcp_emitter_secret))
    tcp_router:
      authorities: routing.routes.read
      authorized-grant-types: client_credentials
      secret: ((uaa_clients_tcp_router_secret))
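To review this list, it helps to reduce each client to how it obtains tokens (as itself via client_credentials, where `authorities` apply, or on behalf of a user, where `scope` applies) and where its secret comes from. The Ruby script below is an added example, not part of cf-deployment; the names `inventory`, `secret_kind` and the result keys are this example's own, and it assumes the `bosh int` output has been saved as text.

```ruby
require 'yaml'

# Three clients copied from the `bosh int` output above.
SAMPLE = <<~'YAML'
  cf:
    access-token-validity: 600
    authorities: uaa.none
    authorized-grant-types: password,refresh_token
    override: true
    refresh-token-validity: 2592000
    scope: network.admin,network.write,cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write,doppler.firehose,uaa.user,routing.router_groups.read,routing.router_groups.write,cloud_controller.admin_read_only,cloud_controller.global_auditor,perm.admin
    secret: ""
  gorouter:
    authorities: routing.routes.read
    authorized-grant-types: client_credentials
    secret: ((uaa_clients_gorouter_secret))
  ssh-proxy:
    authorized-grant-types: authorization_code
    autoapprove: true
    override: true
    redirect-uri: https://uaa.((system_domain))/login
    scope: openid,cloud_controller.read,cloud_controller.write
    secret: ((uaa_clients_ssh-proxy_secret))
YAML

USER_GRANTS = %w[password authorization_code implicit refresh_token].freeze
def list(value) # comma-separated UAA property -> array (nil -> [])
  value.to_s.split(',').map(&:strip)
end

# ((name)) is a BOSH variable filled in at deploy time; anything else sits in the manifest.
def secret_kind(secret)
  return :empty if secret.to_s.empty?
  secret.to_s.match?(/\A\(\(.+\)\)\z/) ? :bosh_variable : :literal
end

# One summary hash per client in the YAML text.
def inventory(yaml_text)
  YAML.safe_load(yaml_text).map do |name, props|
    grants = list(props['authorized-grant-types'])
    { name: name, grants: grants,
      user_facing: !(grants & USER_GRANTS).empty?,    # tokens carry `scope`
      service: grants.include?('client_credentials'), # tokens carry `authorities`
      authorities: list(props['authorities']), scope: list(props['scope']),
      secret: secret_kind(props['secret']), autoapprove: props['autoapprove'] == true }
  end
end

inventory(SAMPLE).each { |client| puts client }
```
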
cc-service-dashboards
cc_routing
cf
The cf client is used by the cf CLI.