How to add a Read-Only user in Bosh

Recently, a customer came up with a request on how they can create a user with less privileges in bosh environment to run any curl queries as in here. In this blog post, we will see how to add a read-only BOSH user who has read access to the director but does not have admin access to deployments. Read only access prevents users from managing VMs, creating or updating deployments, running errands, etc.

Every time you do a BOSH login, the Bosh CLI uses the bosh_cli client. By default, the bosh_cli scopes are set and contain Bosh.admin. Here are the steps to create a user with read-only authorities.

  1. Using the uaac target command, target BOSH Director UAA on port 8443 using the bosh IP, and specify the location of the root certificate.
uaac target https://BOSH-DIRECTOR-IP:8443 --ca-cert \ /var/tempest/workspaces/default/root_ca_certificate 

Note: You may use –skip-ssl-valiadtion to skip the ssl validation

2. Generate a token for the admin user by running the below command.

uaac token owner get login admin -s <Uaa Login Client Credentials> -p <Uaa Admin User Credential>

Note: Uaa Login Client Credentials and Uaa Admin User Credentials can be obtained by logging into Opsman GUI > Bosh tile > Credentials tab.

3. Run the below command to create a client that has read-only authorities, readonly-new is the name of the read-only client we are creating.

uaac client add readonly-new --name readonly-new --authorities ", bosh.*.read" --scope "uaa.none" --authorized_grant_types "client_credentials"

The output will be similar to the below screenshot. You have to give a client secret of your choice when asked.

Set the below env for the readonly-new client to gain command line access to bosh. Make sure to update the client and secret in the bosh command line credentials.

export BOSH_CLIENT=readonly-new BOSH_CLIENT_SECRET=VMware1! BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=

Confirm it works by trying to restart a VM using bosh command.

From the above screenshot, we can see the restart attempt was failed as the client does not have enough privileges.

I hope this blog post helps someone to create a read-only client in bosh. In the next blog post, we will see how to make use of this read-only user to run some API calls.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at

Up ↑

%d bloggers like this: