
Introduction

CredHub manages credentials like passwords, users, certificates, certificate authorities, ssh keys, rsa keys and arbitrary values (strings and JSON blobs). The following spec details the commands for the CredHub CLI.

Get Credentials

Get by ID

CredHub CLI

user$ credhub get --id 2993f622-cb1e-4e00-a267-4b23c273bf3d
id: 2993f622-cb1e-4e00-a267-4b23c273bf3d
name: /example-password
type: password
value: 6mRPZB3bAfb8lRpacnXsHfDhlPqFcjH2h9YDvLpL
version_created_at: 2017-01-05T01:01:01Z

This request retrieves a credential by ID. Exactly one value will be returned.

Get by Name

CredHub CLI


user$ credhub get --name '/example-password'
id: 2993f622-cb1e-4e00-a267-4b23c273bf3d
name: /example-password
type: password
value: 6mRPZB3bAfb8lRpacnXsHfDhlPqFcjH2h9YDvLpL
version_created_at: 2017-01-05T01:01:01Z

This request returns a credential’s value(s) by name. The current value will be returned unless --versions=<NUMBER OF VERSIONS> is specified. To return only the value of a credential, use the --quiet or -q flag. If you would only like to see one key from the value (e.g. a certificate’s private key), use the -k <NAME OF KEY> or --key=<NAME OF KEY> flag.

Output JSON

CredHub CLI


user$ credhub get --name '/example-json'
{
    "id": "b508a5d6-c1ed-4218-8ed3-aca98d8b2c25",
    "name": "/example-json",
    "type": "json",
    "value": {
        "is_true": true,
        "key": 123,
        "key_list": [
            "val1",
            "val2"
        ]
    },
    "version_created_at": "2020-03-10T16:32:37Z"
}

All responses default to YAML unless the -j or --output-json flags are passed in.

Type: Value

CredHub CLI

user$ credhub get --name '/example-value'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-value
type: value
value: sample
version_created_at: 2017-01-01T04:07:18Z

This request returns a credential by name. The example provided shows the request parameters and response structure of a value type credential.

Type: JSON

CredHub CLI

user$ credhub get --name '/example-json'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-json
type: json
value:
  key: 123
  key_list:
  - val1
  - val2
  is_true: true
version_created_at: 2017-01-01T04:07:18Z

This request returns a credential by name. The example provided shows the request parameters and response structure of a JSON type credential. The response is formatted as YAML by default, but can be formatted as JSON using the -j flag.

Type: Password

CredHub CLI

user$ credhub get --name '/example-password'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-password
type: password
value: 3t6Y2OFP0jQIcLnki1h7p3NtSfDx4l9bamr1ja6R
version_created_at: 2017-01-01T04:07:18Z

Type: User

CredHub CLI

user$ credhub get --name '/example-user'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-user
type: user
value:
  username: FQnwWoxgSrDuqDLmeLpU
  password: 6mRPZB3bAfb8lRpacnXsHfDhlPqFcjH2h9YDvLpL
  password_hash: $6$h3b3JsG5$MnrPIrF6T3zAWk9uaun64vWY.vaBQ5nTRFZjjVqKuDWccxWXn8n6vstQykXEReamb4GYh2q1HC7vFy11wflXd0
version_created_at: 2017-01-01T04:07:18Z

This request returns a credential by name. The example provided shows the request parameters and response structure of a user type credential.

Type: Certificate

CredHub CLI

user$ credhub get --name '/example-certificate'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-certificate
type: certificate
value:
  root: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  certificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

This request returns a credential by name. The example provided shows the request parameters and response structure of a certificate type credential.

Type: RSA

CredHub CLI

user$ credhub get --name '/example-rsa'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-rsa
type: rsa
value:
  public_key: |
    -----BEGIN PUBLIC KEY-----
    ...
    -----END PUBLIC KEY-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

This request returns a credential by name. The example provided shows the request parameters and response structure of an RSA type credential.

Type: SSH

CredHub CLI

user$ credhub get --name '/example-ssh'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-ssh
type: ssh
value:
  public_key: ssh-rsa AAAAB3Nz...
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

This request returns a credential by name. The example provided shows the request parameters and response structure of an SSH type credential.

Generating Credentials

Long Flag            Short Flag  Used For Type          Description
--name               -n          All                    Name of the credential to generate
--type               -t          All                    Sets the credential type to generate. Valid types include ‘password’, ‘user’, ‘certificate’, ‘ssh’ and ‘rsa’.
--no-overwrite       -O          All                    Credential is not modified if stored value already exists
--username           -z          User                   Sets the username value of the credential
--password           -w          User, Password         Sets the password value of the credential
--length             -l          User, Password         Length of the generated value (Default: 30)
--include-special    -S          User, Password         Include special characters in the generated value
--exclude-number     -N          User, Password         Exclude number characters from the generated value
--exclude-upper      -U          User, Password         Exclude upper alpha characters from the generated value
--exclude-lower      -L          User, Password         Exclude lower alpha characters from the generated value
--ssh-comment        -m          SSH                    Comment appended to public key to help identify in environment
--key-length         -k          SSH, RSA, Certificate  Bit length of the generated key (Default: 2048)
--duration           -d          Certificate            Valid duration (in days) of the generated certificate (Default: 365)
--common-name        -c          Certificate            Common name of the generated certificate
--organization       -o          Certificate            Organization of the generated certificate
--organization-unit  -u          Certificate            Organization unit of the generated certificate
--locality           -i          Certificate            Locality/city of the generated certificate
--state              -s          Certificate            State/province of the generated certificate
--country            -y          Certificate            Country of the generated certificate
--alternative-name   -a          Certificate            A subject alternative name of the generated certificate (may be specified multiple times)
--key-usage          -g          Certificate            Key Usage extensions for the generated certificate (may be specified multiple times)
--ext-key-usage      -e          Certificate            Extended Key Usage extensions for the generated certificate (may be specified multiple times)
--ca                             Certificate            Name of CA used to sign the generated certificate
--is-ca                          Certificate            The generated certificate is a certificate authority
--self-sign                      Certificate            The generated certificate will be self-signed
--metadata           n/a         All                    Sets additional metadata on the credential
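The password flags above (--length, --include-special and the --exclude-* family) describe a character-class policy. The following Python is an added example, not CredHub's own generator: it builds the alphabet the flags imply, draws from it with the OS CSPRNG (the `secrets` module), and offers a `satisfies_policy` check that can be run over a value retrieved with `credhub get` to confirm it matches the policy it was supposedly generated under. The special-character set and the guarantee of at least one character per enabled class are this example's assumptions; the page does not state either.

```python
import secrets
import string

# Character classes toggled by the generate flags. SPECIAL is an assumed set;
# the page does not list which special characters CredHub uses.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{}:;,.<>?"


def enabled_classes(include_special=False, exclude_number=False,
                    exclude_upper=False, exclude_lower=False):
    """Mirror the flag semantics: upper, lower and digits are on by default,
    specials are opt-in (--include-special) and each --exclude-* flag removes
    one class. Returns the enabled classes in a fixed order."""
    classes = []
    if not exclude_upper:
        classes.append(UPPER)
    if not exclude_lower:
        classes.append(LOWER)
    if not exclude_number:
        classes.append(DIGITS)
    if include_special:
        classes.append(SPECIAL)
    if not classes:
        raise ValueError("every character class is excluded; nothing to generate from")
    return classes


def generate_password(length=30, **flags):
    """Draw `length` characters from the enabled classes with the OS CSPRNG.
    This example additionally guarantees at least one character from every
    enabled class (an assumption; the page does not say CredHub does this)."""
    classes = enabled_classes(**flags)
    if length < len(classes):
        raise ValueError(f"length {length} is too short for {len(classes)} required classes")
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG so the guaranteed picks do not
    # sit at predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_policy(password, include_special=False, exclude_number=False,
                     exclude_upper=False, exclude_lower=False):
    """Check a value (e.g. one retrieved with `credhub get`) against the same
    flag set: excluded classes must be absent and enabled classes present."""
    present = {
        UPPER: any(ch in UPPER for ch in password),
        LOWER: any(ch in LOWER for ch in password),
        DIGITS: any(ch in DIGITS for ch in password),
        SPECIAL: any(ch in SPECIAL for ch in password),
    }
    try:
        enabled = enabled_classes(include_special, exclude_number, exclude_upper, exclude_lower)
    except ValueError:
        return False
    for cls, found in present.items():
        if cls in enabled and not found:
            return False  # an enabled class is missing from the value
        if cls not in enabled and found:
            return False  # an excluded class leaked into the value
    return True


if __name__ == "__main__":
    print(generate_password())                                   # 30 chars, default classes
    print(generate_password(length=20, exclude_number=True))     # letters only
    print(generate_password(length=16, include_special=True))    # specials enabled
```

`satisfies_policy` is the useful half for a defender: running it over existing values flags credentials that were set by hand with a weaker alphabet than the generate policy would have produced.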

Type: Password

This request generates a password credential based on the provided parameters.

CredHub CLI

user$ credhub generate --type password --name '/example-password'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-password
type: password
value: 3t6Y2OFP0jQIcLnki1h7p3NtSfDx4l9bamr1ja6R
version_created_at: 2017-01-01T04:07:18Z

Type: User

This request generates a user credential based on the provided parameters.

CredHub CLI

user$ credhub generate --type user --name '/example-user'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-user
type: user
value:
  username: FQnwWoxgSrDuqDLmeLpU
  password: 6mRPZB3bAfb8lRpacnXsHfDhlPqFcjH2h9YDvLpL
  password_hash: $6$h3b3JsG5$MnrPIrF6T3zAWk9uaun64vWY.vaBQ5nTRFZjjVqKuDWccxWXn8n6vstQykXEReamb4GYh2q1HC7vFy11wflXd0
version_created_at: 2017-01-01T04:07:18Z

Type: Certificate

This request generates a certificate credential based on the provided parameters.

CredHub CLI

user$ credhub generate --type certificate --name '/example-certificate' --common-name 'example.com' --ca '/example-ca'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-certificate
type: certificate
value:
  root: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  certificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

Type: RSA

This request generates an RSA credential based on the provided parameters.

CredHub CLI

user$ credhub generate --type rsa --name '/example-rsa'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-rsa
type: rsa
value:
  public_key: |
    -----BEGIN PUBLIC KEY-----
    ...
    -----END PUBLIC KEY-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

Type: SSH

This request generates an SSH credential based on the provided parameters.

CredHub CLI

user$ credhub generate --type ssh --name '/example-ssh'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-ssh
type: ssh
value:
  public_key: ssh-rsa AAAAB3NzaC1y...W9RWFM1
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

Regenerating Credentials

Long Flag      Short Flag  Used For Type  Description
--name         -n          All            Name of the credential to regenerate
--output-json  -j          All            Return response in JSON format
--metadata     n/a         All            Sets metadata on the regenerated credential. The existing metadata is persisted by default. To clear the existing metadata, use this flag and pass in an empty JSON object.

Regenerate

Set a credential with a generated value using the same attributes as the stored value

CredHub CLI

user$ credhub regenerate --name '/example-password'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-password
type: password
value: 3t6Y2OFP0jQIcLnki1h7p3NtSfDx4l9bamr1ja6R
version_created_at: 2017-01-01T04:07:18Z

Bulk Regenerate

Recursively regenerate all certificates signed by the provided certificate

CredHub CLI

user$ credhub bulk-regenerate --signed-by /bosh-maestro/zookeeper/tom-ca
regenerated_credentials:
- /bosh-maestro/zookeeper/tom-leaf

Set Credentials

Long Flag      Short Flag  Used For Type          Description
--name         -n          All                    Name of the credential to set
--type         -t          All                    Sets the credential type. Valid types include ‘value’, ‘json’, ‘password’, ‘user’, ‘certificate’, ‘ssh’ and ‘rsa’.
--value        -v          Value, JSON            Sets the value for the credential
--ca-name      -m          Certificate            Sets the root CA to a stored CA credential
--root         -r          Certificate            Sets the root CA from file or value
--certificate  -c          Certificate            Sets the certificate from file or value
--private      -p          Certificate, SSH, RSA  Sets the private key from file or value
--public       -u          SSH, RSA               Sets the public key from file or value
--username     -z          User                   Sets the username value of the credential
--password     -w          User, Password         Sets the password value of the credential
--output-json  -j          All                    Return response in JSON format
--metadata     n/a         All                    Sets additional metadata on the credential

Type: Value

CredHub CLI

user$ credhub set --type value --name '/example-value' --value 'sample'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-value
type: value
value: sample
version_created_at: 2017-01-01T04:07:18Z

This request sets a value credential with a user-provided value.

Type: JSON

CredHub CLI

user$ credhub set --type json --name '/example-json' --value '{ "key": 123, "key_list": ["val1","val2"], "is_true": true }'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-json
type: json
value:
  key: 123
  key_list:
  - val1
  - val2
  is_true: true
version_created_at: 2017-01-01T04:07:18Z

This request sets a json credential with a user-provided value.

Type: Password

CredHub CLI

user$ credhub set --type password --name '/example-password' --password '3t6Y2OFP0jQIcLnki1h7p3NtSfDx4l9bamr1ja6R'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-password
type: password
value: 3t6Y2OFP0jQIcLnki1h7p3NtSfDx4l9bamr1ja6R
version_created_at: 2017-01-01T04:07:18Z

This request sets a password credential with a user-provided value.

Type: User

CredHub CLI

user$ credhub set --type user --name '/example-user' --username 'FQnwWoxgSrDuqDLmeLpU' --password '6mRPZB3bAfb8lRpacnXsHfDhlPqFcjH2h9YDvLpL'
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-user
type: user
value:
  username: FQnwWoxgSrDuqDLmeLpU
  password: 6mRPZB3bAfb8lRpacnXsHfDhlPqFcjH2h9YDvLpL
  password_hash: $6$h3b3JsG5$MnrPIrF6T3zAWk9uaun64vWY.vaBQ5nTRFZjjVqKuDWccxWXn8n6vstQykXEReamb4GYh2q1HC7vFy11wflXd0
version_created_at: 2017-01-01T04:07:18Z

This request sets a user credential with a user-provided value.

Type: Certificate

CredHub CLI

user$ credhub set --type certificate --name '/example-certificate' --root ./root.pem --certificate ./cert.pem --private ./private.pem
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-certificate
type: certificate
value:
  root: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  certificate: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

This request sets a certificate credential with a user-provided value.

Type: RSA

CredHub CLI

user$ credhub set --type rsa --name '/example-rsa' --public ./public.pem --private ./private.pem
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-rsa
type: rsa
value:
  public_key: |
    -----BEGIN PUBLIC KEY-----
    ...
    -----END PUBLIC KEY-----
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

This request sets an RSA credential with a user-provided value.

Type: SSH

CredHub CLI

user$ credhub set --type ssh --name '/example-ssh' --public ./public.pem --private ./private.pem
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-ssh
type: ssh
value:
  public_key: ssh-rsa AAAAB3NzaC1y...W9RWFM1
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

This request sets an SSH credential with a user-provided value.

Deleting Credentials

This request deletes a credential by name or by path.

CredHub CLI

user$ credhub delete --name '/example-password'
Credential successfully deleted

user$ credhub delete --path '/example-path'
2 out of 2 credentials under the provided path are successfully deleted.

Permissions

Permissions can be defined for namespaces as well as on explicit credential names. Permissions are additive – if any rule exists authorizing a user to take an action, then the action will be permitted.

Actor names must be prefixed with the authentication type:
- mtls-app:APP-GUID (e.g. mtls-app:fdbeb2d4-b601-4a0d-91e8-7e38dde426f7)
- uaa-user:USER-GUID (e.g. uaa-user:2ae1621a-bb35-4bb7-946a-4761d3b16a04)
- uaa-client:CLIENT-NAME (e.g. uaa-client:director_to_credhub)

Setting/Updating Permissions

This request sets permissions for a path for an actor. You can add permission for a specific credential on a path, as well as all items under a path by using the * syntax.

Long Flag     Short Flag  Description
--actor       -a          Name of the actor to grant permissions for
--path        -p          Name of path to grant permissions for
--operations  -o          Operations allowed (comma-separated list; options: read, write, delete, read_acl, write_acl)

CredHub CLI

user$ credhub set-permission -a uaa-user:2ae1621a-bb35-4bb7-946a-4761d3b16a04 -p /some-path/* -o read,write,delete,read_acl,write_acl
actor: uaa-user:2ae1621a-bb35-4bb7-946a-4761d3b16a04
operations:
- read
- write
- delete
- read_acl
- write_acl
path: /some-path/*
uuid: cf395f8e-130f-48d8-849e-2250e2886490
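The two rules that matter when reasoning about CredHub permissions are the ones stated above: rules are additive (any matching rule that grants an operation permits it), and a path ending in `*` covers every credential beneath it. The Python below is an added example that models set-permission, get-permission, delete-permission and the resulting authorization decision; it is not CredHub's implementation. The GUID and client-name shapes used to validate actors, the assumption that `*` also covers nested sub-paths, and the behaviour that re-setting a permission replaces its operation list are this example's assumptions.

```python
import re
import uuid

# Actor prefixes the page lists, each with the identifier shape it expects.
# The GUID and client-name patterns are this example's assumptions.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ACTOR_PATTERNS = {
    "mtls-app": re.compile(rf"^{GUID}$"),
    "uaa-user": re.compile(rf"^{GUID}$"),
    "uaa-client": re.compile(r"^[A-Za-z0-9._-]+$"),
}
VALID_OPERATIONS = ("read", "write", "delete", "read_acl", "write_acl")


def validate_actor(actor):
    """Reject actors that lack a known authentication-type prefix."""
    auth_type, sep, ident = actor.partition(":")
    pattern = ACTOR_PATTERNS.get(auth_type)
    if not sep or pattern is None or not pattern.match(ident):
        raise ValueError(
            f"actor must look like mtls-app:GUID, uaa-user:GUID or uaa-client:NAME, got {actor!r}")
    return actor


def path_matches(rule_path, credential_name):
    """A rule path names one credential exactly or ends in '/*', in which case
    it covers everything beneath that prefix (assumed to include nested paths)."""
    if rule_path.endswith("/*"):
        return credential_name.startswith(rule_path[:-1])
    return credential_name == rule_path


class PermissionStore:
    """In-memory model of set-permission / get-permission / delete-permission
    with the additive evaluation rule the page describes."""

    def __init__(self):
        self.rules = []  # each rule has the actor/operations/path/uuid keys the CLI prints

    def set_permission(self, actor, path, operations):
        validate_actor(actor)
        bad = [op for op in operations if op not in VALID_OPERATIONS]
        if bad:
            raise ValueError(f"unknown operations: {bad}")
        existing = self.get_permission(actor, path)
        if existing is None:
            existing = {"actor": actor, "path": path, "uuid": str(uuid.uuid4())}
            self.rules.append(existing)
        existing["operations"] = list(operations)  # assumption: an update replaces the list
        return existing

    def get_permission(self, actor, path):
        for rule in self.rules:
            if rule["actor"] == actor and rule["path"] == path:
                return rule
        return None

    def delete_permission(self, actor, path):
        rule = self.get_permission(actor, path)
        if rule is not None:
            self.rules.remove(rule)
        return rule

    def is_allowed(self, actor, credential_name, operation):
        """Additive check: permitted if ANY rule for this actor covers the
        credential and lists the operation. There is no deny rule, so the only
        way to narrow access is to delete or shrink the broad rule."""
        return any(
            rule["actor"] == actor
            and operation in rule["operations"]
            and path_matches(rule["path"], credential_name)
            for rule in self.rules
        )


if __name__ == "__main__":
    store = PermissionStore()
    user = "uaa-user:2ae1621a-bb35-4bb7-946a-4761d3b16a04"
    store.set_permission(user, "/some-path/*", ["read"])
    print(store.is_allowed(user, "/some-path/db-password", "read"))    # True
    print(store.is_allowed(user, "/some-path/db-password", "write"))   # False
```

The practical consequence of `is_allowed` being a pure `any(...)` is worth auditing for: a narrow, read-only rule on `/some-path/db-password` does not restrict anything if a `/some-path/*` rule for the same actor already grants write, so reviews of access should start from the broadest wildcard rules an actor holds.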

Getting Permissions

This request retrieves a permission given the path and actor.

Long Flag  Short Flag  Description
--actor    -a          Name of the actor to get permissions for
--path     -p          Name of path to get permissions for

CredHub CLI

user$ credhub get-permission -a uaa-user:2ae1621a-bb35-4bb7-946a-4761d3b16a04 -p /some-path/*
actor: uaa-user:2ae1621a-bb35-4bb7-946a-4761d3b16a04
operations:
- read
- write
- delete
- read_acl
- write_acl
path: /some-path/*
uuid: cf395f8e-130f-48d8-849e-2250e2886490

Deleting Permissions

Delete permissions for an actor on a given path

Long Flag  Short Flag  Description
--actor    -a          Name of the actor to delete permissions for
--path     -p          Name of path to delete permissions for

CredHub CLI

user$ credhub delete-permission -a uaa-user:2ae1621a-bb35-4bb7-946a-4761d3b16a04 -p /some-path/*
actor: uaa-user:2ae1621a-bb35-4bb7-946a-4761d3b16a04
operations:
- read
- write
- delete
- read_acl
- write_acl
path: /some-path/*
uuid: cf395f8e-130f-48d8-849e-2250e2886490

Curl

Make an arbitrary request to the targeted CredHub server

Long Flag  Short Flag  Description
--path     -p          The server endpoint to make the request against
--fail     -f          Fail silently (no output at all) on HTTP errors
           -X          HTTP method (default: GET)
           -d          HTTP data to include in the request body
           -i          Include the response headers in the output

CredHub CLI

user$ credhub curl -p api/v1/certificates
{
  "certificates": [
    {
      "id": "933cd14f-3d3b-4637-a61b-474648fad0ca",
      "name": "/bosh-maestro/zookeeper/tom-leaf",
      "signed_by": "/bosh-maestro/zookeeper/tom-ca",
      "signs": [],
      "versions": [
        {
          "certificate_authority": false,
          "expiry_date": "2021-03-13T15:15:13Z",
          "generated": true,
          "id": "410148ab-5479-4c26-8036-eb9dfd825c68",
          "self_signed": false,
          "transitional": false
        },
        {
          "certificate_authority": false,
          "expiry_date": "2021-03-12T14:25:06Z",
          "generated": true,
          "id": "c4432134-79cc-4c70-8932-8d5e911097f5",
          "self_signed": false,
          "transitional": false
        }
       ]
    }
  ]
}

Authentication

Login

Authenticate with CredHub. UAA password and client credential grants are supported. If client credentials exist in the environment, authentication will be performed automatically without the need to explicitly call this command.

Long Flag              Short Flag  Description
--username             -u          Authentication username
--password             -p          Authentication password
--client-name                      Client name for UAA client grant [$CREDHUB_CLIENT]
--client-secret                    Client secret for UAA client grant [$CREDHUB_SECRET]
--server               -s          URI of API server to target [$CREDHUB_SERVER]
--ca-cert                          Trusted CA for API and UAA TLS connections [$CREDHUB_CA_CERT]
--skip-tls-validation              Skip certificate validation of the API endpoint. Not recommended!
--sso                              Prompt for a one-time passcode to login
--sso-passcode                     One-time passcode

CredHub CLI

user$ credhub login -s https://10.0.0.6:8844 --client-name=some-name --client-secret=some-secret
Setting the target url: https://10.0.0.6:8844
Login Successful

Api

Get or set the CredHub API target where commands are sent. The api command without any flags will return the current target. If --ca-cert or --skip-tls-validation are provided, these preferences will be cached for future requests.

Long Flag              Short Flag  Description
--server               -s          URI of API server to target [$CREDHUB_SERVER]
--ca-cert                          Trusted CA for API and UAA TLS connections [$CREDHUB_CA_CERT]
--skip-tls-validation              Skip certificate validation of the API endpoint. Not recommended!

CredHub CLI

user$ credhub api --server https://10.0.0.6:8844
Setting the target url: https://10.0.0.6:8844

Logout

Discard authenticated session. Refresh token revocation will be attempted for password grants.

CredHub CLI

user$ credhub logout
Logout Successful

Interpolating Credentials

Fill a template with values returned from CredHub.

Uses double-paren placeholders in the style of the bosh cli. Example:

something-stored-in-credhub: ((path/to/var))
something-else: static value

In the above example, the whole value of the cred will be inserted.

If you want just the certificate value, you’d need to use ((path/to/var.certificate)), which would only have the specified field. Example:

certificate: ((path/to/var.certificate))
private_key: ((path/to/var.private_key))

If the prefix flag is provided, the given prefix will be prepended to any credentials that do not start with the ‘/’ character.

Note: There cannot be spaces inside the parentheses

Long Flag       Short Flag  Description
--file          -f          Path to the file to interpolate
--prefix        -p          Prefix to be applied to credential paths. Will not be applied to paths that start with ‘/’
--skip-missing  -s          Allow skipping missing params

CredHub CLI

user$ credhub interpolate -f /tmp/creds.yml
db-password: j8aej715TuQZGzQr8FBdnn5hQT2fOp
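To make the placeholder rules above concrete, here is an added Python example (not the CredHub CLI's own interpolator) that implements them as text substitution over a template: `((name))` inserts the whole value, `((name.field))` inserts one key of a structured value, `--prefix` is prepended to names that do not start with `/`, `--skip-missing` leaves unresolved placeholders untouched, and anything with spaces inside the parentheses is not treated as a placeholder. The dictionary standing in for the CredHub lookup is constructed; joining the prefix and name with `/`, and rendering a whole structured value as JSON, are this example's choices.

```python
import json
import re


class MissingCredential(KeyError):
    """Raised when a placeholder names a credential or field that is absent."""


# ((name)) or ((name.field)); no whitespace or parentheses allowed inside.
PLACEHOLDER = re.compile(r"\(\(([^\s()]+)\)\)")


def resolve_name(name, prefix):
    """--prefix semantics: names that already start with '/' are left alone,
    every other name gets the prefix prepended (joined with '/', an assumption)."""
    if prefix is None or name.startswith("/"):
        return name
    return prefix.rstrip("/") + "/" + name


def render_value(value):
    """Whole-value insertion: strings go in verbatim; structured values are
    emitted as JSON, which YAML reads as a flow mapping (this example's choice)."""
    return value if isinstance(value, str) else json.dumps(value)


def interpolate(template, lookup, prefix=None, skip_missing=False):
    """Replace every placeholder in `template` using `lookup`, a dict standing
    in for CredHub (full credential name -> value). `.field` selects one key
    of a structured value such as a certificate's private_key."""
    def replace(match):
        ref = match.group(1)
        name, _, field = ref.partition(".")
        full_name = resolve_name(name, prefix)
        if full_name not in lookup:
            if skip_missing:
                return match.group(0)  # --skip-missing: leave the placeholder as-is
            raise MissingCredential(full_name)
        value = lookup[full_name]
        if not field:
            return render_value(value)
        if not isinstance(value, dict) or field not in value:
            if skip_missing:
                return match.group(0)
            raise MissingCredential(f"{full_name}.{field}")
        return render_value(value[field])

    return PLACEHOLDER.sub(replace, template)


# Constructed stand-in for the credentials CredHub would return.
SAMPLE_CREDENTIALS = {
    "/db/password": "j8aej715TuQZGzQr8FBdnn5hQT2fOp",
    "/tls/web": {"certificate": "CERT-PEM", "private_key": "KEY-PEM"},
}

SAMPLE_TEMPLATE = (
    "db-password: ((/db/password))\n"
    "cert: ((/tls/web.certificate))\n"
    "static: value\n"
)


if __name__ == "__main__":
    print(interpolate(SAMPLE_TEMPLATE, SAMPLE_CREDENTIALS), end="")
    print(interpolate("key: ((web.private_key))", SAMPLE_CREDENTIALS, prefix="/tls"))
```

Because `((/tls/web))` would inline the private key along with the certificate, templates that only need the public half should always select `.certificate`; `--skip-missing` is the setting to watch in CI, since it turns an unresolved secret into a literal `((...))` string in the rendered file instead of a failure.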

Import/Export Credentials

Bulk Export

CredHub CLI

user$ credhub export --file export.yml

This CLI command gets multiple credentials and exports them to either standard out or a file. The output will be in YAML format, with the key credentials whose value is a list of credential objects. Each credential will contain a name, type and value. The command above shows the file form. This file is compatible with the bulk import process.

Use --file to specify a file to write the export to. Use --path to specify a path, which will restrict the credentials exported to those with a prefix matching the given path.

Bulk Import

CredHub CLI

user$ credhub import --file import.yml
id: 67fc3def-bbfb-4953-83f8-4ab0682ad675
name: /example-ssh
type: ssh
value:
  public_key: ssh-rsa AAAAB3NzaC1y...W9RWFM1
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
version_created_at: 2017-01-01T04:07:18Z

id: 2ba73fbd-439e-40ef-b005-0e1db8815063
name: /example-password
type: password
value: SqFcE2c0AuRvet2YhrxdFbPtkBmjiq
version_created_at: 2017-01-01T04:07:28Z

id: 22a1e87b-ba0b-4bc9-bb26-4e5fc5fb1b2f
name: /example-value
type: value
value: sample
version_created_at: 2017-01-01T04:07:38Z

Import complete.
Successfully set: 3
Failed to set: 0

This CLI command sets multiple credentials from an import file. The import file must be in YAML format, with the key credentials whose value is a list of credential objects. Each credential must contain a name, type and value. The output above shows an import of three credentials.
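An export file is exactly what the import command consumes, so the format described in these two sections is worth linting before a bulk import runs against a live server. The Python below is an added example, not part of the CredHub CLI: it checks a parsed import document for the structure the page states (a `credentials` list whose entries carry `name`, `type` and `value`, with `type` drawn from the set the set-command table lists) and reports counts in the shape of the CLI's "Successfully set" / "Failed to set" summary. It operates on the document after YAML parsing (e.g. the result of PyYAML's `yaml.safe_load`), so the sample below is a constructed, already-parsed dictionary. Requiring the per-type value keys shown in the get/set output on this page is this example's assumption.

```python
VALID_TYPES = {"value", "json", "password", "user", "certificate", "ssh", "rsa"}

# Keys the get/set output on the page shows for each structured type. Treating
# them as required on import is this example's assumption.
REQUIRED_VALUE_KEYS = {
    "user": {"username", "password"},
    "certificate": {"certificate", "private_key"},
    "ssh": {"public_key", "private_key"},
    "rsa": {"public_key", "private_key"},
}


def check_credential(entry):
    """Return the list of problems with one credential object (empty when valid)."""
    if not isinstance(entry, dict):
        return ["entry is not a mapping"]
    problems = [f"missing '{key}'" for key in ("name", "type", "value") if key not in entry]
    if problems:
        return problems
    ctype, value = entry["type"], entry["value"]
    if ctype not in VALID_TYPES:
        return [f"unknown type '{ctype}'"]
    if ctype in ("value", "password"):
        if not isinstance(value, str):
            problems.append(f"'{ctype}' value must be a string")
    elif ctype in REQUIRED_VALUE_KEYS:
        if not isinstance(value, dict):
            problems.append(f"'{ctype}' value must be a mapping")
        else:
            missing = sorted(REQUIRED_VALUE_KEYS[ctype] - value.keys())
            if missing:
                problems.append(f"'{ctype}' value is missing {missing}")
    # 'json' accepts any value, so nothing further is checked for it.
    return problems


def validate_import(doc):
    """Lint a parsed import document and summarise it the way the CLI does."""
    if not isinstance(doc, dict) or not isinstance(doc.get("credentials"), list):
        raise ValueError("import file must be a mapping with a 'credentials' list")
    failures = []
    for index, entry in enumerate(doc["credentials"]):
        problems = check_credential(entry)
        if problems:
            label = entry.get("name", f"#{index}") if isinstance(entry, dict) else f"#{index}"
            failures.append((label, problems))
    total = len(doc["credentials"])
    return {
        "successfully_set": total - len(failures),
        "failed_to_set": len(failures),
        "failures": failures,
    }


# Constructed sample in already-parsed form: the first three entries mirror the
# credentials in the import output above, the last two are deliberately broken.
SAMPLE_IMPORT = {
    "credentials": [
        {"name": "/example-ssh", "type": "ssh",
         "value": {"public_key": "ssh-rsa AAAAB3NzaC1y...W9RWFM1",
                   "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n"}},
        {"name": "/example-password", "type": "password", "value": "SqFcE2c0AuRvet2YhrxdFbPtkBmjiq"},
        {"name": "/example-value", "type": "value", "value": "sample"},
        {"name": "/broken-user", "type": "user", "value": {"username": "alice"}},
        {"name": "/broken-type", "type": "secret", "value": "x"},
    ]
}


if __name__ == "__main__":
    report = validate_import(SAMPLE_IMPORT)
    print(f"Successfully set: {report['successfully_set']}")
    print(f"Failed to set: {report['failed_to_set']}")
    for name, problems in report["failures"]:
        print(f"  {name}: {'; '.join(problems)}")
```

Running the lint first keeps a partially failing import from leaving the target with some credentials updated and others not, which is the state the "Failed to set" counter otherwise reports after the fact.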