Is it possible to update service with a bound application - cloud-foundry

Is it possible for an app bound to a service to update this service? Or is it something only an admin CF can do?
For instance, I would like to execute the following command:
cf update-service test_db -c '{"data":{"serviceStopped":true}}'
What I have in mind: create an app bound to test_db to update the value of the dictionary.

Is it possible for an app bound to a service to update this service? Or is it something only an admin CF can do?
Yes, but it requires credentials. The application on CF itself has no permissions, so you would need to supply the credentials of a user or client that has permissions that the application can use to update the service.
Any user or client that is in the same org and space as the service with the SpaceDev role will have access to update the service.
If you want to have an application make calls to the Cloud Controller, like to update a database, you can do that by embedding the cf CLI and invoking it, you can use a library like the cf-java-client, or you can use the REST API directly.
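The REST route mentioned in the answer above, as an added sketch that is not part of the original answer: the app obtains a token from UAA with a client's credentials and sends the Cloud Controller v3 request that updates a service instance's parameters. The environment variable names (UAA_URL, CF_API_URL, CF_CLIENT_ID, CF_CLIENT_SECRET, SERVICE_INSTANCE_GUID) are assumptions, and the client is assumed to hold the SpaceDev role in the service's space.

```python
import base64
import json
import os
import urllib.parse
import urllib.request


def build_token_request(uaa_url, client_id, client_secret):
    """OAuth2 client_credentials request against UAA's /oauth/token."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        uaa_url.rstrip("/") + "/oauth/token",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": "Basic " + basic, "Accept": "application/json"},
        method="POST",
    )


def build_update_request(api_url, instance_guid, token, parameters):
    """PATCH /v3/service_instances/:guid carrying the new parameters."""
    if not isinstance(parameters, dict):
        raise TypeError("parameters must be a JSON object")
    guid = urllib.parse.quote(instance_guid, safe="")
    return urllib.request.Request(
        f"{api_url.rstrip('/')}/v3/service_instances/{guid}",
        data=json.dumps({"parameters": parameters}).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
        method="PATCH",
    )


def update_service(parameters):
    # Credentials are read from the environment, never hard-coded in the app.
    # The variable names below are assumptions made for this example.
    env = os.environ
    token_req = build_token_request(
        env["UAA_URL"], env["CF_CLIENT_ID"], env["CF_CLIENT_SECRET"])
    with urllib.request.urlopen(token_req) as resp:
        token = json.load(resp)["access_token"]
    req = build_update_request(
        env["CF_API_URL"], env["SERVICE_INSTANCE_GUID"], token, parameters)
    with urllib.request.urlopen(req) as resp:
        return resp.status  # HTTP status of the update call


if __name__ == "__main__":
    print(update_service({"data": {"serviceStopped": True}}))
```

Scope the client to the one space that holds the service, since anything that can read the app's environment can reuse these credentials.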

Related

Google Cloud Auth

I'm trying to connect an automated build. In the app I connect to a Google API and in Cloud Run I access secrets, both using different service accounts. It's just a test app so nothing major, but I keep getting hung up with Cloud Build using the service account that I use to access the API to run the app. Anybody know of a way to dictate which service account is used to run the app while still using the key to access the API? My thinking is it has to be done in the build process with something in my cloudbuild.yaml, or maybe it can't be done?
The Cloud Build process is carried out by a special service account that handles everything. You can delegate the auth to other accounts but there really isn't any need. Running the container in Cloud Run and choosing a service account to access secrets is easy (from Cloud Run choose edit and deploy => security tab) and that service account has no bearing on how you access other APIs with the creds.json you add at runtime.

Can create Elastic Beanstalk application through web interface, but not through awscli/ebcli with same account

Trying to learn AWS. Went to EB on the web interface, created an application and an environment, uploaded code, no problem.
Trying to do the same through the CLI - created an access key for my account, used aws configure set to set access key and secret. However, when I type eb init and choose the same region I used in the web app, the first fishy thing is that it doesn't let me choose the existing app like the eb init documentation said it would, it just asks me for a name to create a new app.
And when I do try to create a new one, I get this:
ERROR: NotAuthorizedError - Operation Denied. User: arn:aws:iam::xxx:user/[my account] is not authorized to perform: elasticbeanstalk:CreateApplication on resource: arn:aws:elasticbeanstalk:eu-central-1:xxx:application/test
What am I doing wrong? This is definitely the same account I used to create through the web app, and I have checked if someone removed my privileges or something - my account still has AdministratorAccess and I can keep creating apps through the web interface to my heart's content.

Do we really need to bind Oracle service in PCF, can't we just use credentials mentioned in service?

I have a question: what is the difference if I just use an Oracle/MySQL service provided by PCF without binding it? What difference will it create? I can access the DB using the credentials anyway.
There are two differences that come to mind:
When you create a service through the Cloud Foundry marketplace, that will create backing resources for the service but in most cases it does not create credentials. The act of binding a service to your app, in most cases with most service brokers, will actually create service credentials for you. When you unbind, again with most brokers, the service credentials are destroyed. This makes it easy to regenerate your service credentials, just unbind/rebind the service and restart your app. The net result is that if you don't bind, there are no credentials.
Most people do not want to include credentials with the actual application (see https://12factor.net/ for details why). They want to be able to provide configuration external to the app. On Cloud Foundry this commonly amounts to binding a service.
Having said that, how do you want to provide the credentials to your application?
Service bindings are there to try and make life as a developer easier but you don't have to use them. If you want to pass in the configuration some other way, like via environment variables, a config file, or using a config service (Spring Cloud Config Server or Vault) those are fine options too.
If you do not want to bind a service to your app, the only thing you'll need to do is to create a service key instead. A service key is like a binding, but not associated with an application. It will also generate a set of unique credentials. You can then take the credentials from your service key and feed them to your app in the way that works best for you.
Ex:
cf create-service-key service-instance key-name
cf service-key service-instance key-name
The first command creates the service key, the second will display its credentials.

Auto Assign Space and Org to new CF Users

We have a Cloud Foundry demo installation for customers. Customers are able to create an account. Now, I would like to automatically assign a specific org and space, incl. roles, to every new user.
Is that possible?
You could create a web application that users go to create their account then use uaa apis and cloud controller apis to create and assign the user to whatever you want. This application can use uaa client accounts with appropriate authorities.
If you only want users to create their accounts using your application I believe you can tell uaa to disable self service links in the uaa ui using "login.self_service_links_enabled=false" and can probably stop people from creating their own accounts on the CLI by removing the "scim.write" scope from the cf client.
There's nothing out of the box that does this. I can't see anything in the events API that you could plug into either.

How to see the contents of a user-provided service?

I'm new to cloud foundry and taking over a configuration that was set up by someone else. I want to inspect the contents of several user-provided services, to see what values are stored in each one. But the docs here only tell you how to see ALL the env values bound for an app. I want to be able to display what is in just ONE of the particular user-provided services.
Try this command on the Cloud Foundry CLI; it'll show the services (VCAP_SERVICES) and the environment (VCAP_APPLICATION) as JSON:
cf env app-name
You should be able to query the CloudFoundry api endpoint directly to get a list of all user provided service instances. You can find the API documents here and here is the precise endpoint you are looking for.
The api endpoint is the same that you at first used when setting up your cf CLI with: cf api API_ENDPOINT
If you need to find the auth token for the API request, you can get it from ~/cf/config.json. It should be in there once you successfully authorized the cf CLI by using cf login.
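To narrow the VCAP_SERVICES JSON that cf env displays down to one user-provided service, the following added example (not from the original answers) selects a single entry by name and masks secret-looking values so the result can be shared safely. The sample document and service names are constructed for illustration.

```python
import json

# Constructed sample of a VCAP_SERVICES document; names and values are made up.
SAMPLE_VCAP_SERVICES = """
{
  "user-provided": [
    {"name": "smtp-relay", "label": "user-provided",
     "credentials": {"host": "smtp.example.test", "password": "s3cret"}},
    {"name": "legacy-api", "label": "user-provided",
     "credentials": {"url": "https://legacy.example.test", "token": "abc123"}}
  ],
  "p-mysql": [
    {"name": "test_db", "label": "p-mysql",
     "credentials": {"hostname": "10.0.0.5", "password": "dbpass"}}
  ]
}
"""

# Substrings that mark a credential key as secret (a heuristic, not exhaustive).
SENSITIVE = ("password", "secret", "token", "key")


def find_service(vcap_json, name, label="user-provided"):
    """Return the single service entry called `name` under `label`, or None."""
    services = json.loads(vcap_json)
    for entry in services.get(label, []):
        if entry.get("name") == name:
            return entry
    return None


def masked_credentials(entry):
    """Copy of the credentials with secret-looking values replaced by '***'."""
    def mask(value, key=""):
        if isinstance(value, dict):
            return {k: mask(v, k) for k, v in value.items()}
        if isinstance(value, list):
            return [mask(v, key) for v in value]
        return "***" if any(s in key.lower() for s in SENSITIVE) else value
    return mask(entry.get("credentials", {}))


if __name__ == "__main__":
    svc = find_service(SAMPLE_VCAP_SERVICES, "smtp-relay")
    print(json.dumps(masked_credentials(svc), indent=2))
```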