I'm new to cloud foundry and taking over a configuration that was set up by someone else. I want to inspect the contents of several user-provided services, to see what values are stored in each one. But the docs here only tell you how to see ALL the env values bound for an app. I want to be able to display what is in just ONE of the particular user-provided services.
Try the command on cloudfoundry cli, it'll show services VCAP_SERVICES and environment VCAP_APPLICATION as json :
cf env app-name
You should be able to query the CloudFoundry api endpoint directly to get a list of all user provided service instances. You can find the API documents here and here is the precise endpoint you are looking for.
The api endpoint is the same that you at first used when setting up your cf CLI with: cf api API_ENDPOINT
If you need to find the auth token for the API request, you can get it from ~/cf/config.json. It should be in there once you successfully authorized the cf CLI by using cf login.
Related
Is it possible for an app bound to a service to update this service? Or is it something only an admin Cf can do ?
For instance, I would like to execute the following command
cf update-service test_db -c '{"data":{"serviceStopped":true}}'
What I have in mind: create an app bound to test_db to update the value of the dictionnary.
Is it possible for an app bound to a service to update this service? Or is it something only an admin Cf can do ?
Yes, but it requires credentials. The application on CF itself has no permissions, so you would need to supply the credentials of a user or client that has permissions that the application can use to update the service.
Any user or client that is in the same org and space as the service with the SpaceDev role will have access to update the service.
If you want to have an application make calls to the Cloud Controller, like to update a database, you can do that by embedding the cf CLI and invoking it, you can use a library like the cf-java-client, or you can use the REST API directly.
Does anyone have an idea, how I can access the email address of the service account, which is running my cloud run service, at runtime?
When deploying the service to gcloud, I use a specific service account for running the service.
During runtime I need the email/ID of this service account, in order to do blob signing using IAMCredentialsService.
Is there a possibility to get the service account ID somehow? The ComputeCredential object I have at hand doesn't provide this information. Right now I have to set an environment variable which contains the service account email address, which I can use at runtime within the service.
In your cloud run container, you need to reach this URL (a GET)
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email
With this header
Metadata-Flavor: Google
If you have difficulty getting the value, provide your language and I will see if I can provide a code sample for you.
See more in documentation https://cloud.google.com/run/docs/reference/container-contract#metadata-server
Container instance metadata server
Cloud Run container instances expose a metadata server that you can use to retrieve details about your container instance, such as the project ID, region, instance ID or service accounts. It can also be used to generate tokens for the runtime service account.
You can access this data from the metadata server using simple HTTP requests to the http://metadata.google.internal/ endpoint with the Metadata-Flavor: Google header: no client libraries are required. For more information, see Getting metadata.
I have a question what is the difference if I just use a Oracle/MySQL service provided by PCF without binding it? What difference will it create. I can anyway access DB using the credentials
There are two differences that come to mind:
When you create a service through the Cloud Foundry marketplace, that will create backing resources for the service but in most cases it does not create credentials. The act of binding a service to your app, in most cases with most service brokers, will actually create service credentials for you. When you unbind, again with most brokers, the service credentials are destroyed. This makes it easy to regenerate your service credentials, just unbind/rebind the service and restart your app. The net result is that if you don't bind, there are no credentials.
Most people do not want to include credentials with the actual application (see https://12factor.net/ for details why). They want to be able to provide configuration external to the app. On Cloud Foundry this commonly amounts to binding a service.
Having said that, how do you want to provide the credentials to your application?
Service bindings are there to try and make life as a developer easier but you don't have to use them. If you want to pass in the configuration some other way, like via environment variables, a config file, or using a config service (Spring Cloud Config Server or Vault) those are fine options too.
If you do not want to bind a service to your app, the only thing you'll need to do is to create a service key instead. A service key is like a binding, but not associated with an application. It will also generate a set of unique credentials. You can then take the credentials from your service key and feed them to your app in the way that works best for you.
Ex:
cf create-service-key service-instance key-name
cf service-key service-instance key-name
The first command creates the service key, the second will display its credentials.
I know this question is probably a bit vague. I was trying to run one of the examples of Google NLP Library in Google Shell.
I have 0 experience with using API, JSON, Nodejs... I don't understand what they are and how to use them.
Please help
Here is the snapshot of the error:
The error message means that you are using user credentials instead of service account credentials.
When you connect to Google Cloud Shell, you are using your Google Accounts User Credentials. Those credentials are the ones that you used to log in to the Google Cloud Console. When you run an application in Google Cloud Shell, your application is using those credentials unless you explicitly specify different credentials.
The solution is to create a service account in the Google Cloud Console. Then in your program use the service account for credentials for your application.
Google Cloud Service Accounts
When you do not specify the application credentials, the Google Client libraries use a method to locate credentials called ADC (Application Default Credentials). I wrote an article that might help you understand ADC:
Google Cloud Application Default Credentials
The simplest method for you is to create the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to the service account full path location before running your application. Change the path below to point to where the service account is stored on Cloud Shell. You will need to first create the service acount, download it and then upload to Cloud Shell.
export GOOGLE_APPLICATION_CREDENTIALS="$HOME/service-account.json"
Managing files with Cloud Shell
This link will provide more information on how to write applications that use service accounts.
Setting Up Authentication for Server to Server Production Applications
What is the use of service key in cloud foundry ? Today i create one cleardb service and then pick the VCAP_SERVICES credentials . Then easily connect the cleardb through HeidiSQL tool with these credentials.
Also tried the same things through ssh without service key and its connect successfully .
https://docs.cloudfoundry.org/devguide/deploy-apps/ssh-services.html
Please let me know the importance of service key .
Regards
Mukul K
Service keys allow you to get a set of (new) credentials for an app/use case outside of running CF apps. For example, you could get a new temporary ClearDB URI and pass it to mysqlsh on your laptop.
It is preferred to generate new creds for each use case/user rather than borrowing the creds from an app’s VCAP_SERVICE