Cannot access /encrypt endpoint of PCF p-config-server service

Question

I have followed the instructions from https://github.com/spring-cloud-services-samples/cook and managed to install and run Config Server in PCF environment (SERVICE: Config Server, PLAN: standard).

I'm now trying to hit /encrypt endpoint of the p-config-server service, in order to encrypt new value. I'm following the instructions at http://docs.run.pivotal.io/spring-cloud-services/config-server/configuring-with-git.html#encryption-and-encrypted-values:

TOKEN=$(curl -k ACCESS_TOKEN_URI -u CLIENT_ID:CLIENT_SECRET -d grant_type=client_credentials | jq -r .access_token); curl -k -H "Authorization: bearer $TOKEN" -H "Accept: application/json" URI/encrypt -d 'VALUE'

...but I always get:

{ "error": "access_denied", "error_description": "Access is denied" }

On the other side, if I try to get standard endpoint, to get config for an app, I'm able to retrieve JSON containing app properties. E.g.

TOKEN=$(curl -k ACCESS_TOKEN_URI -u CLIENT_ID:CLIENT_SECRET -d grant_type=client_credentials | jq -r .access_token); curl -k -H "Authorization: bearer $TOKEN" -H "Accept: application/json" URI/my-app/default

... gives result like:

{"name":"my-app","profiles":["default"],"label":null,"version":"bb6e64592ced731ebba272430291a595e0f14a77","state":null,"propertySources":[{"name":"https://github.com/some-user/config/my-app.yml","source":{"my-property.name":"Test123"}}]}

Any idea why I can not access /encrypt endpoint? Thank you.

Btw, I'm executing the command in CentOS Linux release 7.4.1708, with installed jq (command-line JSON processor).

Answer 1

I've got the answer from CloundFoundry IT support. In my CF environment, "encrypt" endpoint should have a trailing slash (/). So it should be ...URI/encrypt/ -d 'VALUE'. Maybe it helps someone.

One more hint I've got: There is a CF CLI plugin for the Spring-Cloud-Services which you could use for convenience.

https://github.com/pivotal-cf/spring-cloud-services-cli-plugin

cf install-plugin -r CF-Community "Spring Cloud Services"

cf help config-server-encrypt-value 

Answer 2

Hi Actually you need to hit cf env command first and take note of configuration values from that which for sample looks like below:

{
 "VCAP_SERVICES": {
  "p-config-server": [
   {
    "credentials": {
     "access_token_uri": "https://p-spring-cloud-services.uaa.cf.wise.com/oauth/token",
     "client_id": "p-config-server-876cd13b-1564-4a9a-9d44-c7c8a6257b73",
     "client_secret": "rU7dMUw6bQjR",
     "uri": "https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.com"
    },
[...]

and then use those values in your curl bash script. for example

TOKEN=$(curl -k https://config-86b38ce0-eed8-4c01-adb4-1a651a6178e2.apps.wise.com -u p-config-server-876cd13b-1564-4a9a-9d44-c7c8a6257b73:rU7dMUw6bQjR -d
grant_type=client_credentials | jq -r .access_token); curl -k -H
"Authorization: bearer $TOKEN" -H "Accept: application/json"
URI/ENDPOINT | jq

Basically following values are required:

ACCESS_TOKEN_URI with the value of credentials.access_token_uri

CLIENT_ID with the value of credentials.client_id CLIENT_SECRET with the value of credentials.client_secret

URI with the value of credentials.uri

Replace ENDPOINT with the relevant endpoint:

application/profile to retrieve configuration from a Config Server service instance eureka/apps to retrieve the registry from a Service Registry service instance

Then I think you will no more get access denied response.