cloudfoundry-community-attic / cf-services-contrib-release

release repository for community contributed services
Apache License 2.0

Permission Issue with the Bundled Cloud Foundry: Can't Create Service Instances #154

Open mhlandry opened 9 years ago

mhlandry commented 9 years ago

I'm trying to get the introduction to spring cloud https://spring.io/blog/2014/06/03/introducing-spring-cloud app working with an instance of Cloud Foundry that I'm running on my machine. I tried to push the app and I get this message:

    Could not find service postgres-service to bind to hello-spring-cloud

That makes sense to me so I started tracking down the postgres service. When I run cf marketplace, I get:

    service      plans     description
    mongodb      default   MongoDB NoSQL database
    postgresql   default   PostgreSQL database
    rabbitmq     default   RabbitMQ message queue
    redis        default   Redis key-value store

When I try to create a service instance of the postgresql service, I get:

    $ cf create-service postgresql default postgresql-service
    Creating service instance postgresql-service in org xyz / space development as admin...
    FAILED
    Server error, status code: 500, error code: 10001, message: Service broker error: Not authorized

I have tried running cf create-service-auth-token postgresql core 123 but that didn't seem to help with the Not Authorized message.

Here are the permissions for the space:

    Getting users in org xyz / space development as admin

    SPACE MANAGER
    admin

    SPACE DEVELOPER
    Admin

The cf service-access command doesn't yield anything interesting:

    $ cf service-access
    Getting service access as admin

Then it shows nothing on the terminal. So I tried to enable service access

    $ cf enable-service-access postgresql
    Enabling access to all plans of service postgresql for all orgs as admin...
    All plans of the service are already accessible for all orgs
    OK

For the life of me, I can't figure out what's going on. Any ideas about what's going on?

githubfp commented 9 years ago

Having exactly the same problem described by mhlandry. The message says "Incorrect Usage", though I do have the right syntax? Any idea would really help me out! Thanks in advance.

    vagrant@bosh-lite:~$ wget https://cf-contrib.s3.amazonaws.com/boshrelease-cf-services-contrib-6.tgz
    vagrant@bosh-lite:~$ bosh upload release boshrelease-cf-services-contrib-6.tgz

    vagrant@bosh-lite:~$ git clone https://github.com/cloudfoundry-community/cf-services-contrib-release
    vagrant@bosh-lite:~$ cd cf-services-contrib-release
    $ git checkout v6

    vagrant@bosh-lite:~/cf-services-contrib-release$ templates/make_manifest warden
    vagrant@bosh-lite:~/cf-services-contrib-release$ bosh -n deploy
    vagrant@bosh-lite:~/cf-services-contrib-release$ cf marketplace
    Getting services from marketplace in org myorg / space mydept as admin...
    OK

    service      plans     description
    mongodb      default   MongoDB NoSQL database
    postgresql   default   PostgreSQL database
    rabbitmq     default   RabbitMQ message queue
    redis        default   Redis key-value store

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service-auth-token mongodb core c1oudc0w
    Creating service auth token as admin...
    OK
    Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service-auth-token postgresql core c1oudc0w
    Creating service auth token as admin...
    OK
    Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service-auth-token rabbitmq core c1oudc0w
    Creating service auth token as admin...
    OK
    Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service-auth-token redis core c1oudc0w
    Creating service auth token as admin...
    OK
    Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf enable-service-access mongodb
    Enabling access to all plans of service mongodb for all orgs as admin...
    All plans of the service are already accessible for all orgs
    OK

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf enable-service-access postgresql
    Enabling access to all plans of service postgresql for all orgs as admin...
    All plans of the service are already accessible for all orgs
    OK

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf enable-service-access rabbitmq
    Enabling access to all plans of service rabbitmq for all orgs as admin...
    All plans of the service are already accessible for all orgs
    OK

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf enable-service-access redis
    Enabling access to all plans of service redis for all orgs as admin...
    All plans of the service are already accessible for all orgs
    OK

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf service-access
    getting service access as admin...

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service redis default my-redis1
    Creating service my-redis1 in org myorg / space mydept as admin...
    FAILED
    Server error, status code: 500, error code: 10001, message: An unknown error occurred.

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service redis default my-redis1 CF_TRACE=true
    FAILED
    Incorrect Usage.

    NAME:
       create-service - Create a service instance

    ALIAS:
       cs

    USAGE:
       cf create-service SERVICE PLAN SERVICE_INSTANCE

    EXAMPLE:
       cf create-service cleardb spark clear-db-mine

    TIP:
       Use 'cf create-user-provided-service' to make user-provided services available to cf apps

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf -v
    cf version 6.6.1-b2cdb2b-2014-09-23T23:07:12+00:00

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf service-access
    getting service access as admin...

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf curl /v2/info
    {
      "name": "vcap",
      "build": "2222",
      "support": "http://support.cloudfoundry.com",
      "version": 2,
      "description": "Cloud Foundry sponsored by Pivotal",
      "authorization_endpoint": "http://login.10.244.0.34.xip.io",
      "token_endpoint": "https://uaa.10.244.0.34.xip.io",
      "api_version": "2.18.0",
      "logging_endpoint": "wss://loggregator.10.244.0.34.xip.io:443"
    }

    vagrant@bosh-lite:~/cf-services-contrib-release$ cf curl /v2/service_plans -X 'GET'
    {
      "total_results": 4,
      "total_pages": 1,
      "prev_url": null,
      "next_url": null,
      "resources": [
        {
          "metadata": {
            "guid": "6e0c12aa-c547-427e-83ec-5a2de5536dca",
            "url": "/v2/service_plans/6e0c12aa-c547-427e-83ec-5a2de5536dca",
            "created_at": "2015-09-03T17:40:45+00:00",
            "updated_at": "2015-09-03T20:55:42+00:00"
          },
          "entity": {
            "name": "default",
            "free": true,
            "description": "Developer, 250MB storage, 10 connections",
            "service_guid": "4e71ab56-1661-4a44-a9b6-620d82e5cc23",
            "extra": "",
            "unique_id": "default-acc65758-191f-4cc7-a295-34a11e731b01",
            "public": true,
            "active": true,
            "service_url": "/v2/services/4e71ab56-1661-4a44-a9b6-620d82e5cc23",
            "service_instances_url": "/v2/service_plans/6e0c12aa-c547-427e-83ec-5a2de5536dca/service_instances"
          }
        },
        {
          "metadata": {
            "guid": "f5566c05-8165-43f4-9867-27fada9a6e66",
            "url": "/v2/service_plans/f5566c05-8165-43f4-9867-27fada9a6e66",
            "created_at": "2015-09-03T17:40:50+00:00",
            "updated_at": "2015-09-03T20:55:39+00:00"
          },
          "entity": {
            "name": "default",
            "free": true,
            "description": "Developer, shared VM, 250MB storage, 10 connections",
            "service_guid": "12f51c6b-c16c-46e2-9672-1b13631f3550",
            "extra": "",
            "unique_id": "default-8f4af9f9-0f29-4957-87a3-1039ce983ede",
            "public": true,
            "active": true,
            "service_url": "/v2/services/12f51c6b-c16c-46e2-9672-1b13631f3550",
            "service_instances_url": "/v2/service_plans/f5566c05-8165-43f4-9867-27fada9a6e66/service_instances"
          }
        },
        {
          "metadata": {
            "guid": "37214276-cf04-4c45-a927-6816f028818a",
            "url": "/v2/service_plans/37214276-cf04-4c45-a927-6816f028818a",
            "created_at": "2015-09-03T17:41:23+00:00",
            "updated_at": "2015-09-03T20:55:42+00:00"
          },
          "entity": {
            "name": "default",
            "free": true,
            "description": "Developer, 250MB storage, 10 connections",
            "service_guid": "6d615670-a3cd-41cb-9fc1-31cb8cbadc8b",
            "extra": "",
            "unique_id": "default-b98ab4cc-53e3-44a0-a53b-f09d7827f950",
            "public": true,
            "active": true,
            "service_url": "/v2/services/6d615670-a3cd-41cb-9fc1-31cb8cbadc8b",
            "service_instances_url": "/v2/service_plans/37214276-cf04-4c45-a927-6816f028818a/service_instances"
          }
        },
        {
          "metadata": {
            "guid": "2a201849-b3c2-40ef-9279-d4116614c3cf",
            "url": "/v2/service_plans/2a201849-b3c2-40ef-9279-d4116614c3cf",
            "created_at": "2015-09-03T17:41:25+00:00",
            "updated_at": "2015-09-03T20:55:43+00:00"
          },
          "entity": {
            "name": "default",
            "free": true,
            "description": "Developer, 250MB storage, 100 connections",
            "service_guid": "b55fb809-e2c9-41c6-9eec-82c4850aa335",
            "extra": "",
            "unique_id": "default-bfd55f2a-25c8-4444-9200-4e7d2d443467",
            "public": true,
            "active": true,
            "service_url": "/v2/services/b55fb809-e2c9-41c6-9eec-82c4850aa335",
            "service_instances_url": "/v2/service_plans/2a201849-b3c2-40ef-9279-d4116614c3cf/service_instances"
          }
        }
      ]
    }
    vagrant@bosh-lite:~/cf-services-contrib-release$

Gangabhavani commented 9 years ago

I have got the same issue. Resolved by deleting the existing service-auth-token and recreating it using the provider "core".

githubfp commented 9 years ago

Thank you so much Gangabhavani for your reply on this one - As I mentioned in my previous msg this is my first attempt to deploy the services on a local CF config so I just followed the instructions posted on https://github.com/cloudfoundry-community/cf-services-contrib-release

$ cf create-service-auth-token

templates/make_manifest warden

which is actually doing a ‘spiff merge’ of the following files:

    spiff merge \
      $templates/deployment.yml \
      $templates/jobs.yml \
      $templates/properties.yml \
      $templates/infrastructure-${infrastructure}.yml \
      $tmpdir/stub-with-uuid.yml \
      $* > $tmpdir/$NAME-manifest.yml

At a closer look, it looks like those tokens are actually coming from the above mentioned files ‘/templates/infrastructure-warden.yml’ and apparently they seem to be (by default) set to ‘c1oudc0w’ (at least that’s what I can see on my folder and that’s also what I can see on the https://github.com/cloudfoundry-community/cf-services-contrib-release templates too)

    vagrant@bosh-lite:~/cf-services-contrib-release$ cat templates/infrastructure-warden.yml | grep token
    token: c1oudc0w
    token: c1oudc0w
    token: c1oudc0w
    token: c1oudc0w

Provided that, at this stage, I am running just a POC, I didn’t customize anything so far, and so I just tried to use the values referenced in the manifest file by default. Are there any other ‘provider’ token values I should use in this case? Any directions on how/where to look for these provider ‘token’ values would be greatly appreciated.

amaltson commented 8 years ago

@githubfp you're a life saver, those were the tokens I was looking for! :+1:

florianpopovici commented 8 years ago

I am pleased if my post helped in any way --- unfortunately, in my case, the process listed above didn't work at all, I am still stuck when trying to run 'cf create-services' - any help on that would be greatly appreciated

rkoster commented 8 years ago

The default service auth tokens when running on bosh-lite can indeed be found here. The registration of the service auth tokens for bosh-lite can also be achieved by running rake setup.

florianpopovici commented 8 years ago

Hello rkoster, thanks a lot for your input. As I mentioned before, this is my very first attempt to deploy CF, so I might be missing things in there. Anyway, in my case, the whole process seems to work fine, except the 'create-service', which is constantly returning an 'incorrect usage' error ... though that doesn’t seem to be about any syntax error ... any idea on what/where I should look for would be greatly appreciated.

    cf marketplace
    Getting services from marketplace in org myorg / space mydept as admin...
    OK

    service      plans     description
    mongodb      default   MongoDB NoSQL database
    postgresql   default   PostgreSQL database
    rabbitmq     default   RabbitMQ message queue
    redis        default   Redis key-value store

    cf create-service-auth-token mongodb core c1oudc0w      (does work fine)
    cf create-service-auth-token postgresql core c1oudc0w   (does work fine)
    cf create-service-auth-token rabbitmq core c1oudc0w     (does work fine)
    cf create-service-auth-token redis core c1oudc0w        (does work fine)

    cf enable-service-access mongodb      (does work fine)
    cf enable-service-access postgresql   (does work fine)
    cf enable-service-access rabbitmq     (does work fine)
    cf enable-service-access redis        (does work fine)

    cf create-service mongodb default my-mongodb CF_TRACE=true
    FAILED
    Incorrect Usage.

    NAME:
       create-service - Create a service instance

    ALIAS:
       cs

    USAGE:
       cf create-service SERVICE PLAN SERVICE_INSTANCE

    EXAMPLE:
       cf create-service cleardb spark clear-db-mine

    TIP:
       Use 'cf create-user-provided-service' to make user-provided services available to cf apps

rkoster commented 8 years ago

Have you tried: CF_TRACE=true cf create-service mongodb default my-mongodb?

florianpopovici commented 8 years ago

Here's the output ... if you could see something where I could start digging, that would be really appreciated ... many thanks in advance!

    vagrant@agent-id-bosh-0:~$ CF_TRACE=true cf create-service mongodb default my-mongodb

    VERSION:
    6.6.1-b2cdb2b

    Creating service my-mongodb in org myorg / space mydept as admin...

    REQUEST: [2015-09-21T14:34:34Z]
    GET /v2/spaces/f868f5b4-b131-4cf6-886b-8957961d7e5d/services?q=label%3Amongodb&inline-relations-depth=1 HTTP/1.1
    Host: api.10.244.0.34.xip.io
    Accept: application/json
    Authorization: [PRIVATE DATA HIDDEN]
    Content-Type: application/json
    User-Agent: go-cli 6.6.1-b2cdb2b / linux

    RESPONSE: [2015-09-21T14:34:34Z]
    HTTP/1.1 401 Unauthorized
    Content-Length: 97
    Content-Type: application/json;charset=utf-8
    Date: Mon, 21 Sep 2015 14:34:34 GMT
    Server: nginx
    X-Cf-Requestid: 5104ff6d-de84-4ca9-55e4-5ca556dadcc6
    X-Content-Type-Options: nosniff
    X-Vcap-Request-Id: 463a6983-adc5-4fff-742e-8fe29bf65da8::bb0ddf54-1d9e-4733-a901-d33077a7c481

    {
      "code": 1000,
      "description": "Invalid Auth Token",
      "error_code": "CF-InvalidAuthToken"
    }

    REQUEST: [2015-09-21T14:34:34Z]
    POST /oauth/token HTTP/1.1
    Host: login.10.244.0.34.xip.io
    Accept: application/json
    Authorization: [PRIVATE DATA HIDDEN]
    Content-Type: application/x-www-form-urlencoded
    User-Agent: go-cli 6.6.1-b2cdb2b / linux

    grant_type=refresh_token&refresh_token=[REFRESH TOKEN REMOVED]&scope=

    RESPONSE: [2015-09-21T14:34:39Z]
    HTTP/1.1 200 OK
    Connection: close
    Content-Length: 2071
    Cache-Control: no-cache
    Cache-Control: no-store
    Cache-Control: no-store
    Content-Type: application/json;charset=UTF-8
    Date: Mon, 21 Sep 2015 14:34:39 GMT
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Pragma: no-cache
    Pragma: no-cache
    Server: Apache-Coyote/1.1
    X-Cf-Requestid: 77645f19-d8e0-4da9-41cb-84133baa2ad0
    X-Cf-Requestid: 614f7366-84be-4bc4-7491-826b5ce41c18
    X-Frame-Options: DENY

    {"access_token":"[PRIVATE DATA HIDDEN]","token_type":"bearer","refresh_token":"[PRIVATE DATA HIDDEN]","expires_in":599,"scope":"scim.userids scim.read cloud_controller.admin password.write scim.write openid cloud_controller.write cloud_controller.read doppler.firehose","jti":"d033accb-52da-454e-8494-10efc262bced"}

    REQUEST: [2015-09-21T14:34:39Z]
    GET /v2/spaces/f868f5b4-b131-4cf6-886b-8957961d7e5d/services?q=label%3Amongodb&inline-relations-depth=1 HTTP/1.1
    Host: api.10.244.0.34.xip.io
    Accept: application/json
    Authorization: [PRIVATE DATA HIDDEN]
    Content-Type: application/json
    User-Agent: go-cli 6.6.1-b2cdb2b / linux

    RESPONSE: [2015-09-21T14:34:39Z]
    HTTP/1.1 200 OK
    Content-Length: 2137
    Content-Type: application/json;charset=utf-8
    Date: Mon, 21 Sep 2015 14:34:39 GMT
    Server: nginx
    X-Cf-Requestid: d0ef0a82-0283-462f-5708-a4711f11d610
    X-Content-Type-Options: nosniff
    X-Vcap-Request-Id: 37b73f2b-e0a3-4cd9-6151-2b46786413cb::1ffc1d34-663f-45d5-a478-37a1ec198d40

    {
      "total_results": 1,
      "total_pages": 1,
      "prev_url": null,
      "next_url": null,
      "resources": [
        {
          "metadata": {
            "guid": "12f51c6b-c16c-46e2-9672-1b13631f3550",
            "url": "/v2/services/12f51c6b-c16c-46e2-9672-1b13631f3550",
            "created_at": "2015-09-03T17:40:45+00:00",
            "updated_at": "2015-09-21T14:34:31+00:00"
          },
          "entity": {
            "label": "mongodb",
            "provider": "core",
            "url": "http://10.244.1.2:37611",
            "description": "MongoDB NoSQL database",
            "long_description": null,
            "version": "2.2",
            "info_url": null,
            "active": true,
            "bindable": true,
            "unique_id": "8f4af9f9-0f29-4957-87a3-1039ce983ede",
            "extra": "{\"listing\":{\"imageUrl\":null,\"blurb\":null},\"provider\":{\"name\":\"Core\"}}",
            "tags": [
              "nosql",
              "document",
              "mongodb"
            ],
            "requires": [

            ],
            "documentation_url": null,
            "service_broker_guid": null,
            "plan_updateable": false,
            "service_plans_url": "/v2/services/12f51c6b-c16c-46e2-9672-1b13631f3550/service_plans",
            "service_plans": [
              {
                "metadata": {
                  "guid": "f5566c05-8165-43f4-9867-27fada9a6e66",
                  "url": "/v2/service_plans/f5566c05-8165-43f4-9867-27fada9a6e66",
                  "created_at": "2015-09-03T17:40:50+00:00",
                  "updated_at": "2015-09-21T14:34:36+00:00"
                },
                "entity": {
                  "name": "default",
                  "free": true,
                  "description": "Developer, shared VM, 250MB storage, 10 connections",
                  "service_guid": "12f51c6b-c16c-46e2-9672-1b13631f3550",
                  "extra": "",
                  "unique_id": "default-8f4af9f9-0f29-4957-87a3-1039ce983ede",
                  "public": true,
                  "active": true,
                  "service_url": "/v2/services/12f51c6b-c16c-46e2-9672-1b13631f3550",
                  "service_instances_url": "/v2/service_plans/f5566c05-8165-43f4-9867-27fada9a6e66/service_instances"
                }
              }
            ]
          }
        }
      ]
    }

    REQUEST: [2015-09-21T14:34:39Z]
    POST /v2/service_instances HTTP/1.1
    Host: api.10.244.0.34.xip.io
    Accept: application/json
    Authorization: [PRIVATE DATA HIDDEN]
    Content-Type: application/json
    User-Agent: go-cli 6.6.1-b2cdb2b / linux

    {"name":"my-mongodb","service_plan_guid":"f5566c05-8165-43f4-9867-27fada9a6e66","space_guid":"f868f5b4-b131-4cf6-886b-8957961d7e5d", "async": true}

    RESPONSE: [2015-09-21T14:34:40Z]
    HTTP/1.1 500 Internal Server Error
    Content-Length: 99
    Content-Type: application/json;charset=utf-8
    Date: Mon, 21 Sep 2015 14:34:40 GMT
    Server: nginx
    X-Cf-Requestid: 52e95de7-4249-437c-5167-8d0dafc858e9
    X-Content-Type-Options: nosniff
    X-Vcap-Request-Id: b468b17b-86d8-44b0-7495-c83612f49add::a0ba32f1-0f30-4d92-bcd1-001ffe09f524

    {
      "error_code": "UnknownError",
      "description": "An unknown error occurred.",
      "code": 10001
    }

    FAILED
    Server error, status code: 500, error code: 10001, message: An unknown error occurred.
    FAILED
    Server error, status code: 500, error code: 10001, message: An unknown error occurred.
    vagrant@agent-id-bosh-0:~$
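
In the trace above the CLI masks the `Authorization` header and the JSON token fields, but not the form-encoded `refresh_token` in the body of `POST /oauth/token`. The filter below is an added example, not part of the thread or of the cf CLI: it scrubs such values from saved `CF_TRACE` output before the trace is shared; the sample trace, its host name and its token values are constructed.

```shell
#!/bin/sh
# Added example: scrub credentials from saved CF_TRACE output before sharing it.
# Usage: CF_TRACE=true cf create-service ... 2>&1 | redact_cf_trace > trace.txt

redact_cf_trace() {
    # 1. whole value of credential-bearing headers
    # 2. form-encoded secrets in request bodies and query strings
    # 3. JSON token fields in response bodies
    # 4. any remaining JWT-shaped string (three base64url parts starting "eyJ")
    sed -E \
        -e 's/^([[:space:]]*(Authorization|Cookie|Set-Cookie):[[:space:]]*).*/\1[REDACTED]/' \
        -e 's/(^|[?&[:space:]])((refresh_token|access_token|password|client_secret)=)[^&[:space:]]*/\1\2[REDACTED]/g' \
        -e 's/("(access_token|refresh_token|id_token|password)"[[:space:]]*:[[:space:]]*")[^"]*"/\1[REDACTED]"/g' \
        -e 's/eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/[REDACTED-JWT]/g'
}

# Constructed sample in the shape of the trace in this thread (all values are fake).
sample_trace() {
    cat <<'EOF'
REQUEST: [2015-09-21T14:34:34Z]
POST /oauth/token HTTP/1.1
Host: login.example.test
Authorization: Basic constructed-client-credentials
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl&scope=

RESPONSE: [2015-09-21T14:34:39Z]
HTTP/1.1 200 OK

{"access_token":"constructed-access","token_type":"bearer","refresh_token":"constructed-refresh","expires_in":599}
EOF
}

# Demo: print the redacted form of the constructed sample.
sample_trace | redact_cf_trace || true
```
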

rkoster commented 8 years ago

From the above:

    {
      "code": 1000,
      "description": "Invalid Auth Token",
      "error_code": "CF-InvalidAuthToken"
    }

Looks interesting, can you verify your auth tokens are created (cf service-auth-tokens). Also can you grep your bosh deployment manifest for the string token? And verify your token is indeed c1oudc0w?

florianpopovici commented 8 years ago

u right ... that's a bit of a surprise .. would it have been possible to run 'create-service-auth-token' without referencing the correct token ?

    vagrant@agent-id-bosh-0:~$ cf service-auth-tokens
    Getting service auth tokens as admin...
    OK

    label        provider
    mongodb      core
    postgresql   core
    rabbitmq     core
    redis        core
    Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.
    vagrant@agent-id-bosh-0:~$
    vagrant@agent-id-bosh-0:~/cf-services-contrib-release$ cat templates/contrib-services-warden-manifest.yml | grep token
    token: c1oudc0w
    token: c1oudc0w
    token: c1oudc0w
    token: c1oudc0w
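
The `grep token` check used in this thread shows every service carrying the template default `c1oudc0w`. The script below is an added example, not part of the release or the thread: it automates that check by flagging `token:` values in a generated manifest that equal the default or are shared between services, and the sample manifest with its key names is constructed.

```shell
#!/bin/sh
# Added example: audit a deployment manifest for default or shared service tokens.
# Reads the manifest on stdin; $1 is the default to flag (c1oudc0w, per the thread).
# Findings carry line numbers only, so the report itself never echoes a secret.

audit_manifest_tokens() {
    awk -v def="${1:-c1oudc0w}" -v q="[\"']" '
        /^[ \t]*token:[ \t]*/ {
            val = $0
            sub(/^[ \t]*token:[ \t]*/, "", val)
            sub(/[ \t]+#.*$/, "", val)        # drop a trailing YAML comment
            sub(/[ \t]+$/, "", val)           # drop trailing whitespace
            gsub("^" q "|" q "$", "", val)    # drop surrounding quotes
            if (val == "") next
            if (val == def) { printf "DEFAULT line %d\n", NR; bad = 1 }
            if (val in seen) {
                printf "REUSED line %d (same value as line %d)\n", NR, seen[val]
                bad = 1
            } else {
                seen[val] = NR
            }
        }
        END { exit bad + 0 }   # non-zero exit when anything was flagged
    '
}

# Constructed sample manifest fragment; the key names are hypothetical.
sample_manifest() {
    cat <<'EOF'
properties:
  mongodb_gateway:
    token: c1oudc0w
  postgresql_gateway:
    token: c1oudc0w
  redis_gateway:
    token: "constructed-unique-value"  # constructed
EOF
}

# Demo: audit the constructed sample (exit status 1 means findings were reported).
sample_manifest | audit_manifest_tokens || true
```

Against a real deployment, feed it the generated manifest, for example `audit_manifest_tokens < templates/contrib-services-warden-manifest.yml`.
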