
Setup and manage UAA credentials

Laura Beaufort edited this page Oct 21, 2020 · 2 revisions

The admin portion of the CMS makes use of a UAA client to manage authentication via cloud.gov. As the CMS is ultimately a Django-based application (through the use of Wagtail), it leverages a utility called cg-django-uaa to do this. By and large, no setup is needed at this point for this utility and the CMS: it is already wired into the project and ready to go upon deployment. At most there might have to be some configuration in the settings file(s), but unless something changes with the way UAA works with cloud.gov, this is already good to go in the CMS. For the sake of completeness, the cg-django-uaa Quick Start Guide covers the essentials of what you would need to do or modify.

The other piece of this is the cloud.gov identity provider, which needs to be created and managed for each space running in cloud.gov. The instructions on that page outline exactly what needs to be done:

  • Create a cloud-gov-identity-provider service
  • Create a service key associated with the aforementioned cloud-gov-identity-provider service

With these two things in place, the last piece is to copy the credentials (client ID and client secret) from the key and place them within the CMS-specific user-provided credentials service under the CMS_LOGIN_CLIENT_ID and CMS_LOGIN_CLIENT_SECRET environment variable names. After that, it's just a matter of restaging or redeploying the application to pick up the new credentials.

For every space, these steps amount to the following (replace <app_name_here> with the appropriate app name, e.g., fec-dev-proxy or fec-feature-cms, based on the space and app requirements):

# Create the identity provider service
cf create-service cloud-gov-identity-provider oauth-client <service_name_here> -c '{"redirect_uri": ["<registered callback uri>"]}'

# Create the service key associated with the identity provider
cf create-service-key <service_name_here> <service_key_name_here> -c '{"redirect_uri": ["<registered callback uri>"]}'

# Retrieve the credentials from the service key
cf service-key <service_name_here> <service_key_name_here>

# Update the CMS-specific user-provided credentials
cf uups <credentials_service_name_here> -p <path/to/updated/credentials.json>

Once those are all finished, either restage the CMS app or redeploy it for zero downtime.
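
The step between retrieving the service key and running cf uups involves copying a client secret by hand, so the following added example (not part of the original page or the project's code) shows one way to build the updated credentials.json from the cf service-key output while keeping the file readable only by its owner. It assumes the key output contains client_id and client_secret fields and that the credentials file is a flat JSON object; the function names and sample values are hypothetical.

```python
import json
import os

# Constructed sample of `cf service-key` output: a status line, then JSON.
# The values are placeholders, not real credentials.
SAMPLE_KEY_OUTPUT = """Getting key example-key for service instance example-idp as user@example.gov...

{
  "client_id": "constructed-client-id",
  "client_secret": "constructed-client-secret"
}
"""


def parse_service_key(cli_output):
    """Return (client_id, client_secret) from `cf service-key` output."""
    start = cli_output.find("{")  # skip the status line before the JSON
    if start == -1:
        raise ValueError("no JSON object in service-key output")
    data, _ = json.JSONDecoder().raw_decode(cli_output, start)
    # Assumption: some cf CLI versions nest the values under "credentials".
    creds = data.get("credentials", data)
    missing = [k for k in ("client_id", "client_secret") if not creds.get(k)]
    if missing:
        raise ValueError("service key lacks: " + ", ".join(missing))
    return creds["client_id"], creds["client_secret"]


def build_credentials(existing, cli_output):
    """Merge the new client values into a copy of the existing credentials."""
    client_id, client_secret = parse_service_key(cli_output)
    merged = dict(existing)  # keep every other key the service already holds
    merged["CMS_LOGIN_CLIENT_ID"] = client_id
    merged["CMS_LOGIN_CLIENT_SECRET"] = client_secret
    return merged


def write_credentials(path, credentials):
    """Write the JSON file so only the owner can read it (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(credentials, handle, indent=2)
    os.chmod(path, 0o600)  # also tightens a file that already existed
```

Pass the written file to cf uups with -p, then delete it once the update succeeds so the client secret does not remain on disk.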