The Cloud Foundry UAA is an independent open source project that you can use within your organization to provide user & client authentication and authorization. It has been a stable component of Cloud Foundry itself for more than half a decade. Rather than your team writing their own authentication and authorization subsystem, I recommend giving the UAA a try.

Whilst it is a relatively old open source project, it can still be slightly tricky to deploy for yourself. To make it much easier to deploy a UAA, we've released a new project, Quick UAA. You can deploy a UAA to any cloud or to a local VirtualBox.

The project includes a simple helper script quaa, for "Quick UAA". And quaa up is all it takes to deploy the UAA, with its friendly PostgreSQL database, to your local VirtualBox.

NOTE: the tutorial can download up to 1G of files to your local machine, and upload many of them to your target cloud. If you want to download all the assets first, then deploy the UAA, see the section on Offline Download below.

To install this project, clone the repo, and eval the bin/quaa env helper. This will download the required bosh CLI to talk to your cloud infrastructure, and the uaa CLI for interacting with your UAA:

git clone https://github.com/starkandwayne/quick-uaa-deployment ~/workspace/quick-uaa-deployment
cd ~/workspace/quick-uaa-deployment
eval "$(bin/quaa env)"

Note, if you have direnv installed, then you can run direnv allow instead of eval "$(bin/quaa env)".

Deploy UAA

To bootstrap UAA inside VirtualBox:

quaa up

Alternately, to bootstrap your UAA to AWS, specify the --cpi aws flag, fill in the sample vars.yml, and run quaa up again:

quaa up --cpi aws
vi vars.yml
quaa up

Internally, the quaa up command uses bosh create-env and the corresponding BOSH CPI for your target cloud infrastructure. A persistent disk will be created, mounted, formatted, and used for your UAA's PostgreSQL database. You can resize the VM, resize the persistent disk, upgrade the base stemcell, or upgrade the UAA software, all with the same quaa up command.

Client authentication

The quaa helper includes many subcommands to help you interact with your UAA. You can set up the uaa CLI and authenticate as an admin client:

eval "$(bin/quaa env)"
quaa auth-client

Now you can use the uaa CLI to introspect your UAA, create new users, etc:

uaa clients

uaa users
uaa create-user drnic -v \
  --email drnic@starkandwayne.com \
  --givenName "Dr Nic" \
  --familyName "Williams" \
  --password drnic_secret

Example client applications

There is a growing set of example applications that use your new UAA for their client or user authentication at https://github.com/starkandwayne/ultimate-guide-to-uaa-examples

Software versions

See the quick-uaa-deployment/releases for the list of BOSH releases that are included when you run quaa up from the master branch.

The project has a CI pipeline that tracks all upstream BOSH releases to ensure we keep your UAA as up-to-date as possible.

Offline download

The instructions above will progressively download any missing CLIs, BOSH releases, and the BOSH stemcell. On your first run this can add up to almost 1G. If you need to download everything at once and then proceed with the deployment, we publish an offline tarball via CDN.

To discover the latest offline tarball, download it, unpack, and bootstrap your quick UAA:

curl -s https://raw.githubusercontent.com/starkandwayne/quick-uaa-deployment/master/bin/download-latest-offline | bash

mkdir -p ~/workspace/quick-uaa-deployment
tar xfz uaa-deployment-offline-*.tar.gz -C ~/workspace/quick-uaa-deployment

You can now use ~/workspace/quick-uaa-deployment as per the rest of the article above.

cd ~/workspace/quick-uaa-deployment
eval "$(bin/quaa env)"
quaa up
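
The offline steps above pipe a remote script straight into bash and unpack a downloaded tarball. The following is an added example, not part of the Quick UAA project: it saves the helper to a file so it can be read before it runs, and lists the tarball's entries before extracting. The function names are hypothetical; the URL is the one from this article.

```bash
#!/usr/bin/env bash
# Added example, not from quick-uaa-deployment. Function names are hypothetical.

# Helper script URL, as given in the article.
SCRIPT_URL="https://raw.githubusercontent.com/starkandwayne/quick-uaa-deployment/master/bin/download-latest-offline"

# Save the helper to a file instead of piping it into bash, so it can be
# reviewed first. -f fails on HTTP errors, -L follows redirects.
fetch_for_review() {
  local out="${1:-download-latest-offline}"
  curl -fsSL "$SCRIPT_URL" -o "$out" || return 1
  echo "Saved to $out. Review it, then run: bash $out"
}

# Read a tar listing on stdin. Fail if any entry is an absolute path or
# contains a ".." component, either of which could write outside the target.
listing_is_safe() {
  local entry
  while IFS= read -r entry; do
    case "$entry" in
      /*|..|../*|*/..|*/../*)
        echo "unsafe tar entry: $entry" >&2
        return 1
        ;;
    esac
  done
  return 0
}

# List the archive first; extract only when every entry stays inside dest.
safe_extract() {
  local tarball="$1" dest="$2" listing
  listing="$(tar tzf "$tarball")" || return 1
  printf '%s\n' "$listing" | listing_is_safe || return 1
  mkdir -p "$dest"
  tar xzf "$tarball" -C "$dest"
}

# Usage, mirroring the article's steps:
#   fetch_for_review && less download-latest-offline && bash download-latest-offline
#   safe_extract uaa-deployment-offline-*.tar.gz ~/workspace/quick-uaa-deployment
```

The listing check covers entry names only; it does not inspect symlink targets inside the archive.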

Deploy the UAA to Cloud Foundry

In a future article we will introduce the companion project that makes it very easy to deploy the UAA to any Cloud Foundry.