Compose Dedicated API Tokens for Bluemix Dedicated

Published

This guide will take you through the steps needed to obtain a Compose API token for the Bluemix Dedicated platform.

The Bluemix Dedicated platform is not integrated with IAM, the access control system which is what the Compose API uses to control access. The Compose API has therefore been adapted to accept a specially wrapped token from the dedicated domain, based on the user's UAA Token being converted into an MCCP token. We call these Compose Dedicated API tokens. Unlike Compose API tokens, these dedicated tokens have a limited lifespan.

We will now step through the process of generating a Compose Dedicated API Token.

In these examples, we'll be using DEDICATED.bluemix.net as the domain of a Bluemix Dedicated service.

IMPORTANT: You will need to substitute this "DEDICATED" domain name with your own dedicated domain name.

We'll be working with a Bluemix organization of exmporg and a space called exmpspace.

Step 1: Log in to MCCP.

The MCCP (Multi Cloud Controller Proxy) is the controller which can provide the required tokens. Begin the process by logging into your MCCP.

bx login -a mccp.DEDICATED.bluemix.net  

Step 2: Target the organization and space.

bx target -o exmporg -s exmpspace  

Step 3: Get the UAA Bearer token.

The UAA Bearer token will let you request the API Token. To view your current tokens run:

bx iam oauth-tokens  

This command produces output similar, but not identical to this:

IAM token:  Bearer eyJraWQiOiIyzude0qC1IZ1Xe7rIqwQpWfnOgbh5ikdARNJ9qzmgZXIiLCJwYXNzd29yZCIsImNmIiZXIiLCJwYXNzd29yZCIsImNmIiwidWFhIiwib3BlbmlkIl1iemlkIjoidWFhIiwiYXVkIjpb82jnjkiTYSD  
UAA token:  bearer eyJhbGciOiJIUzI1Nia2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImNsb3VkX2NvbnRyb2xsZXIiLCJwYXNzd29yZCIsImNmIiwidWFhIiwib3BlbmlkIl19.gLOr1-5MhA0EXryoIdrj5xQMTs4joE7_Rn52JRnTSTc  

The tokens run over multiple lines; we've shortened the examples for readability.

The text you want is on the UAA token line and starts after the word bearer. In the above example, that would be the text:

eyJhbGciOiJIUzI1Nia2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImNsb3VkX2NvbnRyb2xsZXIiLCJwYXNzd29yZCIsImNmIiwidWFhIiwib3BlbmlkIl19.gLOr1-5MhA0EXryoIdrj5xQMTs4joE7_Rn52JRnTSTc  

This text is the UAA Bearer Token and You'll need it for the next step.

Step 4: Requesting the Compose API Token

The obtaining of the API token is performed by a REST POST request. The command to perform this is:

bx cf curl -X POST /annotation/access_token -d { "access_token": "UAA Bearer Token" }  

Using our example token from the previous step, this command would be run like so:

$ bx cf curl -X POST /annotation/access_token -d { "access_token": "eyJhbGciOiJIUzI1Nia2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImNsb3VkX2NvbnRyb2xsZXIiLCJwYXNzd29yZCIsImNmIiwidWFhIiwib3BlbmlkIl19.gLOr1-5MhA0EXryoIdrj5xQMTs4joE7_Rn52JRnTSTc" }
Invoking 'cf curl -X POST /annotation/access_token -d {"access_token": "eyJhbGciOiJIUzI1Nia2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImNsb3VkX2NvbnRyb2xsZXIiLCJwYXNzd29yZCIsImNmIiwidWFhIiwib3BlbmlkIl19.gLOr1-5MhA0EXryoIdrj5xQMTs4joE7_Rn52JRnTSTc"}'...

{
   "access_token": "bmmcpNTZlYTBmNzQ1NmU2ODRiNTVmMzFhZWYxMWEyNTMzNDE1MTI2ZWI2MmY0ZWE3ZDkwODgyMzM0MWM0OWE2NDE2NzBjZjAwMzQ5OTQ5OTYzNmI5YTFjOTJmNTBmZDY5ZTk3YWE1ZDBiMWZkNGY1OTdjNzQzOWUwMzE0OGMxMGM5YjggIGNyZWF0ZXBvcnRhbC5zaAo="
}

The access token here is the Compose Dedicated API Token and should be handled securely for deployment to applications which require it.

Alternatively: Steps 3 and 4 Combined

You may wish to script the generation of the Compose API Token. This one-line script can be saved as a shell script and upon running will complete steps 3 and 4, returning a Compose API Token.

TOKEN=`bx iam oauth-tokens | awk '$1=="UAA" { print $4; }'`; bx cf curl -X POST /annotation/access_token -d "{ \"access_token\": $TOKEN }"