Here are the options for providing credentials to the CF CLI for authentication to an API endpoint.
Your command shell keeps a history of the commands you run. Therefore, you should be careful when you provide credentials to command-line programs.
cf login can be used in both interactive and non-interactive mode. To use interactive mode, omit flags and you will be prompted to provide input. In this mode, your sensitive information (password) is not stored in the command shell history. You can see this by running:
You will be prompted to provide a username and password. If you scroll through the command shell history (using the up-arrow key), you will see the
cf login command but will not see your username or password.
cf login also supports single use (one-time) passcodes. This flow directs you to authenticate via a web browser to obtain a passcode. You then paste this passcode into the terminal window. Because you are authenticating via a browser, you have mitigated the risk of your password ending up in the command shell history.
You can try this via:
cf login --sso
The CF CLI will output a URL. You should copy and paste this in a browser, where you’ll be prompted to authenticate in exchange for a passcode. You can copy and paste the passcode provided into the terminal window to complete authentication.
The one-time passcode flow requires you to open pages in a browser. For this reason, you should not use
cf login --sso on the exam as it may take you to a non-approved URL.
Non-interactive authentication should be used when automating interactions with Cloud Foundry (such as in CI/CD implementations). This can be achieved using
cf auth or
cf login with parameters.
cf auth, you can set the
CF_PASSWORD environment variables or you can pass in a username and password as parameters. However, using the environment variables is typically preferred, provided you can set them without adding them to the command shell history where the automation is running.
When you authenticate with Cloud Foundry, the CLI caches a token locally on your machine. As you make requests (like pushing an app), the CLI is including this token in your requests. By doing this, you do not have to authenticate on every request. This means you can continue to work and will only need to re-authenticate when your token expires and can’t be refreshed. However, this also means you need to be mindful to log out when appropriate to ensure someone cannot use your computer for nefarious purposes.
If you run
cf target, you will see that you are authenticated. You can then log out using:
If you re-run
cf target, you will see you are no longer logged in.