How to download the pull secret from Red Hat Hybrid Cloud Console using a REST API call?

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Red Hat Hybrid Cloud Console
  • Pull Secret

Issue

  • How to download the pull secret from <cloud.redhat.com/openshift/install/pull-secret> using a REST API call?
  • How to automate the download of the pull secret needed for OpenShift 4 installs?
  • Trying to get the pull secret via a REST API call using a username and password fails with the error "Client not allowed for direct access grants".

Resolution

The API for <https://cloud.redhat.com/openshift/> is at <https://api.openshift.com/>. The pull secret endpoint is POST /api/accounts_mgmt/v1/access_token.

Requests must be authenticated with a Bearer token, which can be obtained from the second section at <https://cloud.redhat.com/openshift/token>. That page details using a long-lived access token, which is also obtained there.

# OFFLINE_ACCESS_TOKEN must already hold the token copied from the page above.
# Exchange it for an access token to use as the Bearer token.
$ export BEARER=$(curl \
--silent \
--data-urlencode "grant_type=refresh_token" \
--data-urlencode "client_id=cloud-services" \
--data-urlencode "refresh_token=${OFFLINE_ACCESS_TOKEN}" \
https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token | \
jq -r .access_token)

# Request the pull secret, authenticating with the Bearer token.
$ curl -X POST https://api.openshift.com/api/accounts_mgmt/v1/access_token --header "Content-Type:application/json" --header "Authorization: Bearer $BEARER" | jq

{
  "auths": {
    "cloud.openshift.com": {
      "auth": "<snip>",
      "email": "<user's email>"
    },
    "quay.io": {
      "auth": "<snip>",
      "email": "<user's email>"
    },
    "registry.connect.redhat.com": {
      "auth": "<snip>",
      "email": "<user's email>"
    },
    "registry.redhat.io": {
      "auth": "<snip>",
      "email": "<user's email>"
    }
  }
}
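
For unattended installs, the same two calls can be wrapped so that the response is checked before it is used and the file is written readable only by its owner. The following is an added example, not Red Hat's code; the function names and the default file name pull-secret.json are hypothetical, and it assumes each "auth" value is base64 of "user:password" as in the standard registry auth-file format.

```python
import base64, json, os, sys
import urllib.parse, urllib.request

# Both URLs are the ones used by the curl commands above.
SSO_URL = "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token"
API_URL = "https://api.openshift.com/api/accounts_mgmt/v1/access_token"

def _post(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_pull_secret(offline_token):
    """Exchange the offline token for a Bearer token, then request the pull secret."""
    form = urllib.parse.urlencode({"grant_type": "refresh_token",
                                   "client_id": "cloud-services",
                                   "refresh_token": offline_token}).encode()
    bearer = _post(SSO_URL, form, {})["access_token"]
    return _post(API_URL, b"", {"Content-Type": "application/json",
                                "Authorization": "Bearer " + bearer})

def validate_pull_secret(secret):
    """Return the sorted registry names; raise ValueError on a malformed secret."""
    auths = secret.get("auths") if isinstance(secret, dict) else None
    if not isinstance(auths, dict) or not auths:
        raise ValueError("response has no 'auths' object")
    for registry, entry in auths.items():
        try:
            # Assumption: "auth" is base64 of "user:password" (registry auth-file format).
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except (KeyError, TypeError, ValueError):
            raise ValueError(f"{registry}: missing or undecodable auth") from None
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            raise ValueError(f"{registry}: auth is not user:password")
    return sorted(auths)

def save_pull_secret(secret, path):
    """Write the secret so that only the owning user can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(secret, fh)
    os.chmod(path, 0o600)  # tighten the mode if the file already existed

if __name__ == "__main__":
    # OFFLINE_ACCESS_TOKEN comes from the environment, never from argv.
    secret = fetch_pull_secret(os.environ["OFFLINE_ACCESS_TOKEN"])
    print("registries:", ", ".join(validate_pull_secret(secret)))  # names only
    save_pull_secret(secret, sys.argv[1] if len(sys.argv) > 1 else "pull-secret.json")
```

Only the registry names are printed, so the credentials do not end up in CI logs or terminal scrollback.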

Root Cause

The API for <https://cloud.redhat.com/openshift/> is at <https://api.openshift.com/>. The pull secret endpoint is POST /api/accounts_mgmt/v1/access_token.
