12 Replies Latest reply on Jul 30, 2019 4:56 AM by daphnissov

    Create a New API User

    Dfitz Novice

      Only 'Administrator@vsphere.local' has permissions to authenticate and use the API.

      Is there a way to create a new API user?

        • 1. Re: Create a New API User
          daphnissov Guru

          There are no special API permissions and administrator@vsphere.local is not the only user with them. What you can do with the API depends on the role assigned to you through vCenter.

          • 2. Re: Create a New API User
            Dfitz Novice

            daphnissov, between users, groups, roles, and identity sources, it can get confusing. Nothing has worked so far, which is why I'm asking here on the forums. Do you have steps you can share?

            • 3. Re: Create a New API User
              daphnissov Guru

              As I sort of mentioned, API permissions are nothing "special". In vCenter, you have to assign a user to a role. That user can come from an external directory service like AD or it can come from an internal source like the default SSO domain (vsphere.local). When you assign a user to a role, it has permissions commuted to it depending on where that role is attached. Permissions then propagate from that parent object to its children. From the API perspective, the operation you wish to perform still needs to be allowed by that role with which you're authenticating. For example, if you're trying to make a change to a VM and you have read-only access, that change will obviously fail. And it'll fail just like it would in the UI.

              • 4. Re: Create a New API User
                Dfitz Novice

                Created a new user and assigned the 'Administrator' role. Logged into the API Explorer and hit the GET commands on several commands in the vapi, appliance, vcenter, and cis APIs. Every time getting the same 401 response:

                {
                  "type": "com.vmware.vapi.std.errors.unauthorized",
                  "value": {
                    "messages": [
                      {
                        "args": [],
                        "default_message": "Unable to authorize user",
                        "id": "vapi.security.authorization.invalid"
                      }
                    ]
                  }
                }

                This is a fresh vCenter appliance installed with Embedded PSC.

                Going through the same steps with 'administrator@vsphere.local' returns content and a 200 response.

                • 5. Re: Create a New API User
                  daphnissov Guru

                  Did you login in the upper-right corner? Can you create a valid session with a POST to /com/vmware/cis/session? This may also be easier with a REST client like Postman. There are already pre-built collections out there for you to use (Google) which makes it very simple to get started.
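The session POST mentioned above and the 401 body quoted in reply 4, put together as an added example (this is not code from the thread or from VMware): a small client that mints a vCenter REST session, reuses the session id for a GET, and parses the vAPI error document so a script can tell "login refused" from "operation not permitted". The `/rest` prefix and the `vmware-api-session-id` header are taken from the 6.7 REST endpoint's conventions, not from the thread; the host name, user names, password, session id, VM list and the transport function are all constructed so the code runs offline.

```python
"""Added example, not code from the thread: mint a vCenter 6.7 REST session with
the POST daphnissov describes, reuse it for a GET, and turn the 401 body quoted in
reply 4 into something a script can act on.  The host, user names, password,
session id and every response below are constructed, and the HTTP transport is
injected so the whole thing runs offline."""
import base64
import json
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                                  # (HTTP status, body text)
Transport = Callable[[str, str, Dict[str, str]], Response]  # (method, url, headers) -> Response

SESSION_PATH = "/rest/com/vmware/cis/session"  # session endpoint; /rest prefix as on the 6.7 REST API
SESSION_HEADER = "vmware-api-session-id"       # header that carries the session id on later calls


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """Basic credentials go out exactly once, to create the session; later calls use the id."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def parse_vapi_error(body: str) -> Dict[str, str]:
    """Extract type, error id and message from a vAPI error document (shape as quoted in reply 4)."""
    doc = json.loads(body)
    messages = doc.get("value", {}).get("messages", [])
    first = messages[0] if messages else {}
    return {"type": doc.get("type", ""),
            "id": first.get("id", ""),
            "message": first.get("default_message", "")}


def create_session(transport: Transport, host: str, user: str, password: str) -> str:
    """POST to the session endpoint and return the session id, or raise carrying the vAPI error id."""
    status, body = transport("POST", f"https://{host}{SESSION_PATH}",
                             basic_auth_header(user, password))
    if status == 200:
        return json.loads(body)["value"]
    err = parse_vapi_error(body)
    raise PermissionError(f"{status} {err['type']} ({err['id']}): {err['message']}")


def list_vms(transport: Transport, host: str, session_id: str) -> List[dict]:
    """GET /rest/vcenter/vm with the session header; the role on the vCenter object decides what comes back."""
    status, body = transport("GET", f"https://{host}/rest/vcenter/vm", {SESSION_HEADER: session_id})
    if status != 200:
        err = parse_vapi_error(body)
        raise PermissionError(f"{status} {err['type']} ({err['id']}): {err['message']}")
    return json.loads(body)["value"]


# Constructed responses: the 401 body is the one quoted in reply 4, the rest is made up here.
UNAUTHORIZED_BODY = json.dumps({
    "type": "com.vmware.vapi.std.errors.unauthorized",
    "value": {"messages": [{"args": [], "default_message": "Unable to authorize user",
                            "id": "vapi.security.authorization.invalid"}]}})
FAKE_SESSION_ID = "constructed-session-id-0001"
FAKE_VMS = [{"vm": "vm-1", "name": "constructed-vm", "power_state": "POWERED_ON"}]


def fake_transport(authorized_users: List[str]) -> Transport:
    """Stand-in for HTTPS: only the listed users may create a session, mirroring the thread's symptom."""
    def transport(method: str, url: str, headers: Dict[str, str]) -> Response:
        if method == "POST" and url.endswith(SESSION_PATH):
            raw = base64.b64decode(headers.get("Authorization", "Basic ").split(" ", 1)[1]).decode()
            user = raw.split(":", 1)[0]
            if user in authorized_users:
                return 200, json.dumps({"value": FAKE_SESSION_ID})
            return 401, UNAUTHORIZED_BODY
        if headers.get(SESSION_HEADER) == FAKE_SESSION_ID:
            return 200, json.dumps({"value": FAKE_VMS})
        return 401, UNAUTHORIZED_BODY
    return transport


def probe(transport: Transport, host: str, user: str, password: str) -> str:
    """Return 'ok:<vm count>' when the user can log in and list; otherwise the error text with its vAPI id."""
    try:
        sid = create_session(transport, host, user, password)
        return f"ok:{len(list_vms(transport, host, sid))}"
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed scenario: only the built-in administrator is accepted at the session step.
    vc = fake_transport(["administrator@vsphere.local"])
    for user in ("administrator@vsphere.local", "apiuser@vsphere.local"):
        print(user, "->", probe(vc, "vcenter.example.test", user, "constructed-password"))
```

Against a real appliance, replace `fake_transport` with a function that performs the HTTPS request with certificate verification on; nothing else changes. The split into two calls is the point: a 401 on the session POST itself, as in reply 4, means the identity is refused before any role is consulted, whereas a session that succeeds and then a 401 on the GET means the role attached to the vCenter object does not cover that operation, which is the behaviour daphnissov describes.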

                  • 6. Re: Create a New API User
                    Dfitz Novice

                    I can login and logout in the upper right corner without any issues.  I'm comfortable using Ansible URI, but postman is a nice utility that I've used before.

                    • 7. Re: Create a New API User
                      Dfitz Novice

                      No way to do this in vCenter 6.5.


                      For 6.7 the user must be in "SSO->Groups->Administrators" to create a valid API session and run some GET commands.   

                      This answers my OP.


                      The user is not able to Create/Modify/Delete local users even though they have the vCenter Appliance Role 'superAdmin'.    

                      Cannot perform these actions through the API or UI.  

                      The UI is unavailable if they don't have permissions in the vCenter Object.  I have to manually add them to a different role defined at that location.

                      Those are separate issues and I'll start a new thread.


                      Appliance Role, Object Role, and SSO Groups, does this confuse anyone else?

                      • 8. Re: Create a New API User
                        daphnissov Guru

                        Dfitz wrote:

                        For 6.7 the user must be in "SSO->Groups->Administrators" to create a valid API session and run some GET commands.

                        This answers my OP.

                        That's not accurate. I have a user in AD which is not in the SSO Administrators group who is a vCenter-level administrator and I can use the API successfully. I don't have any 6.5 vCenter environments laying around to test, but this does work in 6.7. And even if I have a user with read-only permissions at the vCenter level (again, not in any SSO groups whatsoever), I can still use the REST API to perform operations on which I have permission. So, for example, I can list objects but I can't create a new VM.

                        • 9. Re: Create a New API User
                          Dfitz Novice

                          not in the SSO Administrators group who is a vCenter-level administrator and I can use the API successfully.

                          It does not work for a local user.  A local user not in SSO and assigned the Administrator role cannot use the API.

                          Couple of things to note.

                          SSO Administrators group is assigned the vCenter Object Administrator role by default.  This means it should not matter if assigned the role directly or through the SSO group, but it does.   

                          There must be something else I'm not seeing yet.

                          I don't have AD on this network, but I will make one.  I'm not sure why that would make a difference, but it clearly does.

                          • 10. Re: Create a New API User
                            daphnissov Guru

                            It does not work for a local user.  A local user not in SSO and assigned the Administrator role cannot use the API.

                            I'm sorry, but I'm also not able to confirm this is true. I have created a user in the SSO domain (vsphere.local) named "billy" and assigned him read-only permissions at the root vCenter object. Those permissions I set to propagate to children. I have the same level of REST API permissions as do a user from an external identity source with the same role assigned.

                            • 11. Re: Create a New API User
                              hideyori Novice

                              Hello daphnissov,

                              I have the same issue as dfitz on vCenter VCSA 6.7, only if the <Username>@vsphere.local user is in the SSO > Administrators group it works, otherwise not.

                              If you create a fresh API user, where exactly do you give permissions so he can at least list information with GET command?

                              Regards

                              Hideyori

                              • 12. Re: Create a New API User
                                daphnissov Guru

                                You should instead use users from an external directory source. Don't create internal users to the SSO domain if that's the case.