VMware vSphere

Only 'Administrator@vsphere.local' has permissions to authenticate and use the API.

Is there a way to create a new API user?

There are no special API permissions and administrator@vsphere.local is not the only user with them. What you can do with the API depends on the role assigned to you through vCenter.

daphnissov​  Between users, groups, roles, and identity sources, it can get confusing.  Nothing has worked so far which is why I'm asking here on the forums.  Do you have steps you can share?

As I sort of mentioned, API permissions are nothing "special". In vCenter, you have to assign a user to a role. That user can come from an external directory service like AD or it can come from an internal source like the default SSO domain (vsphere.local). When you assign a user to a role, it has permissions commuted to it depending on where that role is attached. Permissions then propagate from that parent object to its children. From the API perspective, the operation you wish to perform still needs to be allowed by that role with which you're authenticating. For example, if you're trying to make a change to a VM and you have read-only access, that change will obviously fail. And it'll fail just like it would in the UI.

Created a new user and assigned the 'Administrator' role.  Logged into the API Explorer and hit the GET commands on several commands in vapi, appliance, vcenter, and cis API's.  Every time getting the same 401 response. { "type": "com.vmware.vapi.std.errors.unauthorized", "value": { "messages": [ { "args": [], "default_message": "Unable to authorize user", "id": "vapi.security.authorization.invalid" } ] } }   

This is a fresh vCenter appliance installed with Embeded PSC.   

Going through the same steps with 'administrator@vsphere.local' returns content and a 200 response.

Did you login in the upper-right corner? Can you create a valid session with a POST to /com/vmware/cis/session? This may also be easier with a REST client like Postman. There are already pre-built collections out there for you to use (Google) which makes it very simple to get started.

I can login and logout in the upper right corner without any issues.  I'm comfortable using Ansible URI, but postman is a nice utility that I've used before.

No way to do this in vCenter 6.5.

For 6.7 the user must be in "SSO->Groups->Administrators" to create a valid API session and run some GET commands.   

This answers my OP.

The user is not able to Create/Modify/Delete local users even though they have the vCenter Appliance Role 'superAdmin'.    

Cannot perform these actions through the API or UI.  

The UI is unavailable if they don't have permissions in the vCenter Object.  I have to manually add them to a different role defined at that location.

Those are separate issues and I'll start a new thread.

Appliance Role, Object Role, and SSO Groups, does this confuse anyone else?

Dfitz wrote:

For 6.7 the user must be in "SSO->Groups->Administrators" to create a valid API session and run some GET commands.

This answers my OP.

That's not accurate. I have a user in AD which is not in the SSO Administrators group who is a vCenter-level administrator and I can use the API successfully. I don't have any 6.5 vCenter environments laying around to test, but this does work in 6.7. And even if I have a user with read-only permissions at the vCenter level (again, not in any SSO groups whatsoever), I can still use the REST API to perform operations on which I have permission. So, for example, I can list objects but I can't create a new VM.

not in the SSO Administrators group who is a vCenter-level administrator and I can use the API successfully.

It does not work for a local user.  A local user not in SSO and assigned the Administrator role cannot use the API.

Couple of things to note.

SSO Administrators group is assigned the vCenter Object Administrator role by default.  This means it should not matter if assigned the role directly or through the SSO group, but it does.   

There must be something else I'm not seeing yet.

I don't have AD on this network, but I will make one.  I'm not sure why that would make a difference, but it clearly does.

It does not work for a local user.  A local user not in SSO and assigned the Administrator role cannot use the API.

I'm sorry, but I'm also not able to confirm this is true. I have created a user in the SSO domain (vsphere.local) named "billy" and assigned him read-only permissions at the root vCenter object. Those permissions I set to propagate to children. I have the same level of REST API permissions as do a user from an external identity source with the same role assigned.

Hello Dahphinssov

I have the same issue as dfitz on vCenter VCSA 6.7, only if the <Username>@vsphere.local user is in the SSO > Administrators group it works, otherwise not.

If you create a fresh API user, where exactly do you give permissions so he can at least list information with GET command?

Regards

Hideyori

You should instead use users from an external directory source. Don't create internal users to the SSO domain if that's the case.

I have done that, created a AD domain user, but I don't know where to apply the correct permissions, it only works if the user is in the Administrator group of vsphere.local.

I'm a bit late to the party, however it needs to be a global permission.
in vCenter: Administration>Access Control: Global Permission> Add