VMware {code}

  • 1.  Working with vCenter API with read-only user

    Posted Jun 27, 2024 02:42 PM

    Hi, I wanted to ask if the behaviour I noticed is expected or not.

    Basically, I wanted to get info about the version of the ESXi nodes connected to the cluster. Listing nodes using "/api/vcenter/host" works OK.

    When I try "/software/installed-components" or "/api/esx/software" I get this response:

    {
        "error_type": "UNAUTHORIZED",
        "messages": []
    }

    It starts to work when I change the user role to administrator, but that's not what I want to use for security reasons. Why don't these API endpoints work with a read-only user?



  • 2.  RE: Working with vCenter API with read-only user

    Posted Jul 01, 2024 09:54 AM

    It's not possible to use a read-only user to do this. To follow the principle of least privilege, you can create a custom role and add this privilege to it: VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Read.

    Also, instead of using /api/esx/software you can use /api/esx/hosts/host-xxxxx/software/installed-components.

    The /api/esx/software endpoint only makes sense for querying ESXi hosts that aren't connected to a vCenter.

    https://developer.broadcom.com/xapis/vsphere-automation-api/latest/esx/api/esx/software/get/

    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-4652CD42-A5AA-45C3-92B0-2164843E26D4.html




  • 3.  RE: Working with vCenter API with read-only user

    Posted Jul 01, 2024 10:07 AM

    It's not possible to use a read-only user to do this. You can create a custom role and add the following privilege: VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Read


    Also, if your ESXi host is connected to a vCenter Server, you should use the API path https://{api_host}/api/esx/hosts/{host-xxxxx}/software/installed-components

    The https://{api_host}/api/esx/software path is recommended when you have standalone ESXi hosts.
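
A way to confirm that a custom-role account can read installed components on every host, and to see which hosts still answer `UNAUTHORIZED`. This is an added example, not code from the thread or from VMware. It assumes a session ID was already obtained for that account and is sent in the `vmware-api-session-id` header; the host names, host IDs, the 403 status and `fake_get` are constructed for the offline run.

```python
import json
import urllib.error
import urllib.request

# Path quoted in the replies above; {host} is an ID such as host-xxxxx.
COMPONENTS_PATH = "/api/esx/hosts/{host}/software/installed-components"


def http_get(base_url, path, session_id):
    """GET a vCenter REST path and return (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(
        base_url + path, headers={"vmware-api-session-id": session_id})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:  # error replies carry a JSON body with "error_type"
            return err.code, json.loads(err.read())
        except ValueError:
            return err.code, {}


def audit_component_access(get, base_url, session_id):
    """Map each host name to 'ok' or the error_type the API returned."""
    status, hosts = get(base_url, "/api/vcenter/host", session_id)
    if status != 200:
        raise PermissionError(f"cannot list hosts: {hosts.get('error_type', status)}")
    report = {}
    for h in hosts:
        path = COMPONENTS_PATH.format(host=h["host"])
        status, body = get(base_url, path, session_id)
        report[h["name"]] = "ok" if status == 200 else body.get("error_type", f"HTTP {status}")
    return report


def fake_get(base_url, path, session_id):
    """Constructed offline transport: two hosts, the second denies the read."""
    if path == "/api/vcenter/host":
        return 200, [{"host": "host-1001", "name": "esx-a.example"},
                     {"host": "host-1002", "name": "esx-b.example"}]
    if path.startswith("/api/esx/hosts/host-1001/"):
        return 200, {}  # constructed; the real body is not interpreted here
    return 403, {"error_type": "UNAUTHORIZED", "messages": []}


if __name__ == "__main__":
    # Swap fake_get for http_get plus a real base URL and session ID to run live.
    print(audit_component_access(fake_get, "https://vcenter.example", "constructed"))
```

Any host reported as `UNAUTHORIZED` is one where the role carrying the Image Privileges.Read privilege does not apply to the account.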



