Working with vCenter API with read-only user

View Only

Back to discussions

Expand all | Collapse all

Working with vCenter API with read-only user

1. Working with vCenter API with read-only user

Recommend
Bartosz Suchecki
Posted Jun 27, 2024 02:42 PM

Reply Reply Privately
Hi, I wanted to ask if behaviour I noticed is expected or not.

Basically I wanted to get info about ESXi node version connected to cluster. Listing nodes using "/api/vcenter/host" works ok.

When i try "/software/installed-components" or "/api/esx/software" I get response:

{ "error_type": "UNAUTHORIZED", "messages": [] }

It start to work when I change user role to administrator but Its not what I want to use for security reason. Why these API endpoints dont work with read-only user?
2. RE: Working with vCenter API with read-only user

Recommend
Thomas Rodrigues
Posted Jul 01, 2024 09:54 AM

Reply Reply Privately
It`s not possible to use a read-only user to do this. To follow the principle of least privilege you can create a custom role and give add this privilege to it: VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Read.

Also, Instead of using the /api/esx/software you can use /api/esx/hosts/host-xxxxx/software/installed-components.

The /api/esx/software only makes sense to query esxi hosts who aren`t connect to a vcenter.

https://developer.broadcom.com/xapis/vsphere-automation-api/latest/esx/api/esx/software/get/

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-4652CD42-A5AA-45C3-92B0-2164843E26D4.html

Original Message
3. RE: Working with vCenter API with read-only user

Recommend
Thomas Rodrigues
Posted Jul 01, 2024 10:07 AM

Reply Reply Privately
It`s not possible to use a read-only user to do this. You can create a custom role with and add the following privilege VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Read

Also, if your esxi host is connected to a vcenter server, you should use the api path https://{api_host}/api/esx/hosts/{host-xxxxx}/software/installed-components

The https://{api_host}/api/esx/software is recommended when you have standalone esxi hosts.

Original Message
4. RE: Working with vCenter API with read-only user

Recommend
Thomas Rodrigues
Posted Jul 01, 2024 10:08 AM

Reply Reply Privately
It`s not possible to use a read-only user to do this. You can create a custom role with and add the following privilege VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Read

Also, if your esxi host is connected to a vcenter server, you should use the api path https://{api_host}/api/esx/hosts/{host-xxxxx}/software/installed-components

The https://{api_host}/api/esx/software is recommended when you have standalone esxi hosts.

Original Message

VMware {code}

Working with vCenter API with read-only user

Bartosz SucheckiJun 27, 2024 02:42 PM

Thomas RodriguesJul 01, 2024 09:54 AM

Thomas RodriguesJul 01, 2024 10:07 AM

Thomas RodriguesJul 01, 2024 10:08 AM

1. Working with vCenter API with read-only user

2. RE: Working with vCenter API with read-only user

3. RE: Working with vCenter API with read-only user

4. RE: Working with vCenter API with read-only user