API token permission to create VMs

dsexton18

Member
Jul 3, 2023
I am trying to set up the proper API token permission for a user to create VMs. I added the below with role PVEAdmin, but still get the below error.
/nodes
/pool
/storage
/vms
/storage/local
/storage/vm_data

Error creating VM: error creating VM: 403 Permission check failed, error status: {"data":null} (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:packer ephemeral build VM hotplug: ide2:vm_data:iso/Rocky-8.8-x86_64-dvd1.iso,media=cdrom kvm:true machine: memory:2048 name:packer-64aaad07-97eb-0b06-9f7c-87c4775085f4 net0:virtio=DE:DB:5C:B7:B6:A4,bridge=vmbr0,firewall=false onboot:false ostype:l26 scsi0:local-lvm:100,format=raw,iothread=false scsihw:virtio-scsi-single sockets:1 startup: tags: vmid:102])
Build 'proxmox.autogenerated_1' errored after 45 milliseconds 36 microseconds: Error creating VM: error creating VM: 403 Permission check failed, error status: {"data":null} (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:packer ephemeral build VM hotplug: ide2:vm_data:iso/Rocky-8.8-x86_64-dvd1.iso,media=cdrom kvm:true machine: memory:2048 name:packer-64aaad07-97eb-0b06-9f7c-87c4775085f4 net0:virtio=DE:DB:5C:B7:B6:A4,bridge=vmbr0,firewall=false onboot:false ostype:l26 scsi0:local-lvm:100,format=raw,iothread=false scsihw:virtio-scsi-single sockets:1 startup: tags: vmid:102])
 
Hello, how exactly are you using the API? Did you login with your api token?
 
I am using Packer to make a template. I was trying to set up Packer to use the API token. I can create a template using user name and password. No luck using the API token.
 
Note that when using a token to log in, you have to use USER@HOST!TOKEN instead of USER@HOST, where TOKEN is the token name, see [1].

Additionally, the permissions that are granted to a token can only be a subset of the permissions the user already has. Did you check that your user also has at least the PVEAdmin role?

[1] https://pve.proxmox.com/wiki/Proxmox_VE_API#API_Tokens
 
I was also running into the 403 when creating a VM through the API on Proxmox 8.

Creating a VM works fine:
getattr(api_node, 'qemu').create(**{'name': 'new-name', 'vmid': 286, 'sockets': 1, 'numa': 0, 'ostype': 'l26', 'boot': 'cd', 'cores': 6, 'memory': 16384, 'scsihw': 'virtio-scsi-pci'})

But not if we add a network interface:
getattr(api_node, 'qemu').create(**{'name': 'new-name', 'vmid': 286, 'sockets': 1, 'numa': 0, 'ostype': 'l26', 'boot': 'cd', 'cores': 6, 'memory': 16384, 'scsihw': 'virtio-scsi-pci', 'net0': 'virtio=11:22:33:44:55:66,bridge=vmbr2,firewall=1'})
*** proxmoxer.core.ResourceException: 403 Forbidden: b'{"data":null}'

This used to work fine with Proxmox 6 & 7.

Apparently we need more powers than just PVEVMAdmin for that on Proxmox 8: when giving PVEAdmin powers, creating works fine.

See the Access Control bits in https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_8.0 -- look for SDN.Use. Giving my user the additional PVESDNAdmin role is (more than) sufficient to make things work again.

Cheers,
Walter Doekes
OSSO B.V.
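
The two points raised in this thread (a token never holds more than its owning user, and on Proxmox 8 a network interface needs SDN.Use on top of the VM privileges), as an added example that is not code from any poster or from Proxmox. It is a simplified Python model: the reduced role contents, the `/sdn/zones/localnetwork/<bridge>` ACL path and the `packer@pve` principals are assumptions.

```python
# Added example: simplified model of Proxmox VE permission checks for tokens.
# Role contents are a reduced, assumed subset of the real privilege lists.
ROLES = {
    "PVEVMAdmin": {"VM.Allocate", "VM.Config.Network", "VM.Config.Disk"},
    "PVESDNAdmin": {"SDN.Allocate", "SDN.Audit", "SDN.Use"},
    "PVEAdmin": {"VM.Allocate", "VM.Config.Network", "VM.Config.Disk",
                 "Datastore.AllocateSpace", "SDN.Use"},
}

def privs(acl, principal, path):
    """Privileges of one principal on path; the nearest ACL entry wins."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts), -1, -1):
        roles = acl.get(("/" + "/".join(parts[:depth]), principal))
        if roles:
            return set().union(*(ROLES[r] for r in roles))
    return set()

def token_privs(acl, user, token, path):
    """Privilege-separated token: never more than its owning user has."""
    return privs(acl, user, path) & privs(acl, token, path)

def missing_for_create(acl, user, token, vmid, storage=None, bridge=None):
    """(path, privilege) pairs the token lacks for a VM create request."""
    needed = [(f"/vms/{vmid}", "VM.Allocate")]
    if storage:
        needed.append((f"/storage/{storage}", "Datastore.AllocateSpace"))
    if bridge:  # assumed PVE 8 ACL path for a plain Linux bridge
        needed.append((f"/sdn/zones/localnetwork/{bridge}", "SDN.Use"))
    return [(p, x) for p, x in needed
            if x not in token_privs(acl, user, token, p)]

def grant(acl, path, roles, *principals):
    """Add an ACL entry for each principal (constructed helper)."""
    for who in principals:
        acl.setdefault((path, who), set()).update(roles)
    return acl

# Constructed principals, not taken from the thread.
USER, TOKEN = "packer@pve", "packer@pve!build"

if __name__ == "__main__":
    acl = grant({}, "/", {"PVEVMAdmin"}, USER, TOKEN)
    print(missing_for_create(acl, USER, TOKEN, 286))                  # no NIC
    print(missing_for_create(acl, USER, TOKEN, 286, bridge="vmbr2"))  # with NIC
    grant(acl, "/", {"PVESDNAdmin"}, USER, TOKEN)
    print(missing_for_create(acl, USER, TOKEN, 286, bridge="vmbr2"))
```

On a real host, the effective privileges are what the server computes; the model only shows why a role granted to the token alone, or a VM-only role, still ends in a 403.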
 
