ACME API endpoint: 403 Permission check failed (user != root@pam) - despite user being root@pam

[c10l]

The title says pretty much it all.

I'm writing an API client and a Terraform provider for Proxmox VE. So far the `version` and `storage` endpoints are working (albeit not necessarily complete ). I'm now trying to create an ACME account but I get a `403 Permission check failed (user != root@pam)` error.

The API token I'm using does belong to `root@pam` though. I tried setting privilege separation on and off but it had no effect.

 

[mira]

The permission checks for root@pam check for root@pam exactly.
An API token has the user root@pam!<token-id> so it doesn't match.

So API tokens don't work for parts of the API that require root@pam.

 

[c10l]

So how do I use that API endpoint? Or if it's unusable, why does it even exist?

 

[mira]

Use the user root@pam directly instead of an API Token for that user.

 

[c10l]

Ok, thanks. I'll see if I can find the docs on how to do that.

Are there plans to make this role-based and allow these permissions to be given to other users, or at least to a root API token that can do only that? It's not great that I need to give my API clients full superuser powers just to create an ACME account. It breaks the principle of least privilege spectacularly.

 

[mira]

There are plans to limit requirements for root@pam, and make it possible for more parts of the API to be used by other users.
But when and how that will be implemented, I can't say.

A great first step should be: https://pve.proxmox.com/wiki/Proxmox_VE_API
Basically authenticate and get a ticket.

 

[c10l]

Thanks!

 

[c10l]

Hi @mira !

I have succeeded in implementing the ticket-based workflow for the ACME endpoints. However, if the `root` user has MFA enabled, I can't get a ticket.

Is there a way to make this work?
Otherwise I'll have to disable MFA for the root user, further reducing my security posture.

Thanks!

 

[mira]

I'd suggest looking at how the built-in GUI does it. With both the developer tools of your browser and the code: https://git.proxmox.com/?p=pve-manager.git; and https://git.proxmox.com/?p=proxmox-widget-toolkit.git

The GUI uses the API itself, so you can inspect every API call with the browser and see which parameters are sent and the response.

 

[fabian]

we could also re-evaluate whether that endpoint even needs root@pam, given that neither configuring the plugins nor ordering/renewing/deleting an ACME cert requires it (those all "just" require "Sys.Modify" on "/")

 

[c10l]

Thanks @mira , I'll have a look.

@fabian that would be ideal, since at this point I'm probably looking at implementing a TOTP client on my Terraform provider, and requiring the TOTP seed as an argument, which is less than ideal. Either that, or requiring MFA to be disabled which is also not great.

 

[contabosucks]

Use the user root@pam directly instead of an API Token for that user.

Hi @mira,

i ran into this issue with using "telmate/proxmox" terraform provider. i'm trying to provision privileged lxc containers since that seems to be the only workaround to spin up k3s on lxc. since the proxmox api is telling me, that "changing feature flags for privileged container is only allowed for root@pam" i tried to provisioning via the api directly as root@pam (without token) . but still the same error message comes up. to be clear: i still use terraform but now with user/password instead of access token.

Thanks for your help!

PS: I'm on proxmox 7.4-17

 

[mira]

That should actually work since it's a check on the username. Can you provide a bit more detail? Which API call is it exactly, what are the parameters?

I'd suggest NOT running those in a container. Prefer running it inside a VM instead.