ACME API endpoint: 403 Permission check failed (user != root@pam) - despite user being root@pam

c10l

New Member
Jun 20, 2022
5
2
1
The title says pretty much it all. :)

I'm writing an API client and a Terraform provider for Proxmox VE. So far the `version` and `storage` endpoints are working (albeit not necessarily complete :D ). I'm now trying to create an ACME account but I get a `403 Permission check failed (user != root@pam)` error.

The API token I'm using does belong to `root@pam` though. I tried setting privilege separation on and off but it had no effect.
 

mira

Proxmox Staff Member
Staff member
Aug 1, 2018
1,774
195
83
The permission checks for root@pam check for root@pam exactly.
An API token has the user root@pam!<token-id> so it doesn't match.

So API tokens don't work for parts of the API that require root@pam.
 

c10l

So how do I use that API endpoint? Or if it's unusable, why does it even exist?
 

mira

Use the user root@pam directly instead of an API Token for that user.
 

c10l

Ok, thanks. I'll see if I can find the docs on how to do that.

Are there plans to make this role-based and allow these permissions to be given to other users, or at least to a root API token that can do only that? It's not great that I need to give my API clients full superuser powers just to create an ACME account. It breaks the principle of least privilege spectacularly. :)
 

mira

There are plans to limit requirements for root@pam, and make it possible for more parts of the API to be used by other users.
But when and how that will be implemented, I can't say.

A great first step should be: https://pve.proxmox.com/wiki/Proxmox_VE_API
Basically authenticate and get a ticket.
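
The difference between the two authentication paths discussed in this thread, as an added example that is not part of the original posts and is not Proxmox's own code. It assumes the token header and ticket formats from the Proxmox VE API wiki linked above; the function names are hypothetical and the sample values are constructed.

```python
import json
import urllib.parse
import urllib.request

ROOT = "root@pam"

# Constructed sample values (not real credentials).
SAMPLE_TOKEN_HEADER = "PVEAPIToken=root@pam!terraform=00000000-0000-0000-0000-000000000000"
SAMPLE_LOGIN_RESPONSE = json.dumps({"data": {
    "username": "root@pam",
    "ticket": "PVE:root@pam:CONSTRUCTED::c2lnbmF0dXJl",
    "CSRFPreventionToken": "CONSTRUCTED:Y3NyZg",
}})

def authuser_from_token_header(value):
    """Return the ID a PVEAPIToken Authorization value authenticates as."""
    scheme, _, rest = value.partition("=")
    if scheme != "PVEAPIToken" or "=" not in rest:
        raise ValueError("not a PVEAPIToken header")
    return rest.rsplit("=", 1)[0]  # drop the secret, keep user@realm!tokenid

def passes_exact_root_check(authuser):
    """Model of the check described in the thread: exact string match only."""
    return authuser == ROOT

def ticket_login_request(base_url, username, password):
    """Build the POST that exchanges username and password for a ticket."""
    body = urllib.parse.urlencode({"username": username, "password": password})
    return urllib.request.Request(base_url + "/api2/json/access/ticket",
                                  data=body.encode(), method="POST")

def ticket_headers(login_response_json, method):
    """Turn the /access/ticket response into headers for later requests."""
    data = json.loads(login_response_json)["data"]
    headers = {"Cookie": "PVEAuthCookie=" + data["ticket"]}
    if method.upper() not in ("GET", "HEAD"):
        # Write requests (POST/PUT/DELETE) must also carry the CSRF token.
        headers["CSRFPreventionToken"] = data["CSRFPreventionToken"]
    return headers

if __name__ == "__main__":
    token_user = authuser_from_token_header(SAMPLE_TOKEN_HEADER)
    print(token_user, "passes root check:", passes_exact_root_check(token_user))
    print("ticket user passes root check:", passes_exact_root_check("root@pam"))
    print(ticket_headers(SAMPLE_LOGIN_RESPONSE, "POST"))
```

A ticket obtained this way carries the full privileges of `root@pam`, so the password it is derived from needs the same protection as any other superuser credential in the client's configuration.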
 
