ACME API endpoint: 403 Permission check failed (user != root@pam) - despite user being root@pam

c10l

New Member
Jun 20, 2022
8
2
3
The title says pretty much it all. :)

I'm writing an API client and a Terraform provider for Proxmox VE. So far the `version` and `storage` endpoints are working (albeit not necessarily complete :D ). I'm now trying to create an ACME account but I get a `403 Permission check failed (user != root@pam)` error.

The API token I'm using does belong to `root@pam` though. I tried setting privilege separation on and off but it had no effect.
 
The permission checks for root@pam check for root@pam exactly.
An API token has the user root@pam!<token-id> so it doesn't match.

So API tokens don't work for parts of the API that require root@pam.
 
So how do I use that API endpoint? Or if it's unusable, why does it even exist?
 
Use the user root@pam directly instead of an API Token for that user.
 
Ok, thanks. I'll see if I can find the docs on how to do that.

Are there plans to make this role-based and allow these permissions to be given to other users, or at least to a root API token that can do only that? It's not great that I need to give my API clients full superuser powers just to create an ACME account. It breaks the principle of least privilege spectacularly. :)
 
There are plans to limit requirements for root@pam, and make it possible for more parts of the API to be used by other users.
But when and how that will be implemented, I can't say.

A great first step should be: https://pve.proxmox.com/wiki/Proxmox_VE_API
Basically authenticate and get a ticket.
 
Hi @mira !

I have succeeded in implementing the ticket-based workflow for the ACME endpoints. However, if the `root` user has MFA enabled, I can't get a ticket.

Is there a way to make this work?
Otherwise I'll have to disable MFA for the root user, further reducing my security posture.

Thanks!
 
  • Like
Reactions: c10l
we could also re-evaluate whether that endpoint even needs root@pam, given that neither configuring the plugins nor ordering/renewing/deleting an ACME cert requires it (those all "just" require "Sys.Modify" on "/")
 
  • Like
Reactions: c10l
Thanks @mira , I'll have a look.

@fabian that would be ideal, since at this point I'm probably looking at implementing a TOTP client on my Terraform provider, and requiring the TOTP seed as an argument, which is less than ideal. Either that, or requiring MFA to be disabled which is also not great.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!