API token permission to create VMs

dsexton18

Jul 3, 2023
I am trying to set up the proper API token permission for a user to create VMs. I added the below with role PVEAdmin, but I still get the error below.
/nodes
/pool
/storage
/vms
/storage/local
/storage/vm_data

Error creating VM: error creating VM: 403 Permission check failed, error status: {"data":null} (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:Packer ephemeral build VM hotplug: ide2:vm_data:iso/Rocky-8.8-x86_64-dvd1.iso,media=cdrom kvm:true machine: memory:2048 name:packer-64aaad07-97eb-0b06-9f7c-87c4775085f4 net0:virtio=DE:DB:5C:B7:B6:A4,bridge=vmbr0,firewall=false onboot:false ostype:l26 scsi0:local-lvm:100,format=raw,iothread=false scsihw:virtio-scsi-single sockets:1 startup: tags: vmid:102])
Build 'proxmox.autogenerated_1' errored after 45 milliseconds 36 microseconds: Error creating VM: error creating VM: 403 Permission check failed, error status: {"data":null} (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:Packer ephemeral build VM hotplug: ide2:vm_data:iso/Rocky-8.8-x86_64-dvd1.iso,media=cdrom kvm:true machine: memory:2048 name:packer-64aaad07-97eb-0b06-9f7c-87c4775085f4 net0:virtio=DE:DB:5C:B7:B6:A4,bridge=vmbr0,firewall=false onboot:false ostype:l26 scsi0:local-lvm:100,format=raw,iothread=false scsihw:virtio-scsi-single sockets:1 startup: tags: vmid:102])
 
Hello, how exactly are you using the API? Did you log in with your API token?
 
Hello, how exactly are you using the API? Did you log in with your API token?
I am using Packer to make a template. I was trying to set up Packer to use the API token. I can create a template using user name and password. No luck using the API token.
 
Note that when using a token to log in you have to use USER@HOST!TOKEN instead of USER@HOST, where TOKEN is the token name, see [1].

Additionally, the permissions that are granted to a token can only be a subset of the permissions the user already has. Did you check that your user also has at least the PVEAdmin role?

[1] https://pve.proxmox.com/wiki/Proxmox_VE_API#API_Tokens
 
I was also running into the 403 when creating a VM through the API on Proxmox 8.

Creating a VM works fine:
getattr(api_node, 'qemu').create(**{'name': 'new-name', 'vmid': 286, 'sockets': 1, 'numa': 0, 'ostype': 'l26', 'boot': 'cd', 'cores': 6, 'memory': 16384, 'scsihw': 'virtio-scsi-pci'})

But not if we add a network interface:
getattr(api_node, 'qemu').create(**{'name': 'new-name', 'vmid': 286, 'sockets': 1, 'numa': 0, 'ostype': 'l26', 'boot': 'cd', 'cores': 6, 'memory': 16384, 'scsihw': 'virtio-scsi-pci', 'net0': 'virtio=11:22:33:44:55:66,bridge=vmbr2,firewall=1'})
*** proxmoxer.core.ResourceException: 403 Forbidden: b'{"data":null}'

This used to work fine with Proxmox 6 & 7.

Apparently we need more powers than just PVEVMAdmin for that on Proxmox 8: when giving PVEAdmin powers, creating works fine.

See the Access Control bits in https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_8.0 -- look for SDN.Use. Giving my user the additional PVESDNAdmin role is (more than) sufficient to make things work again.

Cheers,
Walter Doekes
OSSO B.V.
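
Added example, not part of the thread and not Proxmox or proxmoxer code: a simplified Python model of the two rules raised in the replies above, namely that a token's privileges are capped by its owner's, and that on Proxmox 8 a NIC on a bridge additionally needs SDN.Use. The ACL maps, the helper names and the `/sdn/zones/localnetwork/<bridge>` path layout are assumptions, and only the VM, disk-storage and bridge checks are modelled.

```python
import re

def privs_at(perms, path):
    """Privileges at `path`: the exact ACL entry if present, otherwise the
    propagating (flag 1) privileges of the nearest ancestor entry."""
    if path in perms:
        return set(perms[path])
    parts = path.split("/")
    while len(parts) > 1:
        parts.pop()
        parent = "/".join(parts) or "/"
        if parent in perms:
            return {p for p, propagate in perms[parent].items() if propagate}
    return set()

def token_privs(user_perms, token_perms, path):
    """A privilege-separated token gets its own ACL, capped by its owner's."""
    return privs_at(user_perms, path) & privs_at(token_perms, path)

def required(params, zone="localnetwork"):
    """(path, privilege) pairs for a qemu create call; models only the VM,
    disk-storage and bridge checks. The SDN path layout is an assumption."""
    need = [(f"/vms/{params['vmid']}", "VM.Allocate")]
    for key, val in params.items():
        val = str(val)
        if re.fullmatch(r"(scsi|virtio|sata|ide)\d+", key) and "media=cdrom" not in val:
            need.append((f"/storage/{val.split(':')[0]}", "Datastore.AllocateSpace"))
        elif re.fullmatch(r"net\d+", key):
            bridge = re.search(r"bridge=([^,]+)", val)
            if bridge:
                need.append((f"/sdn/zones/{zone}/{bridge.group(1)}", "SDN.Use"))
    return need

def missing(user_perms, token_perms, params):
    """Requirements the token does not satisfy."""
    return [(path, priv) for path, priv in required(params)
            if priv not in token_privs(user_perms, token_perms, path)]

# Constructed ACL maps (path -> {privilege: propagate}); not real output.
VM_PRIVS = {"VM.Allocate": 1, "VM.Config.Network": 1}
USER = {"/vms": VM_PRIVS, "/storage": {"Datastore.AllocateSpace": 1}}
TOKEN = {**USER, "/sdn/zones": {"SDN.Use": 1}}  # token granted more than owner
BASE = {"vmid": 286, "name": "new-name", "scsihw": "virtio-scsi-pci"}
WITH_NIC = {**BASE, "net0": "virtio=11:22:33:44:55:66,bridge=vmbr2,firewall=1"}

if __name__ == "__main__":
    print(missing(USER, TOKEN, BASE))      # nothing missing
    print(missing(USER, TOKEN, WITH_NIC))  # SDN.Use capped by the owner
    fixed = {**USER, "/sdn/zones": {"SDN.Use": 1}}
    print(missing(fixed, TOKEN, WITH_NIC))
```

Running the same comparison against the real permission listing of the user and of the token shows which side of the intersection lacks the privilege before a 403 is hit.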