API token permissions problem

[iggy]

Hi,
I'd like to monitor Proxmox VE (8.1.4) through zabbix monitoring, so I created user and associated API token. I gave permissions to API token:
/, /nodes, /nodes/node-1 and /vms as "PVEAuditor".
I still get 403 errors when getting parameters through API, like this:
"GET /api2/json/nodes/node-1/services HTTP/1.1" 403 13
"GET /api2/json/nodes/node-1/disks/list HTTP/1.1" 403 13
"GET /api2/json/nodes/node-1/status HTTP/1.1" 403 13
"GET /api2/json/nodes/node-1/disks/zfs HTTP/1.1" 403 13

For some reason I get 200 OK for this:
"GET /api2/json/nodes/node-1/storage HTTP/1.1" 200

Which permissions I must to add ?

 

[VictorSTS]

Are you using privilege separation?
Which permissions does the user have?
Remember that an API token can't have more privileges than it's associated user (check "inheritance" here [1]).

[1] https://pve.proxmox.com/wiki/User_Management#pveum_permission_management

 

[iggy]

I see "Privilege separation" checked in properties of Api token, though have no idea, what is it ?
Must I give user same permissions as for token ? (seems like no permissions at the moment)

 

[VictorSTS]

I see "Privilege separation" checked in properties of Api token, though have no idea, what is it ?

Check the docs [1]

Must I give user same permissions as for token ? (seems like no permissions at the moment)

Exactly: an API token may have the same permissions as the user or less, but never more. If your user currently has no permissions, the effective permissions for the API key are none.

If it is still unclear, I suggest that you try to make it work with a user and then try with an API token.

[1] https://pve.proxmox.com/wiki/User_Management#pveum_tokens