Hello,
I have recently set up PBS and am quite excited by it.
Now I would like to create a script on my PVE that checks that each of my backup-enrolled VMs has at least one recent verified backup on my PBS. It looks like I can do that by querying the PVE API at this location:
/nodes/<NODE>/storage/<PBS-STORAGE>/content
Based on running pvesh as root, it should inform me of data like:
JSON:
[
  {
    "content" : "backup",
    "ctime" : 1773871060,
    "encrypted" : "...",
    "format" : "pbs-vm",
    "notes" : "...",
    "size" : 42949674144,
    "subtype" : "qemu",
    "verification" : {
      "state" : "ok",
      "upid" : "..."
    },
    "vmid" : 1002,
    "volid" : "<PBS-STORAGE>:backup/vm/1002/2026-03-18T21:57:40Z"
  },
  ...
]
I think my API token+user doesn't have enough permission though, since when running via API as a less privileged token it returns this:
JSON:
{
  "data": []
}
I have granted the user+API token audit permission (PVEAuditor) over the nodes and backup storage, but it seems that is not enough. (I also tried various other configurations that did not work.) Here are my current permissions:
JSON:
[
  {
    "path" : "/nodes",
    "propagate" : 1,
    "roleid" : "PVEAuditor",
    "type" : "user",
    "ugid" : "backup-status-checker@pve"
  },
  {
    "path" : "/nodes",
    "propagate" : 1,
    "roleid" : "PVEAuditor",
    "type" : "token",
    "ugid" : "backup-status-checker@pve!backup-status-checker"
  },
  {
    "path" : "/storage/<PBS-STORAGE>",
    "propagate" : 1,
    "roleid" : "PVEAuditor",
    "type" : "user",
    "ugid" : "backup-status-checker@pve"
  },
  {
    "path" : "/storage/<PBS-STORAGE>",
    "propagate" : 1,
    "roleid" : "PVEAuditor",
    "type" : "token",
    "ugid" : "backup-status-checker@pve!backup-status-checker"
  }
]
What are the minimum needed permissions to get this API to return data? The API call documentation states "You need read access for the volume" (which seems perhaps a bit much for just querying metadata like upload time & verified state), but even for full volume read permission, it's not clear to me how to grant this. (I did try various permissions over /storage/<PBS-STORAGE> and /vms and even / but nothing I tried resolved it.)
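
An added example, not part of the original post: a sketch of the check described above, run over a content listing in the shape shown. The enrolled VM list, the two-day freshness window and the sample entries are constructed assumptions; an empty listing such as the `"data": []` response is reported as a gap for every enrolled VM instead of passing silently.

```python
import time

MAX_AGE = 2 * 24 * 3600  # assumed freshness window (two days), not from the post

def backup_gaps(entries, enrolled_vmids, now=None, max_age=MAX_AGE):
    """Map each enrolled VMID lacking a recent verified backup to a reason."""
    now = time.time() if now is None else now
    seen, newest_ok = set(), {}
    for e in entries:
        if e.get("content") != "backup" or "vmid" not in e:
            continue
        vmid = int(e["vmid"])
        seen.add(vmid)
        # Assumption of this sketch: unverified snapshots carry no "verification" object.
        if (e.get("verification") or {}).get("state") == "ok":
            newest_ok[vmid] = max(newest_ok.get(vmid, 0), int(e["ctime"]))
    gaps = {}
    for vmid in enrolled_vmids:
        if vmid not in seen:
            # Fail closed: an empty or filtered listing must not read as healthy.
            gaps[vmid] = "no backups visible"
        elif vmid not in newest_ok:
            gaps[vmid] = "no verified backup"
        elif now - newest_ok[vmid] > max_age:
            gaps[vmid] = "verified backup too old"
    return gaps

# Constructed sample in the shape of the listing above (values are made up).
NOW = 1773871060 + 3600
SAMPLE = [
    {"content": "backup", "vmid": 1002, "ctime": 1773871060,
     "verification": {"state": "ok", "upid": "..."}},
    {"content": "backup", "vmid": 1003, "ctime": 1773871060},  # never verified
    {"content": "backup", "vmid": 1005, "ctime": 1773871060 - 10 * 86400,
     "verification": {"state": "ok", "upid": "..."}},
]
ENROLLED = [1002, 1003, 1004, 1005]  # hypothetical list of VMs expected to have backups

if __name__ == "__main__":
    for vmid, reason in backup_gaps(SAMPLE, ENROLLED, now=NOW).items():
        print(f"VM {vmid}: {reason}")
    # The low-privilege response {"data": []} yields a gap for every enrolled VM.
    print(backup_gaps({"data": []}["data"], ENROLLED, now=NOW))
```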