How do I connect PBS to PVE with api token

Big4SMK

According to the documentation here at the bottom, it is best to use API Tokens to connect PBS to PVE as storage. I can't get that to work though.
The steps I tried in order are:
  1. Add user myvmhost@pbs, enabled and never expiring using <somepass>
  2. Add apitoken for myvmhost@pbs with name myvmhost, the secret is <somesecret>
  3. On my datastore 'data', I have added API Token permission for API Token 'myvmhost@pbs!myvmhost' with role Admin and propagate selected
  4. Trying to add the datastore yields the following error
    Code:
    root@MyVMHost:~# pvesm add pbs PBS --datastore /datastore/data --server 192.168.0.18 --fingerprint <somefingerprint> --username myvmhost@pbs\!myvmhost --password
    Enter Password:<somesecret>
    create storage failed: error during cfs-locked 'file-storage_cfg' operation: PBS: Cannot find datastore '/datastore/data', check permissions and existance!
I've tried with '/data' and 'data' as datastores too to no avail. To make sure the connection was working, I connected it as myvmhost@pbs and the user password instead of API token, and that is working fine.

I'm using the latest versions on both PVE and PBS from the no_subscription repo which is PVE 6.3-6 and PBS 1.0-9 today.

My two questions are:
  • How do I add PBS as storage using an API token
  • What is the minimum role if I want to be able to read/write backups
  • Can I disable the user under configuration -> access control -> user management while still using its API token. My goal with this is to prohibit login using password and use API keys only for PVE.
 
My two questions are:
  • How do I add PBS as storage using an API token
use the full token ID as user (USER@REALM!TOKEN) and the token secret as displayed when generating the token as password. if that does not work, please post the exact error message. you can also try accessing the datastore with proxmox-backup-client directly by providing the token secret as PBS_PASSWORD environment variable.
  • What is the minimum role if I want to be able to read/write backups
DatastoreBackup if you just want to read existing owned backups, and create new backups. DatastorePowerUser if you also want to delete backups from PVE (as opposed to creating a prune schedule on the PBS side)
  • Can I disable the user under configuration -> access control -> user management while still using its API token. My goal with this is to prohibit login using password and use API keys only for PVE.
no, if you disable a user all its tokens are also no longer usable.
 
Hi Fabian,

tldr; I was holding it wrong because of wrong expectations

I don't think I understand what you'd like to see/change in what I said. My code shows --username myvmhost@pbs\!myvmhost where the ! is escaped because of bash. That is how I interpret your USER@REALM!TOKEN. Is that correct?

Apart from the create storage failed: error during cfs-locked 'file-storage_cfg' operation: PBS: Cannot find datastore '/datastore/data', check permissions and existance! in my output, there was no other error being displayed. What other output are you expecting?

I've tried using proxmox-backup-client list, and found something that is unexpected for me.

With the APIToken permission admin for myvmhost@pbs!myvmhost on the datastore data:
Code:
root@MyVMHost:~# export PBS_PASSWORD="<tokensecret>"
root@MyVMHost:~# export PBS_FINGERPRINT="<fingerprint>"
root@MyVMHost:~# proxmox-backup-client list --repository myvmhost@pbs\!myvmhost@192.168.0.18:data
Error: permission check failed

After adding User permission admin for myvmhost@pbs on the datastore data:

Code:
root@MyVMHost:~# proxmox-backup-client list --repository 'myvmhost@pbs!myvmhost@192.168.0.18:data'
┌─────────────────────┬──────────────────────────────────────────┬──────────────┬────────────────────────────────────────────────────────┐
│ group               │ last snapshot                            │ backup-count │ files                                                  │
╞═════════════════════╪══════════════════════════════════════════╪══════════════╪════════════════════════════════════════════════════════╡
│ ct/100              │ ct/100/2021-03-21T23:15:02Z              │            7 │ catalog.pcat1 client.log index.json pct.conf root.pxar │
├─────────────────────┼──────────────────────────────────────────┼──────────────┼────────────────────────────────────────────────────────┤
│ ct/104              │ ct/104/2021-03-21T23:18:54Z              │            7 │ catalog.pcat1 client.log index.json pct.conf root.pxar │
├─────────────────────┼──────────────────────────────────────────┼──────────────┼────────────────────────────────────────────────────────┤

I was expecting I needed to add the API token under permissions to make it work, NOT the user itself. When I add just the user and not the API Token, I get the same Error: permission check failed, so it seems I need to give BOTH the user AND the apitoken access.

When trying to add the datastore in PVE, I now found that using /datastore/data didn't work, but instead I had to use just the name data like so:
Code:
pvesm add pbs PBS --datastore data --server 192.168.0.18 --fingerprint <somefingerprint> --username myvmhost@pbs\!myvmhost --password

As this was all with "Admin" privileges, I continued my testing of the roles, and my conclusion is that I'd effectively need DatastoreAdmin privileges to be able to:
  • make backups
  • read all backups, even the existing ones made by other users
The same goes for the apitoken I use on a remote PBS to pull from the datastore. As backups are owned by root@pam, I need DatastoreAdmin to see them. DatastorePowerUser won't be able to see backups owned by others.

As I have the PBS API opened up to the internet so the remote PBS can pull from my local PBS, I'm a bit disappointed that in order for the remote PBS to be able to connect using an API key, I have to have a user with a simple password for UI login open to the world too. This is the reason for hoping I could disable the user, but still have the API key work.
I have now resorted to using TOTP on ALL users, even though I'll never log in with the users that I created API tokens for.

Anyway, thank you for your reply, it got me on the right path even though I didn't fully understand what you wanted me to show. Let me know if there is any more detail I can supply to make things more clear.
 
yes, tokens can never do more than their owning users:
https://pbs.proxmox.com/docs/user-management.html#api-token-permissions

and if you want to access backups owned by another user/token, then you need more than just DatastoreBackup. for syncing purposes, the remote access can also just have DatastoreReader (which allows reading everything on a datastore including backup data, but not changing it)
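
The rule stated in the reply above (a token can never do more than its owning user) accounts for every result in this thread. The following is an added example, not Proxmox code and not part of any post: a simplified Python model of the ACL evaluation that replays the token-only, user-only and both-ACL cases, plus a narrower sync-token setup. The role contents and the propagation rule are assumptions of the model; an empty result corresponds to the `Error: permission check failed` seen earlier.

```python
# Added example: simplified model of PBS ACL evaluation, not Proxmox code.
# Assumption: role contents below cover datastore privileges only; check them
# against the PBS documentation for your version.
ROLES = {
    "DatastoreReader": {"Datastore.Audit", "Datastore.Read"},
    "DatastoreBackup": {"Datastore.Backup"},
    "DatastorePowerUser": {"Datastore.Backup", "Datastore.Prune"},
    "DatastoreAdmin": {"Datastore.Audit", "Datastore.Modify", "Datastore.Read",
                       "Datastore.Verify", "Datastore.Backup", "Datastore.Prune"},
}
ROLES["Admin"] = set(ROLES["DatastoreAdmin"])  # datastore part of Admin only

def acl_privs(acl, auth_id, path):
    """Privileges auth_id gets on path from ACL entries naming it directly.

    acl is a list of (path, auth_id, role, propagate). The most specific path
    with a usable entry wins; an entry on a parent path is usable only if it
    was created with propagate=True (assumed inheritance rule).
    """
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        node = "/" + "/".join(parts[:depth])
        inherited = depth < len(parts)
        roles = [r for p, a, r, prop in acl
                 if p == node and a == auth_id and (prop or not inherited)]
        if roles:
            return set().union(*(ROLES[r] for r in roles))
    return set()

def effective_privs(acl, auth_id, path):
    """A token's own ACL result is intersected with its owning user's."""
    privs = acl_privs(acl, auth_id, path)
    if "!" in auth_id:  # USER@REALM!TOKEN is owned by USER@REALM
        privs &= acl_privs(acl, auth_id.split("!", 1)[0], path)
    return privs

# Constructed ACL sets replaying the thread (names taken from the posts).
DS, USER, TOKEN = "/datastore/data", "myvmhost@pbs", "myvmhost@pbs!myvmhost"
TOKEN_ONLY = [(DS, TOKEN, "Admin", True)]   # step 3 of the first post
USER_ONLY = [(DS, USER, "Admin", True)]
BOTH = TOKEN_ONLY + USER_ONLY               # the combination that worked
# Narrower variant: broad user ACL, token limited to the sync role.
SYNC = [("/datastore", USER, "DatastoreAdmin", True), (DS, TOKEN, "DatastoreReader", True)]

if __name__ == "__main__":
    for name, acl in [("token only", TOKEN_ONLY), ("user only", USER_ONLY),
                      ("both", BOTH), ("sync token", SYNC)]:
        print(f"{name:11} -> {sorted(effective_privs(acl, TOKEN, DS))}")
```
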
 