PDM — enrolling an existing PVE cluster: API token vs root@pam, what's the right approach?

bridman19
Jun 18, 2026
Hello,

I just deployed Proxmox Datacenter Manager (latest alpha/beta — running it as a
VM on a dedicated node) and I'm enrolling my existing PVE 8.x clusters into it.

In the "Add Remote" workflow PDM asks for credentials to connect to the cluster.
I see I can either:

- Use root@pam with a password,
- Or pre-create an API token with specific privileges and paste it.

Documentation is still a bit thin on the recommended approach. What are people
doing in real deployments? I'd prefer not to scatter root@pam credentials around,
but I want to make sure the token has enough privileges for PDM to actually do
its job (incl. cross-cluster migration down the road).
 
Hi @bridman19

thanks for posting in the forum!

You are completely right, the docs on this are a bit thin.

As the form for adding a new node tries to imply, the method "Login and create Token" just uses the credentials for logging into the remote server and creating an API token.
The credentials are not saved after that.
"Use existing Token" of course stores the provided credentials.

Be aware, the automatically created token inherits the permissions of the user used for logging in.

Yours sincerely
Jonas
 
Did a bit of testing on a lab cluster before doing this on prod. Sharing the
recipe I landed on.

TL;DR: use an API token with a dedicated user, not root@pam. Even if PDM is
"trusted infra", spreading root credentials is a habit you don't want.

Steps on each PVE cluster I want to enroll:

1) Create a dedicated PVE user:

pveum user add pdm@pve --comment "Proxmox Datacenter Manager"

2) Assign Administrator role at "/" path (PDM needs broad read + the ability to
trigger migration, backup, etc.). If you want to be tighter, you can scope
per-pool, but you'll lose functionality.

pveum acl modify / --users pdm@pve --roles Administrator

3) Create an API token for that user, WITHOUT privilege separation (otherwise
the token gets no perms by default and you have to ACL it separately):

pveum user token add pdm@pve pdm-token --privsep 0

Copy the token value — you only see it once.

4) In PDM "Add Remote", paste:
- Hostname / IP of any cluster node
- User: pdm@pve
- Token ID: pdm-token
- Token value: <the secret>

5) Accept the fingerprint, save.

Notes from doing this on a couple of clusters:

- If you have an external CA on your PVE nodes, PDM picks up the chain fine. If
you're on self-signed pve-ssl, the fingerprint pinning is what guarantees you.
- Don't forget to also add the token to your password manager / vault. Rotating
later is a one-liner ("pveum user token remove" + recreate), but only if you
know which one you're rotating.
- root@pam works too, and it's tempting for a quick test. Just remember to
remove it afterwards.

Hope this saves someone the 20 minutes of poking I did.
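Added example (not part of the post above, and not Proxmox code): a small Python client that verifies a token the way the recipe expects PDM to use it, pinning the node's certificate by SHA-256 fingerprint (the self-signed pve-ssl case from the notes) and then asking the PVE API which privileges the token actually holds on "/". The REQUIRED_PRIVS set is an assumption for illustration, the post itself grants the full Administrator role; the sample permissions object is constructed.

```python
import hashlib
import http.client
import json
import ssl

# Privileges the token must carry on "/" for PDM to do its job. This set is
# an assumption for illustration; the post above grants the full Administrator role.
REQUIRED_PRIVS = {"Sys.Audit", "VM.Audit", "VM.Migrate", "VM.Backup", "Datastore.Audit"}

# Constructed sample of the "data" object GET /access/permissions returns for
# a token that has only been granted auditing rights on "/".
SAMPLE_PERMISSIONS = {"/": {"Sys.Audit": 1, "VM.Audit": 1, "Datastore.Audit": 1}}

def token_header(user, token_id, secret):
    """Authorization header PVE expects for API-token authentication."""
    return {"Authorization": f"PVEAPIToken={user}!{token_id}={secret}"}

def missing_privs(permissions, path="/"):
    """Required privileges the token lacks at `path`.
    `permissions` maps path -> {privilege: 1}. A token created with
    --privsep 1 and no ACL of its own shows up as an empty map here."""
    granted = {p for p, v in permissions.get(path, {}).items() if v == 1}
    return REQUIRED_PRIVS - granted

def fingerprint_sha256(der_cert):
    """Colon-separated uppercase SHA-256 fingerprint, as PVE and PDM show it."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def check_remote(host, user, token_id, secret, expected_fp):
    """Connect to a PVE node on 8006 with the certificate pinned by fingerprint
    (the self-signed pve-ssl case) and return the privileges the token lacks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin check below
    conn = http.client.HTTPSConnection(host, 8006, context=ctx, timeout=10)
    conn.connect()
    seen_fp = fingerprint_sha256(conn.sock.getpeercert(binary_form=True))
    if seen_fp != expected_fp.upper():
        conn.close()
        raise RuntimeError(f"fingerprint mismatch, got {seen_fp}")
    conn.request("GET", "/api2/json/access/permissions",
                 headers=token_header(user, token_id, secret))
    body = json.loads(conn.getresponse().read())
    conn.close()
    return missing_privs(body["data"])
```

Run `check_remote("<node>", "pdm@pve", "pdm-token", "<secret>", "<fingerprint from the PVE UI>")` before enrolling; an empty set means the token carries everything on the list, a non-empty set tells you which ACL is still missing.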
 