Proxmox API Authentication to create VM

[silenzer]

Hello everyone! I'm currently developing a web application using Python requests to create VMs on Proxmox. In the POST request, I include the necessary parameters such as vmid and node, along with some optional parameters. However, I'm encountering a 401 status code when running the code, indicating an authentication issue.

To address this problem, I've attempted to include the username and password in the request data, and the CSRF token and ticket in the request headers. Despite my efforts, I haven't been successful in resolving the issue. I'm wondering if anyone has specific knowledge about the authentication parameters required for this task. Any assistance would be greatly appreciated. Thank you for your support!

 

[Chris]

Hi,
authentication via tickets is ephemeral, they are valid only a short period of time. Use api tokens for your use case, see https://pve.proxmox.com/pve-docs/chapter-pveum.html#pveum_tokens

 

[silenzer]

How can I generate a API Token? I only got a ticket and the CSRF Token.

I make a POST Request to https://xyz.com:8006/api2/json/nodes/test/qemu with the Parameter data (Configs for VM), cookies (Ticket) and headers (CSRF)

 

[Chris]

You can create an API Token via the WebUI by navigating to Datacenter > Permissions > API Tokens > Add. Make sure to setup the user the token will be associated with beforehand (if you don't want to use root@pam).

 

[silenzer]

Thank you I created one. How must the POST Request look like? I followed this POST Request:
https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/qemu
And Created this:

How do I need to add the API Token?

 

[Chris]

you will have to add an Authorization header with the format PVEAPIToken=USER@REALM!TOKENID=UUID instead of the PVEAuthCookie and CSRFPreventionToken. Also your Content-Type should be application/json.

 

[silenzer]

Ah okay thank you. So it should look something like this?

(The PVEAPIToken is fake)

 

[Chris]

Ah okay thank you. So it should look something like this?
View attachment 51833
(The PVEAPIToken is fake)

No, the header key is Authorization, the value is PVEAPIToken=USER@REALM!TOKENID=UUID, so like this

'Authorization': 'PVEAPIToken=USER@REALM!TOKENID=UUID'

 

[silenzer]

I am really sorry to bother you but did you mean it like this:

(Is this the correct format for Authorization)

 

[Chris]

I am really sorry to bother you but did you mean it like this:
View attachment 51834
(Is this the correct format for Authorization)

No, as shown in the example above, your value must include the PVEAPIToken= prefix.

A minimal curl example for listing all nodes might look something like this:

curl -k -H 'Content-Type: application/json' -H 'Authorization: PVEAPIToken=root@pam!testtoken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx' https://localhost:8006/api2/json/nodes

 

[silenzer]

I am really thankful for your help.

I changed it as I understood it, although it still doesn't work.

 

[Chris]

Make sure the token id and token value are correct. What response do you get? Does the user/token has the required ACL permissions to perform the desired API requests?

Edit: Also, try with a basic curl example, only when you are sure the token works and can perform the actions implement it in the programming language of your choice.

 

[silenzer]

I have only received one API Token, which follows this format: api@pve!FZ917gBxpdpdji. I'm wondering if there should be a different format for the token or if there is another token like a secret token. Unfortunately, I'm still encountering the 401 Error Code.

I attempted to use the curl command, but it doesn't seem to be working. This suggests that the token might be something else, but I'm uncertain about what it should be. When I execute the curl command for the domain, I receive the source code for the website. However, when I include the path components like /api2/json/nodes, I encounter the following error:

curl: (3) URL using bad/illegal format or missing URL

 

[Chris]

The token header must definitely look something like this, otherwise you copied the wrong secret value

Authorization: PVEAPIToken=testuser@pve!testtoken=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxx

 

[silenzer]

I found it thank you very much.

Now the 401 Error is replaced by the 501 error. Do you know what the cause could be?

 

[Chris]

501 might indicate that you use the wrong method type for your request, e.g. POST instead of GET...

 

[silenzer]

The POST Request method should be right as shown in the image in our history.

 

[silenzer]

I tried with curl and GET Requet and it worked with 200 but when I try the POST Request I get the 501 error Code.
I found this question:
https://github.com/swayf/proxmoxer/issues/23 where the problem was with the path/url from the request but in my case its exactly like the Proxmox API Documentation:
https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/qemu.

response_post = requests.post("https://test.com:8006/api2/json/nodes/test/qemu", data=data_creation, headers=vm_create_headers, verify=False)

 

[Chris]

I tried with curl and GET Requet and it worked with 200 but when I try the POST Request I get the 501 error Code.
I found this question:
https://github.com/swayf/proxmoxer/issues/23 where the problem was with the path/url from the request but in my case its exactly like the Proxmox API Documentation:
https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/qemu.

response_post = requests.post("https://test.com:8006/api2/json/nodes/test/qemu", data=data_creation, headers=vm_create_headers, verify=False)

Did you test the POST call also via curl or via your code? Maybe your parameters are not okay? Although I would not expect a 501 error code in that case. Also, make sure your payload is valid JSON

 

[silenzer]

Did you test the POST call also via curl or via your code? Maybe your parameters are not okay? Although I would not expect a 501 error code in that case. Also, make sure your payload is valid JSON

I tried with curl and via code.

The parameters for the request are data=payload and headers=header and verify=False in the payload I only chose parameters from the documentation.



When I do a GET instead of a POST Request I get an empty json fot his path:

api2/json/nodes/xyz/qemu

but if I add the vmid I get data:

api2/json/nodes/xyz/qemu/103/status/current