[SOLVED] unable to access API using PVEAPIToken

udotirol

I am trying to use the terraform<->proxmox plugin and for that purpose, I have created a dedicated terraform provisioning user like this:

Code:
pveum role add TerraformProv -privs "VM.Allocate VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Monitor VM.Audit VM.PowerMgmt Datastore.AllocateSpace Datastore.Audit"
pveum user add terraform-prov@pve --password <password>
pveum aclmod / -user terraform-prov@pve -role TerraformProv

After that, I created an API token using the web UI and use that to interact with Proxmox.

Unfortunately this doesn't quite work, because Proxmox does something strange - at least so I believe: I am unable to list existing VMs using the token, Proxmox only returns an empty data array if I use the generated token:

$ curl --insecure -H 'Authorization: PVEAPIToken=terraform-prov@pve!foobar=some-uuid-fooo-baar' 'https://pve.example.com:8006/api2/json/cluster/resources?type=vm'
{"data":[]}

Checking the pve logs, I see this:

Code:
::ffff:172.21.9.12 - terraform-prov@pve!foobar [21/06/2022:17:56:34 +0200] "GET /api2/json/cluster/resources?type=vm HTTP/1.1" 200 11

When I log into the web UI using the terraform-prov@pve user, the same URL https://pve.example.com:8006/api2/json/cluster/resources?type=vm delivers all existing VMs as expected.

Any ideas what I am missing?
 
Alright, figured it out myself. The "problem" is that I ticked "privilege separation" when I created the token. After unchecking privilege separation, everything works now as expected!
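
Why the privilege-separated token got a 200 with an empty list, and what an ACL entry for the token itself changes, as an added example that is not part of the thread and not Proxmox code. It is a simplified model: the `AuditOnly` role and the guest IDs are constructed, and it assumes ACLs propagate downwards and that the VM listing is filtered per guest on `VM.Audit`.

```python
# Simplified model (added example, not Proxmox code) of API token permissions.
# Documented rule: with privilege separation, a token's effective privileges
# are the intersection of its own ACL privileges and its owning user's.
# Assumptions: ACLs propagate down from their path and simply add up, and the
# VM listing keeps only guests on which the caller holds VM.Audit.
ROLES = {
    # Subset of the TerraformProv role from the post.
    "TerraformProv": {"VM.Allocate", "VM.Clone", "VM.Monitor", "VM.Audit",
                      "VM.PowerMgmt", "Datastore.Audit"},
    "AuditOnly": {"VM.Audit"},  # hypothetical narrower role
}
USER = "terraform-prov@pve"
TOKEN = "terraform-prov@pve!foobar"
VMS = [100, 101, 102]  # constructed sample guest IDs

def privs_on(acl, subject, path):
    """Union of role privileges granted to subject on path or a parent path."""
    granted = set()
    for acl_path, acl_subject, role in acl:
        prefix = acl_path.rstrip("/") + "/"
        if acl_subject == subject and (path + "/").startswith(prefix):
            granted |= ROLES[role]
    return granted

def effective(acl, token, path, privsep):
    """Privileges an API token holds on path."""
    user_privs = privs_on(acl, token.split("!", 1)[0], path)
    if not privsep:
        return user_privs  # token inherits everything the user has
    return user_privs & privs_on(acl, token, path)

def list_vms(acl, token, privsep):
    """Guests GET /cluster/resources?type=vm would return under this model."""
    return [vm for vm in VMS
            if "VM.Audit" in effective(acl, token, f"/vms/{vm}", privsep)]

# ACL as created in the post: only the user has a role on "/".
ACL_POST = [("/", USER, "TerraformProv")]
# Plus an ACL entry for the token itself, e.g. created with
#   pveum acl modify / --tokens 'terraform-prov@pve!foobar' --roles TerraformProv
ACL_TOKEN = ACL_POST + [("/", TOKEN, "TerraformProv")]
# Token scoped to a single guest with the narrower role.
ACL_SCOPED = ACL_POST + [("/vms/101", TOKEN, "AuditOnly")]

if __name__ == "__main__":
    for acl in (ACL_POST, ACL_TOKEN, ACL_SCOPED):
        print(list_vms(acl, TOKEN, privsep=True))
```

With privilege separation left on, the token can be given the same role as the user or a narrower one; it can never end up with more than the user holds.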