Cloud Director API Token – VMware Cloud Provider Blog
VMware Cloud Director 10.3.1 introduced API tokens. This allows a user to generate API tokens for programmatic access to VCD. It works for both provider and tenant users. An automation script or 3rd-party solution can then use the API token to make API requests to Cloud Director on behalf of the user.
These steps are used to create API tokens:
- The provider propagates the right to use and manage API tokens to the tenant
- The Cloud Director user (provider as well as tenant user) creates an API token
- An API client (e.g. an automation script) uses the API token to make requests
- (If needed) The user revokes the API token
Preparation
As for most new features, fine-grained access control via rights bundles is possible. To enable a tenant to use API tokens, the provider must publish a rights bundle to the tenant. Rights can be defined for a user to manage the user's own tokens, and to manage all Organization users' tokens (for example for an Organization Administrator).
Create the API Token
As a provider or tenant user with the proper rights, you can use the "User Preferences" menu to create the API token. Each token can be labeled with a name. Keep in mind that the actual token secret is only visible once in the creation wizard and cannot be retrieved afterwards.
Revoke the API Token
API tokens do not expire, but existing API tokens can be revoked. This also invalidates active API client sessions that used the token to authenticate. All users can revoke their own tokens. Administrators (those with the 'manage all user's API tokens' right) can revoke other users' tokens. Tenant administrators can do so within their own Organization, while system administrators can do so for any user.
Use the API Token
Semantically the API token usage follows the OAuth 2.0 specification (RFC 6749, section 6).
The API token can then be used by a 3rd-party solution or custom API client to access the VCD API as the user, without the need to authenticate with username and password credentials.
API Client Example
Request the bearer token for subsequent calls using the API token:
POST https://host_name/oauth/provider/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Body:
grant_type=refresh_token&refresh_token=Generated_API_Token
Security note: It is recommended to send the API Token as part of the request body (and not as part of the URL, even if that technically works for x-www-form-urlencoded type requests), to avoid it being logged in transit.
Response containing the Bearer token:
HTTP/1.1 200 OK
Content-Type: application/json
Body:
{
"access_token":"Generated_Access_Token",
"token_type":"Bearer",
“expires_in”:86400,
“refresh_token”:null
}
Subsequent API calls can now use the returned Bearer token in the "access_token" field as usual. There is no need for any changes in the client code.
Subsequent call using the Bearer token:
GET https://host_name/api/org
Accept: application/*+xml;version=36.1
Authorization: Bearer Generated_Access_Token
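The exchange above as a small Python client, keeping the API token in the request body as the security note recommends. This is an added example, not code from the original post; the host vcd.example.com and the function names are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed sample: the response body shown in the article.
SAMPLE_RESPONSE = ('{"access_token":"Generated_Access_Token","token_type":"Bearer",'
                   '"expires_in":86400,"refresh_token":null}')


def build_token_request(host, api_token):
    """Build the refresh_token grant; the API token travels in the body only."""
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": api_token}
    ).encode("ascii")
    return urllib.request.Request(
        f"https://{host}/oauth/provider/token",  # no query string, so no secret in URL logs
        data=body,
        method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw, now=None):
    """Return (headers for later API calls, absolute expiry time in epoch seconds)."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    headers = {"Accept": "application/*+xml;version=36.1",
               "Authorization": "Bearer " + doc["access_token"]}
    return headers, now + int(doc["expires_in"])


def list_orgs(host, api_token):
    """Exchange the API token, then call GET /api/org with the bearer token."""
    with urllib.request.urlopen(build_token_request(host, api_token), timeout=10) as resp:
        headers, _expires_at = parse_token_response(resp.read())
    req = urllib.request.Request(f"https://{host}/api/org", headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    req = build_token_request("vcd.example.com", "Generated_API_Token")  # hypothetical host
    print(req.get_method(), req.full_url)  # safe to log: the secret is not in the URL
    print(parse_token_response(SAMPLE_RESPONSE, now=0))
```

Load the API token from a secret store or environment variable rather than the script itself, since it does not expire until revoked.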
Notes
The session expiration can be configured in the provider portal under General > Timeouts.
The VCD Provider for Terraform, for example, supports API Token authentication as of version 3.5:
provider "vcd" {
  user = "none"
  password = "none"
  auth_type = "api_token"
  api_token = "Generated_API_Token"
  sysorg = "System"
…
For security reasons, certain tasks are not possible when authenticated through an API token:
- Change the user password
- Perform user management tasks
- Create more tokens
- View or revoke other tokens
When accessing VMware Cloud Director by using an API access token, applications have only view rights for the following resources:
- User
- Group
- Roles
- Global roles
- Rights bundles
The API Token feature in VMware Cloud Director offers a secure way for automation solutions to access its API, even in environments that enforce Multi-factor Authentication for user logins.
Reference links:
VCD Tenant Portal Documentation: https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Tenant-Portal-Guide/GUID-A1B3B2FA-7B2C-4EE1-9D1B-188BE703EEDE.html
VCD Provider Portal Documentation: https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-A1B3B2FA-7B2C-4EE1-9D1B-188BE703EEDE.html
OAuth 2.0 Specification (RFC 6749): https://datatracker.ietf.org/doc/html/rfc6749#section-6
VCD Provider for Terraform 3.5.1 Documentation: https://registry.terraform.io/providers/vmware/vcd/latest/docs