4 Responses

  1. Using PowerShell and REST-API to create a VM in vCenter | IT Should Just Work

    […] step is well documented by Chris Wahl. I’ve borrowed some of his code here, and accompanied it with a section to get around the lack of […]

  2. fdo

    I found your posts while trying to make sense of the SDKs that VMware provides to take advantage of the REST interface. Things seemed to be a little confusing, especially since I’ve never really worked with VMware before, until I realized that (at least) the Python SDK appears to leverage both the REST interface AND the previous non-REST(?) interface.

    Once realizing that, and doing some testing with Postman and Python, I believe I have a better handle on using the REST API with VCSA 6.5… Except for one thing…

    With either method, I can successfully login against “/rest/com/vmware/cis/session”. I get the session-id and I can then perform other calls, such as against “/rest/vcenter/datacenter” (status code 200).

    However, I am receiving a 403 Forbidden error (not a 401 error!) when accessing any of the appliance URLs, such as “/rest/appliance/system/uptime” or “/rest/appliance/health/system”. I am getting the same 403 error regardless of whether using Postman or Python.

    I have tried this with credentials for users with read-only access, as well as full Administrator creds.

    I’m sure it’s something simple that I’m missing… I’m just not sure what it is.

    Any thoughts?

    Thanks!

    1. fdo

      I’m not sure this is the proper / best practices solution, but it does appear to be an answer…

      The user connecting to the REST API needs to be a member of the SystemConfiguration.Administrators group.

      As part of my exploration of the REST API, I was only wanting my script user to have read-only permissions. If this is the proper solution though, it seems they require more than just read-only permissions to access the information that one can obtain from the REST API. :-/

      1. fdo

        Further use suggests that it’s just going to be easier if the account used to login is part of the Administrators group. I found that one cannot list vcenter folders if only part of the “SystemConfiguration.Administrators” group.

        So even though, at this time, I’m not looking to make modifications to the configuration of the system, just read / list / view details, it appears one is forced to use an account with higher permissions than explicitly needed for many of the calls that simply list or return values.
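Added example, not part of the original post or comments: a small Python audit helper that logs in at the session endpoint, probes the endpoints named in the thread, and separates 401 (no valid session) from 403 (valid session, insufficient privilege), which is the check to run before widening a service account's group membership. The host name, account name and the `constructed_vcsa` responder are hypothetical; the helper assumes the session id is returned in the `value` field and sent back in the `vmware-api-session-id` header.

```python
import base64, json, urllib.error, urllib.request

LOGIN = "/rest/com/vmware/cis/session"
PROBES = ("/rest/vcenter/datacenter", "/rest/appliance/system/uptime",
          "/rest/appliance/health/system")  # endpoints named in the thread

def http_call(base, method, path, headers):
    """Real transport: return (status, body) instead of raising on 4xx/5xx.
    TLS verification stays on; trust the VCSA CA rather than disabling it."""
    req = urllib.request.Request(base + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def classify(status):
    if status == 200:
        return "allowed"
    if status == 401:
        return "unauthenticated: session missing or expired"
    if status == 403:
        return "authenticated but not authorized: role or group missing"
    return f"unexpected HTTP {status}"

def audit(base, user, password, call=http_call, probes=PROBES):
    """Log in, probe each endpoint with the session id, always log out."""
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, body = call(base, "POST", LOGIN, {"Authorization": "Basic " + basic})
    if status != 200:
        raise PermissionError(f"login failed: HTTP {status}")
    session = {"vmware-api-session-id": json.loads(body)["value"]}
    try:
        return {p: classify(call(base, "GET", p, session)[0]) for p in probes}
    finally:
        call(base, "DELETE", LOGIN, session)  # do not leave the session open

def constructed_vcsa(base, method, path, headers):
    """Constructed responses mirroring the thread: appliance calls return 403."""
    if path == LOGIN:
        return 200, '{"value": "constructed-session-id"}'
    return (403, "") if path.startswith("/rest/appliance/") else (200, '{"value": []}')

if __name__ == "__main__":
    # Hypothetical host and account; swap in call=http_call against a real VCSA.
    report = audit("https://vcsa.example.invalid", "svc-readonly", "x", constructed_vcsa)
    for path, verdict in report.items():
        print(f"{path:35} {verdict}")
```

Running the same probe list once per candidate account shows exactly which calls each role unlocks, so the account can be given the narrowest membership that covers the calls a script actually makes.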
