Starting with VMware Cloud Director 10.3.1, you can generate and issue API access tokens. You are authenticated using your respective security best practices, including leveraging two-factor authorization, by using API access tokens, you can grant access for building automation against VMware Cloud Director.
Access tokens are artifacts that client applications use to make API requests on behalf of a user. Applications need access tokens for authentication. When an access token expires, to obtain access tokens, applications can use API tokens. API tokens do not expire.
When using access tokens, applications cannot perform certain tasks.
- Change the user password
- Perform user management tasks
- Create more tokens
- View or revoke other tokens
When accessing VMware Cloud Director by using an API access token, applications have only view rights for the following resources.
- User
- Group
- Roles
- Global roles
- Rights bundles
- Token: Manage
- Token: Manage All
Similar to generating a user API token, you can create a service account by using the VMware Cloud Director API. The API request for creating a service account uses the same API endpoint as creating a user API token, but the presence of the software_id
field indicates the intent to create a service account.
Prerequisites
- Verify that you have the Manage user's own API token right.
- Authenticating with an API token uses the "Refreshing an Access Token" standard as specified in the OAuth 2.0 RFC 6749 Section 6 to allow access to VMware Cloud Director as an OAuth application. The returned access token is the same as a VMware Cloud Director access token and client applications can use it to make subsequent API calls to VMware Cloud Director. To make an OAuth 2.0 RFC-compliant request, familiarize yourself with Request for Comments (RFC) 6749 Section 6 information about refreshing an access token.
Procedure
Example
POST https://host_name/oauth/tenant/tenant_name/token Accept: application/json Content-Type: application/x-www-form-urlencoded Content-Length: 71 grant_type=refresh_token&refresh_token=Generated_API_TokenResponse:
HTTP/1.1 200 OK Content-Type: application/json { "access_token":"Generated_Access_Token", "token_type":"Bearer", "expires_in":2592000, "refresh_token":null }Request using the generated access token:
GET https://host_name/api/org Accept: application/*+xml;version=36.1 Authorization: Bearer Generated_Access_TokenResponse:
HTTP/1.1 200 OK Content-Type: application/vnd.vmware.vcloud.orglist+xml;version=36.1 X-VMWARE-VCLOUD-REQUEST-EXECUTION-TIME: 41 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <OrgList xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:common="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1" xmlns:ns9="http://www.vmware.com/vcloud/versions" href="https://host_name/api/org/" type="application/vnd.vmware.vcloud.orgList+xml"> <Org href="https://host_name/api/org/UUID_of_the_organization" type="application/vnd.vmware.vcloud.org+xml" name="Organization_name"/> </OrgList>
What to do next
- To revoke any of your tokens, navigate to the User preferences page, and click the vertical ellipsis next to the token.
- As an organization administrator, if you want to see the tokens of all tenant users in your organization, and if necessary, to revoke them, you can request from your service provider to be granted the Manage all users' API tokens right. For more information of revoking tokens of other users, see Manage the Access Token of a User.