You can automate the access of third-party applications to VMware Cloud Director by using service accounts.
Sharing
Starting with VMware Cloud Director 10.4.1, if you want to limit the service account information that users can see, you can grant to certain roles only the Limited Service Accounts View right. When a user with the Limited Service Accounts View right makes a GET request on the service account, in the response, the softwareId
, softwareVersion
, uri
, and status
of the service account appear as null
.
Implementation
To provide automated access to VMware Cloud Director, service accounts use API tokens . Service accounts are intended for API-based access only. Once you grant access to a service account, the authenticated client application receives their API Token, which is an OAuth refresh token, and an access token, representing its first VMware Cloud Director session, for immediate use. Applications need the API tokens for authenticating with VMware Cloud Director. Access tokens are VMware Cloud Director session tokens (JWT tokens), that applications use to make API requests using the service account. The service accounts for applications use API tokens and thus, have the same restrictions as user API tokens in VMware Cloud Director.
Service accounts are granted access using the "Request Service Account Authorization". This guarantees that only the application that must use the token has sole access to the token and can use it. No other actor can access the token. You, as an administrator, manage the access to the service account. However, even administrators do not have access to the actual token that grants access. VMware Cloud Director gives the token only to the service account. To accomplish this, VMware Cloud Director relies on a well-known standard. To ensure that you and the application to which you are granting the token are in sync through the grant and token transmission, you can only initiate the API token grant process by knowing the user code for the application.
Unlike user API tokens, API tokens granted to service accounts rotate on every use, as per RFC 6749 section 6. Unused service account API tokens never expire unless you revoke them.
Service accounts can have only one role. In OAuth-compliant APIs, the role is communicated through the scope field as a URL-encoded Uniform Resource Name (URN) with the name of the role. The URN format is urn:vcloud:role:[roleName]
. See RFC 8141 that describes URN encoding.
Status | Description |
---|---|
Created | The account is in the initial state after creation. |
Requested | There are one or more outstanding requests for access that a requester initiated using a device authorization request. |
Granted | An administrator granted an outstanding request and is awaiting the service account polling and fetching of the API token. |
Active | The service account fetched the API token and can access VMware Cloud Director using the token. |
Limitations
Because the use of service accounts is aimed at third-party applications, service accounts have some limitations.
- Perform user management tasks
- Create API tokens
- Manage other service accounts
- User
- Group
- Roles
- Global roles
- Rights bundles
- Token: Manage
- Token: Manage All
Multisite
Starting with VMware Cloud Director 10.4.1, service accounts can manage and monitor multiple, geographically distributed VMware Cloud Director installations or server groups and their organizations as single entities by using the multisite feature. For more information, see Configuring and Managing Multisite Deployments. If a service account is making a request to a different organization from the one that it is authenticated to, verify that the service account exists on the associated organization and that it has the same name and software ID. You must also include a X-VMWARE-VCLOUD-AUTH-CONTEXT header that specifies the name of the organization that must fulfill your request. See the information for configuring and managing multisite deployments in the VMware Cloud Director API Programming Guide.
Create a Service Account Using Your VMware Cloud Director Service Provider Admin Portal
You can create an account for automated access to VMware Cloud Director by using the Service Provider Admin Portal.
Procedure
Results
Created
.
Example
You can create a service account also by using the VMware Cloud Director API. The API request uses the same API endpoint as creating a user API token, but the presence of the software_id
field indicates the intent to create a service account.
POST /oauth/provider/register Accept:application/json Content-Type:application/json Authorization:Bearer eyJhbGciOiJSUzI...7g7rA Body: { "client_name": "exampleServiceAccount", "software_id": "bc2528fd-35c4-44e5-a55d-62e5c4bd9c99", "scope": "urn:vcloud:role:System%20Administrator", "client_uri": "https://www.companyname.com", "software_version": "1.0" }
{ "client_name": "exampleServiceAccount", "client_id": "734e3845-1573-4f07-9b6c-b493c9042187", "grant_types": [ "urn:ietf:params:oauth:grant-type:device_code" ], "token_endpoint_auth_method": "none", "client_uri": "https://www.company_name.com", "software_id": "bc2528fd-35c4-44e5-a55d-62e5c4bd9c99", "software_version": "1.0", "scope": "urn:vcloud:role:System%20Administrator" }
What to do next
Grant Access to a Service Account Using Your VMware Cloud Director Service Provider Admin Portal
After you create a service account and the application requests authorization to receive an access token, you can grant the token by using the VMware Cloud Director Service Provider Admin Portal.
Created
, and you must start the procedure again.
Prerequisites
- Copy the client ID from the service account details in the Service Provider Admin Portal.
- Verify that the application requesting the account makes an OAuth 2.0 Device Authorization Grant RFC-compliant request to the https://site.cloud.example.com/oauth/provider/device_authorization API endpoint. For more information on device authorization requests, see RFC 8628 section 3.1.
Key Value client_ID
Generated_Client_ID
Once the application requests access, the service account status in the Service Provider Admin Portal changes to
Requested
. The application receives the device code, user code, and some additional information.Sample request:POST /oauth/provider/device_authorization Accept:application/json Content-Type: application/x-www-form-urlencoded Body: client_id=734e3845-1573-4f07-9b6c-b493c9042187
Sample response:{ "device_code": "tkhZ0uoUMy5xgjJqRJblIq3-g44xy2Ms6TEpv3Z_fKw", "user_code": "3VL8-SQVJ", "verification_uri": "https://[VCD]/provider/administration/access-control/service-accounts", "expires_in": 3600, "interval": 60 }
The device must poll at the frequency specified in the above response (in seconds)
/oauth/provider/token
as per the RFC. The device must use the device code until it receives the tokens from VMware Cloud Director, or the request times out.Sample request:POST: /oauth/provider/token Accept:application/json Content-Type: application/x-www-form-urlencoded Body: client_id= 734e3845-1573-4f07-9b6c-b493c9042187&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code&device_code=tkhZ0uoUMy5xgjJqRJblIq3-g44xy2Ms6TEpv3Z_fKw
Sample response before granting:{ "error": "authorization_pending", "error_description": "Device authorization request pending", "error_uri": null, "minorErrorCode": "authorization_pending", "message": "Device authorization request pending", "stackTrace": null }
Sample response after granting:{ "access_token": "eyJhbGciOiJSU…HqJaDud1sVA", "token_type": "Bearer", "expires_in": 2592000, "refresh_token": "SsybukUed8SBP2p1AaFiGJhrntQNWZVX" }
If you do not confirm or deny an access request, the user code times out. The timeout period appears in the response of the device authorization request.
VMware Cloud Director grants a primary API token to the application only if the application and the administrator use the device code and user code corresponding to each other.
- Get the user code from the application. You must enter the code in step 4.
Procedure
Results
The service request status changes to Granted
. VMware Cloud Director grants the application linked to the service account its primary API token in the form of an API token. Included in the response, as required by the RFC, is an OAuth access token representing a user session for immediate use by the service account. If the application does not use the OAuth access token immediately, the session times out as per the configured idle session timeout. The service account might also explicitly log out, which is recommended not only for security reasons, but also provides a good test run for the service account to make an API call to VMware Cloud Director. Once the application fetches the API token, the status changes to Active
.
What to do next
- To change the assigned service account role, software ID, software version, client URI, or quota restrictions, select a service account and click Edit a Service Account. The changes take effect at the next token refresh.
- To revoke service account access so that the granted API token granted becomes invalid, click Revoke. VMware Cloud Director terminates all active sessions. Revoking an API token does not delete the service account, however, the status of the account changes to
Created
. If the application has already requested access again, the status of the service account changes toRequested
. You must once again follow the procedure to grant access to the service account for the account to becomeActive
.