
API Authentication into VCF Automation 9 Provider, Tenants, and Orchestrator: Creating service accounts and Tokens

  • josephldibella
  • 3 days ago
  • 3 min read

So here we are: 9.0 (technically 9.0.2 at the time of this blog), the highly anticipated release of VCF. VMware has finally(?) consolidated all of its core technologies into a singular integrated platform.

"One small step for Broadcom, one giant leap for VMware" - anonymous reddit user

With the release of the 9.0 platform there have been many highly anticipated improvements and some changes that were not so anticipated. One change that I would like to discuss today is the change to the VMware Orchestrator APIs because, frankly, you may have to do some rewriting of your API calls. We are going to zero in on authentication in this blog, but we will get into running workflows in another blog. (I plan on releasing this blog as a series of blogs detailing how to replicate some of the Cisco VMM capabilities in VCF Automation.)

For this blog, it's important to note that I will be using Bruno instead of Postman to make API calls. Bruno has 99% of the same capabilities as Postman so the two can be used essentially interchangeably.


The first thing to know when it comes to VCF Automation 9 is that there are two layers to the tool:

1) Provider Layer - This is the centralized platform which allows you to divide up isolated network and resource environments, which you can then provide to different IT departments or teams.

2) Organization Layer - These are the isolated network and resource environments that individual consumers can then access to request IT infrastructure through a service catalog.

We will have to authenticate into both of these environments. Let's start by setting up authentication in the Provider. The goal here is to make a POST command that will authorize our device. The POST command is as follows:

https://{{vra_server}}/oauth/provider/device_authorization?client_id=81*******


You'll notice that the POST command is appended with a client ID, but where did we get that client ID? I'm glad you asked!


We have to generate the Client ID from the Provider Portal. Go to Administration > Access Control > Service Accounts and click New. Fill in the fields as follows:


  • Name

  • Privileges

  • click the autogenerate button for a software ID (note: this is not the client ID yet)

  • Optional: I just put 1.0

  • Optional: I just put www.vmware.com



Click Next, review, and then click Finish.


This will generate a service account complete with a Client ID as shown below. Use that Client ID in your POST Command:


Please note: You will need to uncheck the "Require Rotation" radio button

Back to the POST command. Run the following command using the Client ID:

https://{{vra_server}}/oauth/provider/device_authorization?client_id=81*******

The output of the POST command will look as follows:



From here, I will go back into the VCF Automation Provider portal under Access Control > Service Account. Press "Review Access Requests" and enter the User Code generated in the above POST response (you will notice that the User Code below is different. This is because this user code is temporary and I did not take a proper screenshot at the time):


Verify that the field data is correct and press "Grant". Take a moment to congratulate yourself on granting Postman (or Bruno) access.

Now we will need to get an Access Token for the Provider. In order to do so we will need to use the device_code from the previous POST command output and the Client ID we previously used.

The POST command is as follows:

https://{{vra_server}}/oauth/provider/token?client_id=81****&device_code=gPF2QfOhp9Im4CwxSJoILZ3hIZbQEC_jIBBLEKTJ72g&grant_type=urn:ietf:params:oauth:grant-type:device_code

There are 3 parameter inputs:

  • client_id

  • device_code

  • grant_type: urn:ietf:params:oauth:grant-type:device_code


The response will be a JSON output similar to the following:

    {
      "access_token": "eyJ***m2sX7xg",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "dYI***XP8e"
    }

Congratulations! Your service account should now show "Active" and the refresh_token from the JSON can be used by your application to do API calls to VCFA.
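The two POST commands above, chained into one script, as an added example that is not from the original post or from VMware: it requests the device and user codes, then polls the token endpoint until the user code is granted in the portal. The endpoint paths and parameters are the ones shown in the post; the `user_code`, `interval` and `expires_in` response fields and the `authorization_pending` / `slow_down` polling errors are assumed from RFC 8628, and the function names are hypothetical.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def http_post(url):
    """POST with the parameters in the query string, as the post does; return (status, JSON)."""
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:      # OAuth errors arrive as HTTP 4xx with a JSON body
        return err.code, json.load(err)

def endpoint(server, path, **params):
    # Paths are the ones in the post: /oauth/provider/device_authorization and /oauth/provider/token
    return f"https://{server}/oauth/provider/{path}?{urllib.parse.urlencode(params)}"

def provider_tokens(server, client_id, post=http_post, sleep=time.sleep, notify=print):
    """Run the device-code flow and return the token JSON (access_token, refresh_token, ...)."""
    # Step 1: ask for a device_code / user_code pair for the service account's Client ID.
    status, grant = post(endpoint(server, "device_authorization", client_id=client_id))
    if status != 200:
        raise RuntimeError(f"device authorization failed: HTTP {status}")
    notify(f"Enter user code {grant['user_code']} under Review Access Requests and press Grant")
    # Step 2: poll the token endpoint until the request has been granted in the portal.
    token_url = endpoint(server, "token", client_id=client_id,
                         device_code=grant["device_code"], grant_type=GRANT)
    interval = grant.get("interval", 5)        # assumption: RFC 8628 field, 5 s default
    deadline = time.monotonic() + grant.get("expires_in", 600)  # assumption: RFC 8628 field
    while time.monotonic() < deadline:
        status, body = post(token_url)
        if status == 200:
            return body                        # never log this; it carries both tokens
        error = body.get("error")
        if error == "slow_down":               # server asks for a longer polling interval
            interval += 5
        elif error != "authorization_pending": # e.g. access_denied or expired_token
            raise RuntimeError(f"token request rejected: {error}")
        sleep(interval)
    raise TimeoutError("user code was not granted before it expired")
```

Call `provider_tokens("<vra_server>", "<client_id>")` with your own values, and keep the returned refresh_token in a secret store rather than in a script or a shared collection file.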

This concludes Part 1 of this blog. In the next blog we will look at how to grant API access to your individual tenants in VCF Automation! Hope this helps!




 
 
 
