VCF9.1 API Access: Basic

Unlocking the power of automation in VMware Cloud Foundation (VCF) 9.1 requires a solid understanding of how to manage programmatic access. By transitioning from manual administration to an API-first approach, you can ensure consistency, scalability, and security across your entire VCF fleet.

This blog breaks down how to configure identity types and obtain the necessary tokens to interact with the VCF 9.1 API.


1. Understanding Identity Types: SSO vs. System Users

VCF 9.1 categorizes programmatic access into two distinct identity types. Choosing the right one is critical for maintaining long-term automation stability.

Identity Type | User Category      | Use Case                                         | Lifecycle Implication
SSO User      | Humans / Admins    | Manually triggered or on-demand API tasks.       | Tokens fail if the individual's personal account is disabled or deleted.
API Client    | Systems / Services | Automation, monitoring, or CI/CD integrations.   | Tokens remain active even if the admin who created them leaves, ensuring integration reliability.

2. Obtaining an API Token as an SSO User

For administrative tasks that require manual API calls, human users can generate personal tokens through the VCF interface.

  • Process: SSO users log into the VCF Components UI (such as VCF Automation, vCenter, or NSX) or VCF Operations to generate an API token.
  • Token Exchange: This initial API token is exchanged with the Identity Broker for a short-lived bearer access token used for fleet-wide operations.
  • Crucial Limitation: API tokens only inherit permissions assigned at the VCF Fleet level. For example, if you are a “vCenter Admin” but only a “VCF Viewer” at the fleet level, your API token will only grant Viewer permissions.

3. Obtaining an API Token for System Access (API Clients)

To support robust, “headless” automation, you should manage API clients as first-class operational objects.

Step 1: Create the API Client

In VCF Operations, an administrator creates an API Client. It is recommended to create separate clients for distinct functions, such as one for “Backup” and another for “Monitoring,” to follow the Principle of Least Privilege.

Step 2: Generate the API Token

Once the client is defined, you can generate one or multiple API tokens associated with that specific client.

The generated token can then be used by your external automation system. This token is sent to the Identity Broker, which validates the client and issues the bearer access token required for API calls.

4. How to Exchange an API Token for a Bearer Access Token

# POST the API token to the Identity Broker token endpoint; the JSON reply carries the short-lived bearer access token
curl --request POST \
  --url https://{{idb-fqdn}}/acs/t/CUSTOMER/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=urn:custom:vcf:params:oauth:grant-type:api-token \
  --data api_token=vidb_xxxxxxxxxxxxxxxxxx
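The same exchange as a small Python client, added here as an example (not code from the original post or from VMware): it builds the request shown in the curl command above, validates the broker's reply, and refuses to reuse an expired bearer token. Assumed: the broker returns a standard OAuth 2.0 JSON token or error object, and the API token is read from the VCF_API_TOKEN environment variable rather than passed on the command line, so it does not land in shell history or process listings.

```python
# Added example, not from the original post. Assumptions: endpoint path and grant_type
# are those of the curl command above; the broker answers with a standard OAuth 2.0
# token response (access_token, token_type, expires_in) or error object (error, ...).
import json
import os
import time
import urllib.parse
import urllib.request

GRANT_TYPE = "urn:custom:vcf:params:oauth:grant-type:api-token"  # from the post
TOKEN_PATH = "/acs/t/CUSTOMER/token"                              # from the post


def build_token_request(idb_fqdn, api_token):
    """Return (url, headers, body) for the exchange; body is form-encoded."""
    if not idb_fqdn or "/" in idb_fqdn:
        raise ValueError("idb_fqdn must be a bare hostname")
    if not api_token.startswith("vidb_"):  # prefix shown in the post's placeholder
        raise ValueError("API token does not look like an Identity Broker token")
    url = f"https://{idb_fqdn}{TOKEN_PATH}"  # HTTPS only; no stray double slash
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": GRANT_TYPE, "api_token": api_token})
    return url, headers, body

def parse_token_response(raw, now=None):
    """Validate the broker's JSON reply; return bearer token and absolute expiry."""
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response shape")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"], "expires_at": now + int(data.get("expires_in", 0))}

def bearer_header(token, now=None):
    """Authorization header for fleet API calls; refuse to use an expired token."""
    now = time.time() if now is None else now
    if now >= token["expires_at"]:
        raise RuntimeError("access token expired; exchange the API token again")
    return {"Authorization": f"Bearer {token['access_token']}"}

def exchange_api_token(idb_fqdn):
    """Live exchange (network). Token comes from VCF_API_TOKEN, never argv or logs."""
    url, headers, body = build_token_request(idb_fqdn, os.environ["VCF_API_TOKEN"])
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:  # default context verifies TLS
        return parse_token_response(resp.read())

# Constructed sample reply for offline demonstration (not a real token).
SAMPLE_REPLY = b'{"access_token":"eyJ.constructed.sample","token_type":"Bearer","expires_in":1800}'
```

Call exchange_api_token("idb.example.internal") with VCF_API_TOKEN exported to perform the real exchange; the returned dict feeds bearer_header() for every subsequent fleet API call.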
