VCF 9.1 API Access (8): API Token Lifecycle Automation

VCF SSO API tokens can be generated by an SSO user or under an API client. These tokens carry a lifespan ranging between 30 and 180 days.

These two token types serve entirely different functions within a VCF Fleet:

  • SSO User Tokens: Tied directly to personal human accounts and restricted to manually triggered, on-demand activities. Because these tokens are not used for automated system integrations, their expiration has no impact on background infrastructure operations. SSO users can simply log into the VCF user interface and manually generate a new one.
  • API Client Tokens: The recommended option, used exclusively for system-to-system integrations (such as automation pipelines, backups, or monitoring setups). To keep these integrations running without interruption and prevent production connection failures, VCF SSO provides a dedicated token regeneration API to programmatically cycle these secrets.

The following steps outline how to automate the lifecycle rotation of an API client token created under a VIDB API client named IamClient using flt-ops01.rainpole.io as the VCF Operations API endpoint.

Step 0: Get the SSO Realm ID

Make a VCF Operations IAM API call to locate the target SSO realm ID based on its Identity Broker (VIDB) name.

API Request:

curl --request GET \
  --url https://flt-ops01.rainpole.io/suite-api/api/fleet-management/iam/ssorealms \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json'

Response Payload (Truncated):

{
  "ssoRealms": [
    ...
    {
      "id": "d86a0d9d-f267-45fd-b966-ed8b30e59452",
      "name": "flt-idb02",
      "vidbResourceId": "60b347fc-cb9b-452a-bfdc-5e483ab813d8",
      "vcfInstanceId": "a79554c3-4c83-46c1-975a-92f94bbcd56d",
      "issues": [],
      "ssoRealmCoverage": [
        {
          "id": "a79554c3-4c83-46c1-975a-92f94bbcd56d",
          "name": "sfo-vcf02",
          "ssoEntityType": "VCF_INSTANCE"
        },
        {
          "id": "0cdb4cb5-17c0-41c1-962f-f027e599b392",
          "name": "Operations Appliance",
          "ssoEntityType": "MANAGEMENT_COMPONENT"
        },
        {
          "id": "9a1dbfbb-92ba-41ee-98f3-cb2b14f2375f",
          "name": "Automation Appliance",
          "ssoEntityType": "MANAGEMENT_COMPONENT"
        }
      ],
      "totalConfiguredComponents": 4,
      "idpId": "d5709a7f-8c6b-45e5-8189-4da573f98798",
      "createdAt": 1778735571488,
      "updatedAt": 1778735571488
    }
  ]
}

Extract the target realm ID ("id": "d86a0d9d-f267-45fd-b966-ed8b30e59452") for the subsequent steps.

Step 1: Create API Client

Before generating API tokens, first create an API client under the SSO realm.

API Request to create an API client (clientId: IamClient):

curl --request POST \
  --url https://flt-ops01.rainpole.io/suite-api/api/fleet-management/iam/ssorealms/d86a0d9d-f267-45fd-b966-ed8b30e59452/api-clients \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json' \
  --data '{
    "clientId": "{{apiClientId}}",
    "clientName": "Iam Client",
    "clientDescription": "API client for IAM functional testing"
  }'

Response Payload:

{
  "clientId": "IamClient",
  "clientUuid": "37a5c224-02ad-45c6-895d-1592d9b14068",
  "clientName": "Iam Client",
  "clientDescription": "API client for IAM functional testing"
}

The clientUuid in the response is the principal ID of the newly created API client. Extract this value (37a5c224-02ad-45c6-895d-1592d9b14068) for role assignment.

Step 2: Assign Role to API Client

Before the API client and its API token can be used, we need to assign a role to it.

API request:

curl --request PUT \
  --url https://flt-ops01.rainpole.io/suite-api/api/fleet-management/iam/ssorealms/d86a0d9d-f267-45fd-b966-ed8b30e59452/principals/37a5c224-02ad-45c6-895d-1592d9b14068/roles \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json' \
  --data '{
    "vcfRoleAssignments": [
      {
        "roleName": "vcf_viewer",
        "roleScope": {
          "scopeType": "SSO_REALM"
        },
        "expiresAt": null
      },
      {
        "roleName": "sddc_admin",
        "roleScope": {
          "scopeType": "VCF_INSTANCE",
          "resources": [
            {
              "id": "{{vcfInstanceId}}"
            }
          ]
        },
        "expiresAt": null
      }
    ]
  }'

Here we assign the API client two roles:

(1) the vcf_viewer role, scoped to the whole SSO realm;

(2) the sddc_admin role, scoped to a specific VCF instance within the SSO realm.

We can verify the role assignment with the following API call:

curl --request GET \
  --url https://flt-ops01.rainpole.io/suite-api/api/fleet-management/iam/ssorealms/d86a0d9d-f267-45fd-b966-ed8b30e59452/principals/37a5c224-02ad-45c6-895d-1592d9b14068/roles \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json'

Step 3: Generate an Initial API Client Token

Create a new token ("tokenName": "apitoken-test1000") associated with your designated VIDB API client, IamClient.

API Request:

curl --request POST \
  --url https://flt-ops01.rainpole.io/suite-api/api/fleet-management/iam/ssorealms/d86a0d9d-f267-45fd-b966-ed8b30e59452/api-tokens \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json' \
  --data '{
    "apiClientId": "IamClient",
    "tokenName": "{{tokenName}}",
    "tokenDescription": "API Token for testing",
    "tokenType": "API_CLIENT",
    "apiTokenTtl": "40320",
    "accessTokenTtl": "30"
  }'

Response Payload:

{
  "id": "27a20393-2bd8-4c21-a1d2-e4c98e6f8cbf",
  "apiClientId": "IamClient",
  "tokenName": "apitoken-test1000",
  "apiTokenTtl": 40320,
  "accessTokenTtl": 30,
  "tokenType": "API_CLIENT",
  "token": "vidb_MjdhMjAzOTMtMmJkOC00YzIxLWExZDItZTRjOThlNmY4Y2JmI3lSbGhjb...",
  "tokenLastChars": "DQxMQ",
  "creationDate": 1779354411000,
  "expirationDate": 1781773611000,
  "lastUsedDate": 1779354411000,
  "tokenStatus": "ACTIVE",
  "tokenEndpointUrl": "https://flt-idb02.rainpole.io:443/acs/t/CUSTOMER/token",
  "oidcIssuerUrl": "https://flt-idb02.rainpole.io:443/acs/t/CUSTOMER"
}

Step 4: Query and Retrieve the Target Token ID for Regeneration

To get the API token ID for regeneration, the following VCF Operations IAM API call can be used.

API Request:

curl --request POST \
  --url 'https://flt-ops01.rainpole.io/suite-api/api/fleet-management/iam/ssorealms/d86a0d9d-f267-45fd-b966-ed8b30e59452/api-tokens/query?page=0&pageSize=50&sortOrder=ASCENDING' \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json' \
  --data '{
    "searchTerms": {
      "allOf": [
        {
          "field": "CLIENT_ID",
          "terms": ["{{clientId}}"],
          "operator": "LIKE"
        }
      ],
      "anyOf": []
    },
    "filters": {
      "tokenType": ["API_CLIENT"]
    }
  }'

Response Payload (Truncated):

{
  "pageInfo": {
    "totalCount": 1,
    "page": 0,
    "pageSize": 50,
    "sortOrder": "ASCENDING"
  },
  ...
  "apiTokens": [
    {
      "id": "27a20393-2bd8-4c21-a1d2-e4c98e6f8cbf",
      "apiClientId": "IamClient",
      "tokenName": "apitoken-test1000",
      "tokenDescription": "API Token for testing",
      "apiTokenTtl": 40320,
      "accessTokenTtl": 30,
      "tokenType": "API_CLIENT",
      "tokenLastChars": "DQxMQ",
      "principalName": "IamClient",
      "creationDate": 1779354411000,
      "expirationDate": 1781773611000,
      "lastUsedDate": 1779354411000,
      "tokenStatus": "ACTIVE"
    }
  ]
}

We can check whether the token is close to expiring by evaluating the expirationDate Unix timestamp (in milliseconds) returned in the response. Extract the token ID ("id": "27a20393-2bd8-4c21-a1d2-e4c98e6f8cbf") to execute the token regeneration.

Step 5: Regenerate the API Token

Make a VCF Operations IAM API call targeting the specific token ID to rotate the token under the IamClient before expiration occurs.

API Request:

curl --request POST \
  --url https://flt-ops01.rainpole.io/suite-api/api/fleet-management/iam/ssorealms/d86a0d9d-f267-45fd-b966-ed8b30e59452/api-tokens/27a20393-2bd8-4c21-a1d2-e4c98e6f8cbf/regenerate \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json'

Response Payload:

{
  "id": "b3a308e3-aef9-4a53-b951-3c9d628204d9",
  "apiClientId": "IamClient",
  "tokenName": "apitoken-test1000",
  "tokenDescription": "API Token for testing",
  "apiTokenTtl": 40320,
  "accessTokenTtl": 30,
  "tokenType": "API_CLIENT",
  "token": "vidb_YjNhMzA4ZTMtYWVmOS00YTUzLWI5NTEtM2M5ZDYyODIwNGQ...",
  "tokenLastChars": "zIwNg",
  "creationDate": 1779357206000,
  "expirationDate": 1781776406000,
  "lastUsedDate": 1779357206000,
  "tokenStatus": "ACTIVE",
  "tokenEndpointUrl": "https://flt-idb02.rainpole.io:443/acs/t/CUSTOMER/token",
  "oidcIssuerUrl": "https://flt-idb02.rainpole.io:443/acs/t/CUSTOMER"
}
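To tie Steps 4 and 5 together in a scheduled job, here is an added Python example (not code from this post or from VCF) that parses the query response, flags API_CLIENT tokens nearing their expirationDate, and calls the regenerate endpoint. The host, realm ID, token ID and timestamps are the post's values; the sample payload, the 7-day threshold and the caller-supplied bearer access token are assumptions.

```python
import json
import urllib.request

MS_PER_DAY = 24 * 60 * 60 * 1000

# Constructed sample: the Step 4 query response from the post, trimmed to the fields used here.
SAMPLE_QUERY_RESPONSE = json.loads("""
{"pageInfo": {"totalCount": 1, "page": 0, "pageSize": 50, "sortOrder": "ASCENDING"},
 "apiTokens": [{"id": "27a20393-2bd8-4c21-a1d2-e4c98e6f8cbf", "apiClientId": "IamClient",
   "tokenName": "apitoken-test1000", "apiTokenTtl": 40320, "accessTokenTtl": 30,
   "tokenType": "API_CLIENT", "creationDate": 1779354411000,
   "expirationDate": 1781773611000, "tokenStatus": "ACTIVE"}]}
""")

def days_until_expiry(token, now_ms):
    """Days left on a token; expirationDate is a Unix timestamp in milliseconds."""
    return (token["expirationDate"] - now_ms) / MS_PER_DAY

def ttl_is_in_minutes(token):
    """True when apiTokenTtl read as minutes equals expirationDate - creationDate
    (40320 min = 28 days in the sample), so the TTL can be trusted for scheduling."""
    return token["apiTokenTtl"] * 60 * 1000 == token["expirationDate"] - token["creationDate"]

def tokens_due_for_rotation(query_response, now_ms, threshold_days=7):
    """IDs of ACTIVE API_CLIENT tokens that expire within threshold_days of now_ms."""
    return [tok["id"] for tok in query_response.get("apiTokens", [])
            if tok.get("tokenType") == "API_CLIENT"
            and tok.get("tokenStatus") == "ACTIVE"
            and days_until_expiry(tok, now_ms) <= threshold_days]

def regenerate_url(ops_host, realm_id, token_id):
    """The Step 5 regenerate endpoint for one token ID."""
    return (f"https://{ops_host}/suite-api/api/fleet-management/iam/ssorealms/"
            f"{realm_id}/api-tokens/{token_id}/regenerate")

def regenerate_token(ops_host, realm_id, token_id, access_token):
    """POST to the regenerate endpoint and return (new_token_id, new_secret).
    The response carries a new 'id' (keep it for the next cycle) and the secret 'token',
    which is shown only once: write it to your secret store, never to a log."""
    req = urllib.request.Request(
        regenerate_url(ops_host, realm_id, token_id), method="POST",
        headers={"authorization": f"Bearer {access_token}", "content-type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # needs network access to the VCF Operations host
        body = json.load(resp)
    return body["id"], body["token"]

if __name__ == "__main__":
    # Offline dry run against the constructed sample, 3 days before its expirationDate.
    now = 1781773611000 - 3 * MS_PER_DAY
    print("due for rotation:", tokens_due_for_rotation(SAMPLE_QUERY_RESPONSE, now))
```

Note that the Step 5 response returns a different token ID (b3a308e3-aef9-4a53-b951-3c9d628204d9) than the one regenerated, so the job must persist the new ID, not just the new secret, for the next rotation cycle.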

Summary

By leveraging this programmatic token regeneration flow, organizations can achieve password-less, continuous system integrations across VCF components such as vCenter and NSX Manager.

Happy Automating.
