
F5 Big IP - Account Setup / Least Permissions Set

Problem

To improve security and stability of an environment, an account with minimal privileges should be used to integrate vRealize Automation with other systems. 

Account Creation

Step 1

Log in to the F5 as an administrator, then go to System > Users > Create…

Step 2

Give the service account an appropriate name and password. Select Manager Role for each Partition required. 

Step 3

Click Add to add each Partition to the service account. You can repeat the previous step to add more Partitions to the service account. 

Ensure “tmsh” is selected for Terminal Access.

Click Update/Finished to create the service account. 

Granting Rights to REST API

For BIG-IP versions prior to 14.x, the user you created must be explicitly granted the iControl_REST_API_User role.

  1. Log in to the Advanced Shell (bash) on the F5 appliance.
  2. Add the user to the iControl_REST_API_User role using the following command syntax:

    curl -sk -u <admin_username>:<admin_password> https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User -H "Content-Type: application/json" -X PATCH -d '{ "userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/<username>"}] }'

    In this command syntax, note the following:

    1. Replace <admin_username> and <admin_password> with the username and password of a BIG-IP user account with the administrator role

    2. Replace <username> with the username of the user to whom you want to grant iControl access

For example, if you created a user named leastperm:

    curl -sk -u admin:admin https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User -H "Content-Type: application/json" -X PATCH -d '{ "userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/leastperm"}] }'
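To confirm the grant, the following added example (not part of the original article) reads the role back with a GET on the same URL and checks that the service account is listed. The response shape is assumed to mirror the PATCH body, the sample JSON is constructed, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: verify membership of the iControl_REST_API_User role.
ROLE_URL="https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User"

# Constructed sample of the role document (assumed shape, mirrors the PATCH body).
SAMPLE_ROLE='{"name":"iControl_REST_API_User","userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/admin"},{"link": "https://localhost/mgmt/shared/authz/users/leastperm"}]}'

# Read role JSON on stdin and print one username per line,
# taken from the last path segment of each userReferences link.
role_users() {
    grep -o '"link"[[:space:]]*:[[:space:]]*"[^"]*/mgmt/shared/authz/users/[^"]*"' \
        | sed -e 's/"$//' -e 's#.*/##'
}

# role_has_user <role_json> <username>
# Exit 0 only on an exact username match, so "leastperm" does not
# match a different account such as "leastperm2".
role_has_user() {
    printf '%s\n' "$1" | role_users | grep -qxF -- "$2"
}

# check_grant <admin_username> <username>
# Live check from the BIG-IP Advanced Shell. Only the admin username is
# passed to -u, so curl prompts for the password instead of leaving it
# in the shell history or the process list.
check_grant() {
    role_has_user "$(curl -sk -u "$1" "$ROLE_URL")" "$2"
}

# Offline demonstration against the constructed sample.
role_has_user "$SAMPLE_ROLE" leastperm && echo "leastperm is in iControl_REST_API_User"
```

On the appliance, run `check_grant admin leastperm` after the PATCH; a non-zero exit status means the account is not listed in the role.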


