A cloud user as a member of a Project through an LDAP group does not have access to resources when using API calls or Terraform
Article ID: 325844

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  1. A cloud user is part of an AD group, and the group is added to a project. However, the user is not able to access the resources of that project when using API calls / Terraform.
    • When performing the same actions from the UI, they work.
    • When the project is fetched by running the following command
      curl --location --request GET 'https://api.mgmt.cloud.vmware.com/project-service/api/projects/project_id' \
      --header 'Authorization: Bearer cloud_admin_access_token' \
      --header 'Content-Type: application/json'
      Note: project_id and cloud_admin_access_token should be updated with their respective values from your environment.
The group is presented in the format group_name@domain@domain, however when the user runs the following command
curl --location --request POST 'https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'api_token=refresh_token'
where refresh_token is the API token of the user that is experiencing the project scope access issue. When you take the id_token and paste it into a JSON Web Token validation tool, under group_names, the group appears as group_name@domain.
  2. A custom role is assigned to a group, however the Cloud Assembly Users that are part of the group do not get the custom role permissions when calling APIs (or using Terraform) with an access token acquired from the API token.


Cause

In both cases, there is a mismatch between the group name in the project/custom role and the group name in the id token that is generated when authenticating with the API token. This is caused by a change in the Cloud Services Portal (CSP).

Resolution

This issue is resolved in VMware Aria Automation SaaS (formerly VMware vRealize Automation SaaS) March 2023.

Workaround:

Manually patch the Project with both group formats

Procedure

  1. Use the following blog post as guidance to generate a Cloud Admin Access Token: vRealize Automation Cloud Assembly's IaaS API - VMware Cloud Management.
Note: Use this blog for token generation guidance only. The Projects API is used in this article.
  2. Add the group as a member of the project in both formats (group_name@domain@domain and group_name@domain), where PROJECT_ID, TOKEN, group_name@domain and desired_role are updated for your environment:
    curl -L -X PATCH 'https://api.mgmt.cloud.vmware.com/project-service/api/projects/<PROJECT_ID>/principals' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer TOKEN' \
    --data-raw '{
        "modify": [
            {
                "email": "group_name@domain@domain",
                "type": "group",
                "role": "desired_role"
            },
            {
                "email": "group_name@domain",
                "type": "group",
                "role": "desired_role"
            }
        ],
        "remove": []
    }'
  3. If using custom roles, add the group in both formats to all custom roles using the below command, where TOKEN, ROLE_ID, and group_name@domain are updated for your environment (run it once per group format):
    curl -L -X PUT 'https://api.mgmt.cloud.vmware.com/rbac-service/api/role-assignments' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer TOKEN' \
    --data-raw '{
        "rolesToAdd": [
            "ROLE_ID"
        ],
        "principalId": "group_name@domain",
        "principalType": "group"
    }' 
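The check described in the Symptoms section (reading group_names out of the id_token and comparing it with the group as listed on the project) and the PATCH body from the workaround above, as an added Python example that is not part of this article or of the VMware APIs. The id_token, the group devops@corp.example and the role value "member" are constructed placeholders; the token is decoded only to inspect its claims, not to make any access decision.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.
    This mirrors pasting the id_token into a JWT tool to read group_names:
    inspection only, never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def short_form(group: str) -> str:
    """Map the project form group_name@domain@domain to the id_token form
    group_name@domain; a name already in the short form is returned unchanged."""
    name, _, rest = group.partition("@")
    return f"{name}@{rest.split('@')[0]}" if rest else group


def missing_group_forms(project_groups, token_groups):
    """Groups that the project lists only in the long form while the id_token
    carries the short form: API-token sessions of their members will not match
    the project. Returns the short-form entries that the PATCH must add."""
    present = set(project_groups)
    return [short_form(g) for g in project_groups
            if short_form(g) in token_groups and short_form(g) not in present]


def build_principals_patch(groups, role):
    """Body for PATCH .../project-service/api/projects/<PROJECT_ID>/principals
    that adds every group form in `groups` with the same role."""
    return {"modify": [{"email": g, "type": "group", "role": role} for g in groups],
            "remove": []}


# Constructed, unsigned sample id_token (not a real CSP token): the group is
# carried in the short form, as the article observes.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "user@corp.example",
                        "group_names": ["devops@corp.example"]}).encode()),
    "",
])
PROJECT_GROUPS = ["devops@corp.example@corp.example"]  # as the project GET returns it

if __name__ == "__main__":
    to_add = missing_group_forms(PROJECT_GROUPS, decode_jwt_claims(SAMPLE_ID_TOKEN)["group_names"])
    print(json.dumps(build_principals_patch(PROJECT_GROUPS + to_add, "member"), indent=2))
```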


Additional Information

Impact/Risks:
Users are unable to leverage project-based access when they are added to a project as a member of an LDAP group.