Per User Session host workflows do not work when invoked from Aria Automation Service Broker, or the token for the internal user expires

Article ID: 326119

Products

VMware Aria Suite

Issue/Introduction

Symptoms:

  • You are using the VMware vRealize Orchestrator Plug-in for vRealize Automation.
  • You are running a vRealize Orchestrator (vRO) workflow such as Get Operation to perform a REST call to a vRA:Host object.
  • You receive no content returned when called from the Service Broker catalog.
  • You receive content when the workflow is run directly from vRO.
  • You have not created any new host entries or modified the default host.
Empty Content, Example:
INFOContent as string: {"content":[],"pageable":{"offset":0,"sort":{"sorted":true,"unsorted":false,"empty":false},"queryInfo":{"orderBy":[{"expression":{"propertyName":"createdAt"},"direction":"DESCENDING"}],"customOptions":{},"expand":[],"select":[],"rawOrderBy":"createdAt desc","properties":["createdAt"],"sort":{"sorted":true,"unsorted":false,"empty":false}},"pageNumber":0,"pageSize":20,"paged":true,"unpaged":false},"totalElements":0,"totalPages":0,"last":true,"sort":{"sorted":true,"unsorted":false,"empty":false},"size":20,"number":0,"numberOfElements":0,"first":true,"empty":true}
  • Alternatively, this can be seen when the vro-gateway-* user runs workflows triggered by subscription.
  • The issue may arise after a delay, with the workflows having worked up until then.

    vro-gateway-* User's Token Expired, Example:
    • "CLIENT_ERROR","status":"404 NOT_FOUND","error":"Not Found","serverMessage":"404 NOT_FOUND \"New access and refresh tokens cannot be obtained with the provided subject_token.\"
      Unable to convert token with id <hex-id>
    • org.springframework.security.oauth2.jwt.BadJwtException: An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found

Environment

VMware Aria Automation 8.x
VMware Aria Orchestrator 8.x
VMware vRealize Automation 8.x
VMware vRealize Orchestrator 8.x

Cause

The default vRA host authentication configuration for sessionMode is Per User Session. This uses the permissions of the account that calls the workflow to authorize the REST call.

When a vRO workflow is called from Service Broker, it runs under the context of the vro-gateway-* user instead of the requesting user's account. The REST call made in that context does not have the necessary permissions to collect all information from vRA.
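
Because the call made under the vro-gateway-* context succeeds and simply returns an empty page, a workflow can inspect the response and flag that case instead of treating it as "nothing exists". The following is an added example, not part of the original article or VMware's code; the function name, result labels and shortened sample strings are assumptions made for illustration.

```javascript
// Added example: triage a vRA REST response body or a workflow log line.
// Plain ES5 with no vRO plug-in objects, so it also runs under Node.
var TOKEN_MARKERS = [
  "New access and refresh tokens cannot be obtained with the provided subject_token",
  "Unable to convert token with id",
  "Signed JWT rejected"
];

// Hypothetical helper: returns TOKEN_ERROR, EMPTY_PAGE, OK or UNPARSEABLE.
function classifyVraResult(text) {
  // 1. Token problems of the vro-gateway-* user surface as error text.
  for (var i = 0; i < TOKEN_MARKERS.length; i++) {
    if (text.indexOf(TOKEN_MARKERS[i]) !== -1) {
      return "TOKEN_ERROR";
    }
  }
  // 2. Otherwise expect a paged JSON body; tolerate a log prefix before "{".
  var start = text.indexOf("{");
  if (start === -1) {
    return "UNPARSEABLE";
  }
  var page;
  try {
    page = JSON.parse(text.substring(start));
  } catch (e) {
    return "UNPARSEABLE";
  }
  if (!page || Object.prototype.toString.call(page.content) !== "[object Array]") {
    return "UNPARSEABLE";
  }
  // 3. A successful call with zero visible items: the calling identity may
  //    lack permission to see anything, so report it rather than pass it on.
  if (page.content.length === 0 && page.totalElements === 0) {
    return "EMPTY_PAGE";
  }
  return "OK";
}

// Constructed samples, shortened from the messages quoted in this article.
var SAMPLE_EMPTY = 'INFOContent as string: {"content":[],"totalElements":0,"totalPages":0,"empty":true}';
var SAMPLE_TOKEN = '"status":"404 NOT_FOUND","serverMessage":"404 NOT_FOUND \\"New access and refresh tokens cannot be obtained with the provided subject_token.\\"';
var SAMPLE_JWT = "BadJwtException: An error occurred while attempting to decode the Jwt: Signed JWT rejected";
var SAMPLE_OK = '{"content":[{"id":"constructed-id","name":"constructed-item"}],"totalElements":1}';

var RESULTS = [SAMPLE_EMPTY, SAMPLE_TOKEN, SAMPLE_JWT, SAMPLE_OK].map(classifyVraResult);
```

An EMPTY_PAGE result from a catalog request, alongside an OK result when the same workflow runs directly in vRO, matches the symptom pattern described in this article.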

Resolution

VMware is aware of this feature / configuration limitation and is considering a change for inclusion in a later release.

Workaround:
  1. Run the Add vRA Host workflow to create a new and separate connection to the desired vRA host.
  2. Set the connection value for Shared Session.
  3. Provide the credentials for the account that has the permissions required to view the desired content from vRA.
  4. Use this new vRA:Host object that was added to inventory in your workflows that will be called from the Service Broker catalog.


Additional Information