NSX-T data source displays "Invalid Credentials" in VCF Operations for Networks when using Network Admin role

Article ID: 441524

Products

VCF Operations for Networks VMware NSX

Issue/Introduction

  • When adding or validating an NSX-T Manager as a data source in VMware Aria Operations for Networks, the error "Invalid Credentials" is displayed.

  • The credentials (username/password) are confirmed to be correct.

  • The issue occurs when using an LDAP or local user assigned the built-in network_admin or security_admin roles in NSX-T.

  • Assigning the enterprise_admin role to the same user resolves the error immediately.

Environment

VCF Operations for Networks

VMware NSX

Cause

  • This is a known behavior where the VCF Operations for Networks integration requires access to specific NSX-T API endpoints that are not included in the standard network_admin or security_admin RBAC permissions.

  • When the application attempts to poll endpoints such as /api/v1/cluster/api-virtual-ip or /api/v1/administration/audit-logs, NSX-T returns a "Forbidden" response. VCF Operations for Networks interprets this permission failure as a credential failure.

Resolution

  • To resolve this while following the principle of least privilege, you must ensure the service account has sufficient read permissions for administrative and cluster metadata.

Option 1: Assign Additional Built-in Role (Recommended)

  • Assign the Auditor role to the user in NSX-T in addition to their existing network_admin or security_admin role.
  • The Auditor role provides the necessary read-only permissions for the cluster and audit endpoints required for validation.

Option 2: Create a Custom Role

If you prefer to create a custom role, ensure the following permissions are included:

  1. Administration > Audit Logs: Read or Full Access.

  2. System > Appliance Cluster: Read access (required to identify the Cluster VIP).

  3. Information Experience > IPFIX: Required if IPFIX collection is enabled on the data source.

Verification:

  1. Log in to VCF Operations for Networks.

  2. Navigate to Settings > Accounts and Data Sources.

  3. Locate the NSX-T Manager and click Edit (pencil icon).

  4. Re-enter the credentials and click Validate. The status should now show as "Enabled."
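
The following is an added example, not VMware code or part of the original article: a check that probes the two endpoints named under Cause with the service account and separates an RBAC gap from a rejected login by comparing against a control endpoint. It assumes HTTP basic authentication to the NSX-T API; `BASELINE` is a path chosen for this example as one the existing role can already read, and the sample status codes are constructed.

```python
"""Added example: tell an NSX-T RBAC gap apart from a rejected login."""
import base64
import ssl
import urllib.error
import urllib.request

# Endpoints the article names as polled by the integration.
ARTICLE_ENDPOINTS = (
    "/api/v1/cluster/api-virtual-ip",
    "/api/v1/administration/audit-logs",
)
# Assumption (not from the article): an endpoint the account's existing
# role can already read, used as a control. Replace as appropriate.
BASELINE = "/policy/api/v1/infra/tier-0s"
DENIED = (401, 403)

def probe(manager, user, password, path, ca_file=None):
    """GET one path with HTTP basic auth and return the status code."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies the certificate
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{manager}{path}",
                                 headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def diagnose(baseline_status, endpoint_statuses):
    """Return (verdict, paths) from the control status and {path: status}."""
    if baseline_status in DENIED:
        # Denied even where the role grants access: the login itself fails.
        return "login_rejected", []
    denied = sorted(p for p, s in endpoint_statuses.items() if s in DENIED)
    if denied:
        return "rbac_gap", denied
    failed = sorted(p for p, s in endpoint_statuses.items() if s != 200)
    return ("other_error", failed) if failed else ("ok", [])

def check_account(manager, user, password, ca_file=None):
    statuses = {p: probe(manager, user, password, p, ca_file)
                for p in ARTICLE_ENDPOINTS}
    return diagnose(probe(manager, user, password, BASELINE, ca_file), statuses)

# Constructed status codes, not captured from a real NSX-T Manager.
SAMPLE_BEFORE = {p: 403 for p in ARTICLE_ENDPOINTS}  # network_admin only
SAMPLE_AFTER = {p: 200 for p in ARTICLE_ENDPOINTS}   # Auditor role added

if __name__ == "__main__":
    print(diagnose(200, SAMPLE_BEFORE))
    print(diagnose(200, SAMPLE_AFTER))
```

A verdict of `rbac_gap` lists the paths the role still cannot read, which is the condition the article resolves with the Auditor role or a custom role.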