AskingForHelp
New Member
November 1, 2022
Solved

API request of new token

  • November 1, 2022
  • 9 replies
  • 9151 views

So far I am able to retrieve a new API token via the GUI and by using the CLI methods. I would like, however, to retrieve a new API token via the POST method. I read the documentation from the link below and followed it by using a POST /api/v2/monitor/system/api-user/generate-key?vdom=root and a body with

{'api-user':"api-admin"}

https://fndn.fortinet.net/index.php?/fortiapi/1-fortios/100/

This only returns a 401 Unauthorized. How then can proper authorization be included?

Appreciate it


9 replies

pminarik
Staff
November 1, 2022

The API documentation states you need sysgrp.admin permission (System>Administration Users in the GUI's terminology). Does your account have that?

Additionally, I imagine there might also be some additional restrictions such as not being able to generate an API key for a "super_admin" API account. (which could be interpreted as a sort of "privilege escalation" potentially)

AskingForHelp
New Member
November 1, 2022

Under System > Administrators > REST API Administrator, this user has super_admin_readonly permissions. Now I have tried admin_noaccess as well but that was a no go.

pminarik
Staff
November 1, 2022

And what about the API user making this request?

I did a quick test with 7.0.8, and while the docs say that sysgrp.admin is required, I was only able to generate a new API-key when the requesting api-user was a super_admin. (not even prof_admin (everything read-write) was sufficient).

AskingForHelp
New Member
November 1, 2022

Correct, the user making the request has been an apiuser. This is v7.2.2 on a FortiWifi 80F-2R. This is the below request. I have given all read/write permissions to the apiuser as well.

Screenshot from 2022-11-01 13-02-47.png

pminarik
Staff
November 4, 2022

The syntax is good, but I will have to re-iterate my suspicion that the call will most likely only be accepted if the API-user making this request is a super_admin.

AskingForHelp
New Member
November 4, 2022

Edited this reply from before. No, the user does not have super_admin from setting the below screenshot settings. Instead super_admin can only be achieved using the CLI. Using this command:

config system api-user
    edit apiadmin
        set accprofile super_admin
    next
end

AskingForHelp
New Member
November 11, 2022

Hello all

The apiuser has been granted full permissions, including the sysgrp.admin as requested. Still am not getting any success with the API call. Any additional thoughts?

Appreciate it

Screenshot from 2022-11-11 13-32-42.png

pminarik
Staff
November 16, 2022

I'm sorry but I have to ask again: Have you set the apiuser's (the account that is making the request) access profile to super_admin? Please do note that a profile with full read-write is not equivalent to super_admin.

AskingForHelp
New Member
December 21, 2022

Hello,

An administrator Profile called super_admin does not appear under the drop down list when creating a REST API admin. For an Administrator, Local admin it does appear to have super_admin. Why then does super_admin appear missing for REST API admin?

pminarik
Staff
January 4, 2023

Are you trying to make the modification while logged in as a super_admin? It may be hidden if not, since non-super_admin will not be able to promote any account to super_admin role.

 

I have checked the behaviour with firmware 7.0.8 and 7.2.2, and I see super_admin available for API users in both, but only in the CLI.

dma
Visitor III
December 26, 2022

hello,
I have the same problem +1

pminarik
Staff
January 4, 2023

To summarize what I've written so far, it appears that you will need to make the API request with an account that is super_admin (use permissions of a super_admin account). If that's not what you're doing right now, try it.

AskingForHelp
New Member
January 4, 2023

I do follow this thread. Where it falls apart for me is that the REST API Admin does not have super_admin privileges. These super_admin privileges are not offered in the drop down menu for me.

pminarik
Staff
Answer
January 5, 2023

Make the change in CLI. I don't know why, but the super_admin profile appears to be available for an API admin only in the CLI, not in the GUI.

You can make the configuration as usual in the GUI, and then switch the profile to super_admin in the CLI as the last step.

AskingForHelp
New Member
January 11, 2023

The instruction to change apiadmin profile to super_admin over CLI only was important. This now does return a new bearer token when the proper Authorization is included as a bearer token. However, my goal would be to use the API to request a bearer token when none was yet known. If for example the system was booting up and no token was saved, could the API be used to request a new bearer token when no authorization token was given?
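
Added example (not part of the thread and not Fortinet's code): the key-regeneration call the thread arrives at, sent with an existing key as a bearer token from an api-user whose accprofile is super_admin. The host name, the token values and the `results.access_token` response field are assumptions.

```python
import json
import urllib.error
import urllib.request

# Endpoint and body key come from the thread; the host passed in is a placeholder.
GENERATE_KEY_PATH = "/api/v2/monitor/system/api-user/generate-key"


def build_generate_key_request(host, current_token, target_user, vdom="root"):
    """Build the POST that asks FortiOS for a new key for `target_user`.

    `current_token` must belong to an api-user whose accprofile is
    super_admin (per the thread, a full read-write profile was not enough).
    """
    url = f"https://{host}{GENERATE_KEY_PATH}?vdom={vdom}"
    body = json.dumps({"api-user": target_user}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {current_token}",
            "Content-Type": "application/json",
        },
    )


def rotate_api_key(host, current_token, target_user, send=urllib.request.urlopen):
    """Return the new key, or raise PermissionError on 401/403.

    `send` is injectable so the logic can be exercised without a firewall.
    The `results.access_token` response field is an assumption.
    """
    req = build_generate_key_request(host, current_token, target_user)
    try:
        with send(req) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            # Never echo the token itself into errors or logs.
            raise PermissionError(
                f"HTTP {err.code}: token missing/invalid, or the requesting "
                "api-user's accprofile is not super_admin"
            ) from None
        raise
    return payload["results"]["access_token"]
```

The default `urlopen` keeps TLS certificate verification on; store the returned key in a secrets store rather than in a script or shell history.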