Invoking the Operations for Applications REST API, using curl or an API client, requires a VMware Cloud services access token. In a few cases, when setting up a limited list of integrations, authentication with an Operations for Applications API token is also supported.
To obtain a VMware Cloud services access token, you must make an API call to the VMware Cloud services REST API and exchange it from:
- A VMware Cloud services API token associated with your user account.
- The credentials of a server to server OAuth app associated with the VMware Cloud organization running the service.
To obtain an Operations for Applications API token, you can also create a service account and generate an API token associated with it.
Manage the VMware Cloud Services API Tokens for Your User Account
If you want to make REST API calls on your own behalf, you must generate a VMware Cloud services API token associated with your user account and exchange it for an access token. See Make API Calls by Using a User Account.
You can generate VMware Cloud services API tokens only for your user account. You must assign each API token with the minimum required subset of the roles that you own. The access tokens associated with an API token inherit its roles. These roles include:
- At least one organization role.
- At least one Operations for Applications service role.
- Optionally, one or more custom roles.
You must also set each API token with a time to live (TTL), which is the time that the API token will be valid unless revoked earlier. Before an API token expires, you must generate a new API token and update your scripts and API calls.
For details on how to generate, regenerate, revoke, and secure your API tokens, see How do I generate API tokens in the VMware Cloud services documentation.
Manage the VMware Cloud Services API Tokens in Your VMware Cloud Organization
If your domain is federated and the Identity Governance and Administration (IGA) is activated, the users with the VMware Cloud Organization Owner role have access to advanced features, including managing the API tokens within the VMware Cloud organization. For details, see What is Identity Governance and Administration and how does it work with VMware Cloud Services in the VMware Cloud services documentation.
The users with the VMware Cloud Organization Owner role can:
- View the details of all API tokens created in the organization.
- Deactivate API tokens.
- Set constraints for idle and maximum TTL for all newly created API tokens.
For details and instructions, see How do I manage API tokens in my Organization in the VMware Cloud services documentation.
Manage the Server to Server OAuth Apps in Your VMware Cloud Organization
If you want to make REST API calls on behalf of your VMware Cloud organization, you must create a server to server OAuth app and exchange its credentials (ID and secret) for an access token. See Make API Calls by Using a Server to Server App.
To create and manage server to server OAuth apps in your VMware Cloud organization, you must hold the Organization Owner, Organization Administrator, or Organization Member with Developer roles.
You must assign each server to server app only with the minimum required roles for its tasks and add it to your VMware Cloud organization. The access tokens associated with a server to server app inherit its roles within the organizations it belongs. These roles include:
- At least one organization role.
- At least one Operations for Applications service role.
- Optionally, one or more custom roles.
You must also set each server to server app with a time to live (TTL), which is the time that the access tokens associated with the app will be valid. The credentials of a sever to server app never expire, so that your script can periodically exchange them for new access tokens. Only if you regenerate the app secret, you must update your scripts and API calls.
For details on how to create, view, and modify the details of the OAuth 2.0 apps in your organization, see How to manage OAuth 2.0 apps in the VMware Cloud services documentation.
Manage the Operations for Applications API Tokens for a Service Account
If you want to set up one of the integrations that still authenticate with an Operations for Applications API token, you must create a service account and generate an API token associated with it.
As a user with the Admin service role, you can generate and manage the API tokens for service accounts upon creation or at a later stage.
To generate and manage the API tokens for an existing service account:
- Log in to your service instance as an Admin user.
- Click the gear icon on the toolbar and select Accounts.
- On the Service Accounts tab, click the ellipsis icon next to the service account, and select Edit.
-
To generate a new token, in the Tokens section, click Generate.
You can have up to 20 tokens per service account at any given time. If you want to generate a new token but already have 20 tokens, you must revoke one of the existing tokens.
-
To revoke a token, click the Revoke button for the token.
Revoking a token cannot be undone.
-
To rename an API token, click the Edit icon for the token, enter the name, and press Enter.
-
- Select the appropriate permissions for the service account and click Update.
Manage the Operations for Applications API Tokens in Your Service Instance
As a user with the Admin service role, you can view and revoke the API tokens of any service account in your service instance.
- Log in to your service instance as an Admin user.
- Click the gear icon on the toolbar and select Accounts.
- Click the API Tokens tab.
You see the API tokens for all service accounts in a paginated table format.
On the API Tokens page, you can:
- Sort the API tokens table by column.
- Search and, optionally, save and share your search.
- Filter the API tokens by usage, particular accounts, or your saved search.
- Revoke an API token from the vertical ellipsis icon for the token.