vRealize Operations Cloud Operations DevOps Tech Tips

Using AD Credentials with the vR Ops REST API

Many IT admins are using the vRealize Operations Manager (vR Ops) REST API available for interacting with vR Ops outside of the user interface.  I got a question today asking if it was possible to use AD or LDAP credentials with the REST API.  It is possible and it is also very easy to use.  In this blog post I will show you how.

Basic Authentication: OK for Testing, not for Production

When using the vR Ops REST API, I typically just use basic authentication and provide the local “admin” user credentials.  Mostly that is because I’m lazy and only testing things out or exploring possibilities.  However, you likely want to use the API in production.  In that case, it is good to have the REST requests leverage an AD, LDAP or vCenter account.  Using basic authentication, you cannot use anything other than a local account As Birk reports below in the comments, it is possible to use any auth source with basic authentication.  This blog post focuses on using the token method for authentication.  For other sources, the /auth endpoint supports using any of the authentication sources you have set up.  The endpoint will provide a token (also known as a bearer token) for subsequent requests. In this blog post, I will explain how to use the /auth endpoint to request a bearer token.

How to Request a vR Ops Token

First, I am going to be using the Postman REST client and will provide a link to the Postman collection I maintain for vR Ops’ REST API.  Check that link frequently as I am always adding new and useful REST calls to that collection.  If you are not familiar with Postman, it is a great tool to use when testing any REST API and I use it quite a bit with all of VMware’s RESTful APIs, including vR Ops.

I have an environment set up in Postman for my lab vR Ops instance, which includes many variables like the FQDN, account info, etc.  For this example, the two variables I will use are the {{vrops}} and {{bearerToken}}.


The request is a POST method to /suite-api/api/auth/token/acquire and I also included two headers for JSON content, because I prefer to work with JSON (by default the API expects and responds with XML).


The body of the request is a very simple, three parameter JSON string.


Postman’s Tests scripts can be used to update your environment variables.  In my example, I’m going to update that {{bearerToken}} variable with the response.  First, take a look at the response I get on a successful request for a token.


I have my token, something called validity and a human readable expiry string.  What’s up with the validity?  Basically that’s the machine readable expiration, in milliseconds from January 1, 1970 (commonly referred to as a Unix timestamp).  This is helpful if you need to validate the token in code or a script.

How to Use the Token in a Request

Now I have a token, so I’m going to use the Test script feature in Postman.  This will update my environment variable so I can use that token to authenticate subsequent requests.  Here’s what the test script looks like in Postman.


Easy.  Now when I run the request that token will be updated every time.  To use the token, I simply update the Authorization header in the request with “vRealizeOpsToken {{bearerToken}}” as shown below.  Be sure to set the Authorization tab to None, otherwise it will overwrite the Authorization header.



That’s it, you are now making requests using any available authentication source!


4 comments have been added so far

  1. Hi John,

    you can use external Authentication sources for Basic Auth too. I had to do that when Token Auth was broken in an earlier vRops version.

    This is my Powershell Code to do it.

    $RestHeaders = New-Object ‘System.Collections.Generic.Dictionary[[String],[String]]’
    $RestHeaders.Add(‘Content-Type’, ‘application/json;charset=utf-8’)
    $RestHeaders.Add(‘Accept’, ‘application/json’)
    # Basic Auth
    $vRopsUserAndDomain = $vropsuser + ‘@’ + $vropsauthsource
    $vRopsUserDomainAndPass = “$($vRopsUserAndDomain):$($vropspass)”
    $vRopsUserBytes = [System.Text.Encoding]::ASCII.GetBytes($vRopsUserDomainAndPass)
    $vRopsUserBase64 = [System.Convert]::ToBase64String($vRopsUserBytes)
    $RestHeaders.Add(‘Authorization’, “Basic $($vRopsUserBase64)”)

    $AuthInfo = Invoke-RestMethod -Headers $RestHeaders -Uri $($vRopsUrl + ‘/api/auth/token/acquire’) -Method:Post -Body $BodyAuthInfo -ContentType ‘application/json;charset=utf-8’

    kind regards,

    1. Thanks, Birk. Very helpful. I noted that you used the authentication source name as the ‘domain’ name in a traditional UPN format. My mistake was using the full AD domain instead (for example john@mylab.local). By the way, anyone interested in using Powershell for vR Ops interaction should check out my posts on using the PowerCLI module for vR Ops – it’s a three part series so be sure to review them all.

    1. Right. Anyone reading this just needs to understand that the basic authentication will work using ‘username’ @ ‘nameOfAuthSource’

Leave a Reply

Your email address will not be published.