[GH-ISSUE #66] What privileges necessary? #36

Closed
opened 2026-02-27 15:46:07 +03:00 by kerem · 2 comments

Originally created by @FuzzyMistborn on GitHub (Sep 21, 2021).
Original GitHub issue: https://github.com/proxmoxer/proxmoxer/issues/66

I'm looking to lock down access to my Proxmox server and am using Ansible to create VMs/LXCs. Currently I'm using an API token with the PVEAdmin role, but I'm wondering if I can reduce that still further. From playing around a bit it looks like I need a cross between the PVEDatastoreAdmin and PVEVMAdmin roles (https://pve.proxmox.com/wiki/User_Management#pveum_permission_management). Just trying to get a sense of what privileges are specifically required. This may not be the right place to ask (may need to go to Ansible) so you can tell me to go there and I won't be offended :-)


@jhollowe commented on GitHub (Sep 21, 2021):

Unless someone else can give an exact answer, the best I can say is to look at the Ansible code, what API calls it is making, and see in [the PVE API documentation](https://pve.proxmox.com/pve-docs/api-viewer/index.html) what permissions are needed for each. Each endpoint in the API docs should tell you the permission needed and the path it is needed on. I would start with no permissions and add the needed ones until Ansible does what you want. Being able to create LXC containers will obviously be greater permissions than just reading state from PVE, but the [Home Assistant PVE integration](https://www.home-assistant.io/integrations/proxmoxve/) only needs Auditor role.

I would also suggest creating a role for ansible in PVE rather than setting all the permissions on the API Token itself so you can easily revoke it or create additional tokens without having to reinvent the wheel with your permissions.
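
The per-endpoint approach from the comment above, as an added example that is not part of the original thread or of proxmoxer: list the API calls the playbook makes with the permission and path each one needs, then compare that against what the token actually holds. The endpoint-to-privilege rows, the `local-lvm` storage name and the `{path: {privilege: propagate_flag}}` shape assumed for the token's `GET /access/permissions` result are constructed sample values; take the real ones from the API viewer and your own server.

```python
# Constructed sample data: read the real values from each endpoint's
# "Required permissions" entry in the PVE API viewer.
REQUIRED = [  # (API call the playbook makes, ACL path, privileges)
    ("POST /nodes/{node}/lxc", "/vms", {"VM.Allocate"}),
    ("POST /nodes/{node}/lxc", "/storage/local-lvm", {"Datastore.AllocateSpace"}),
    ("GET /nodes/{node}/lxc", "/vms", {"VM.Audit"}),
]
# Assumed shape of the token's GET /access/permissions result:
# {acl_path: {privilege: propagate_flag}}. Constructed sample values.
EFFECTIVE = {
    "/": {"Sys.Audit": 1},
    "/vms": {"VM.Allocate": 1, "VM.Audit": 1, "VM.Console": 1},
    "/storage": {"Datastore.Audit": 1},
}

def needed_by_path(required):
    """Union the privileges each ACL path needs across all API calls."""
    needed = {}
    for _call, path, privs in required:
        needed.setdefault(path, set()).update(privs)
    return needed

def granted_at(effective, path):
    """Privileges in force at path: its own entry, else whatever the
    nearest listed ancestor propagates."""
    if path in effective:
        return set(effective[path])
    parts = path.rstrip("/").split("/")
    while len(parts) > 1:
        parts.pop()
        parent = "/".join(parts) or "/"
        if parent in effective:
            return {p for p, prop in effective[parent].items() if prop}
    return set()

def audit(required, effective):
    """Return (missing, excess): privileges to add and to drop, per path."""
    needed = needed_by_path(required)
    missing, excess = {}, {}
    for path, privs in needed.items():
        if gap := privs - granted_at(effective, path):
            missing[path] = sorted(gap)
    for path, granted in effective.items():
        prefix = path.rstrip("/") + "/"
        used = set().union(*(v for p, v in needed.items()
                             if p == path or p.startswith(prefix)))
        if spare := set(granted) - used:
            excess[path] = sorted(spare)
    return missing, excess
```

The `missing` result is what to add to the dedicated role, and `excess` is what can be dropped from it once the playbook runs cleanly.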


@FuzzyMistborn commented on GitHub (Sep 22, 2021):

Thanks, I'll take a look. Appreciate it!
