I recently faced this issue while doing a repro: I accidentally deleted the configadmin user in my lab and was no longer able to log in to vRA, as there were no other users with admin privileges on either the System Domain or the integrated AD domain.
In this article I explain the detailed steps I followed to re-create the user and its permissions using the API.
Note: I re-created the user (configadmin) in vIDM, but it still could not authenticate to vRA because no permissions were assigned to it in vRA. Using the APIs I assigned the org_owner permission to the user.
I used the Postman tool to execute the APIs.
First, we need to retrieve a platform-operator access token from vRA. To do that, follow the steps below:
Step-1:
SSH to a vRA node (in a clustered deployment any node will do) and run:
root@vra [ ~ ]# vracli vidm
The output lists the vIDM OAuth client configuration; take the ClientID and ClientSecret properties from it.
Now encode ClientID:ClientSecret (the two values joined with a colon) in base64. I used an online tool to encode it; a safer option is the base64 utility on the appliance or your workstation, since ClientID:ClientSecret is effectively a platform-operator credential for vRA and should not be pasted into a third-party site.
Once you have the encoded value, use it as the Basic Authorization header in the next API call.
Step-2:
Execute the below API to get the access token:
POST https://{{vra-fqdn}}/csp/gateway/am/api/auth/authorize
Authorization: Basic, using the base64 value from Step-1
Headers:
Accept: application/json
Content-Type: application/x-www-form-urlencoded (matching the form body below)
Authorization: Basic <base64 value from Step-1>
Body (select x-www-form-urlencoded):
grant_type=client_credentials
Representation:
{
    "scope": "admin",
    "access_token": "<access token>",
    "id_token": "<id token>",
    "token_type": "Bearer",
    "expires_in": 28799
}
Below is the screenshot of the request body and response for your reference (not reproduced here).
Copy the access_token from the response; it is the Bearer token for the next two API calls. It is valid for expires_in seconds (28799, about eight hours), so re-run this step if later calls are rejected as unauthorized.
Step-3:
We need to retrieve the ORG ID; use the below API:
GET https://{{vra-fqdn}}/csp/gateway/am/api/orgs
Authorization: Bearer <access token from Step-2>
Headers:
Accept: application/json
Content-Type: application/json
Representation:
{
    "refLinks": [
        "/csp/gateway/am/api/orgs/a0362cd8-90af-4c74-bf6c-27ff577d8324"
    ]
}
The ORG ID is the last path segment of the refLink (a0362cd8-90af-4c74-bf6c-27ff577d8324 in this example).
Step-4:
Execute the below API to update the permissions of the configadmin user:
PATCH https://{{vra-fqdn}}/csp/gateway/am/api/users/configadmin/orgs/${ORG ID}/roles
${ORG ID} - paste the ORG ID retrieved in Step-3
Authorization: Bearer <access token from Step-2>
Headers:
Content-Type: application/json
Body (raw, JSON):
{
    "rolesToAdd": [
        {
            "name": "org_owner",
            "membershipType": "DIRECT"
        }
    ]
}
Representation: the response is shown in the screenshot (not reproduced here).
Once the org_owner role has been set on the configadmin user, you should be able to log in to vRA again.
After logging in, assign the remaining roles the configadmin user needs from the vRA console (screenshot not reproduced here).
TIP: If you aren't comfortable using Postman, you can call the same APIs with curl. The commands below assume the shell variables VRA_FQDN (the appliance FQDN), BASIC_CREDENTIAL (the base64 value from Step-1), ACCESS_TOKEN (from the first call), ORG_ID (from the second call) and USER_NAME (configadmin) have been set. The -k flag disables TLS certificate verification (lab appliances usually have a self-signed certificate); drop it, or pass --cacert with the appliance CA, once the certificate is trusted.
API to retrieve the access token:
curl --location --request POST "https://${VRA_FQDN}/csp/gateway/am/api/auth/authorize" \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header "Authorization: Basic ${BASIC_CREDENTIAL}" \
--data-urlencode 'grant_type=client_credentials'
API to get the ORG ID (this call must carry the Bearer token; an unauthenticated request is rejected):
curl -k -X GET "https://${VRA_FQDN}/csp/gateway/am/api/orgs" \
-H 'Accept: application/json' \
-H "Authorization: Bearer ${ACCESS_TOKEN}"
API to update the user permission:
curl -k -X PATCH "https://${VRA_FQDN}/csp/gateway/am/api/users/${USER_NAME}/orgs/${ORG_ID}/roles" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-H 'Content-Type: application/json' \
-d '{"roleNamesToAdd": ["org_owner"]}'
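The three calls above chained into one script, as an added example that is not part of the original post: it encodes the Basic credential locally (so the client secret is never pasted into a web page), pulls the access_token and the org UUID out of the responses, and then grants org_owner to the user given as the first argument (configadmin by default). Assumptions not in the original: the values are supplied through the environment variables VRA_FQDN, CLIENT_ID and CLIENT_SECRET (the last two copied from `vracli vidm`), and the JSON responses keep each key and its string value on one line, as the responses shown in this article do. The helper names basic_credential, json_string_field, org_id_from_reflinks and recover_user are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Recovers a vRA user's org_owner role
# using the three CSP gateway calls described in the article.
# Assumed environment (not in the original): VRA_FQDN, CLIENT_ID, CLIENT_SECRET.
set -eu

# Build the Basic credential locally; the client secret stays in this shell.
# tr strips the newline GNU base64 appends.
basic_credential() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Extract the string value of JSON field $1; works for compact or pretty-printed
# JSON as long as the key and its value share a line. Prints nothing if absent.
json_string_field() {
    sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Take the first org UUID from the refLinks array returned by /csp/gateway/am/api/orgs.
org_id_from_reflinks() {
    tr ',' '\n' | sed -n 's#.*"/csp/gateway/am/api/orgs/\([0-9a-fA-F-]*\)".*#\1#p' | head -n 1
}

# Step-2: platform-operator access token via the client_credentials grant.
# -k mirrors the article's curl (self-signed lab certificate); use --cacert in production.
get_access_token() {
    curl -sS -k -X POST "https://$VRA_FQDN/csp/gateway/am/api/auth/authorize" \
        -H 'Accept: application/json' \
        -H "Authorization: Basic $(basic_credential "$CLIENT_ID" "$CLIENT_SECRET")" \
        --data-urlencode 'grant_type=client_credentials' \
        | json_string_field access_token
}

# Step-3: the org the user must be made owner of. $1 is the access token.
get_org_id() {
    curl -sS -k "https://$VRA_FQDN/csp/gateway/am/api/orgs" \
        -H 'Accept: application/json' \
        -H "Authorization: Bearer $1" \
        | org_id_from_reflinks
}

# Step-4: grant org_owner with the body from the article's Postman step.
# $1 access token, $2 org id, $3 user name.
grant_org_owner() {
    curl -sS -k -X PATCH "https://$VRA_FQDN/csp/gateway/am/api/users/$3/orgs/$2/roles" \
        -H 'Content-Type: application/json' \
        -H "Authorization: Bearer $1" \
        -d '{"rolesToAdd":[{"name":"org_owner","membershipType":"DIRECT"}]}'
}

# Run the whole procedure for user $1, stopping with a clear message at the
# first step that returns nothing usable.
recover_user() {
    token=$(get_access_token)
    [ -n "$token" ] || { echo 'no access_token in response; check ClientID/ClientSecret' >&2; return 1; }
    org=$(get_org_id "$token")
    [ -n "$org" ] || { echo 'no org id in refLinks; token may have expired' >&2; return 1; }
    grant_org_owner "$token" "$org" "$1"
}

# Only contact vRA when the environment is set, so the file can also be sourced
# for its helpers without side effects.
if [ -n "${VRA_FQDN:-}" ]; then
    recover_user "${1:-configadmin}"
fi
```

Run it as `VRA_FQDN=vra.corp.local CLIENT_ID=... CLIENT_SECRET=... sh recover-configadmin.sh configadmin`. The sed-based field extraction is deliberately dependency-free; if jq is installed on your workstation, `jq -r .access_token` and `jq -r '.refLinks[0]'` are the more robust replacements.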
I hope this article helps you recover the configadmin user by following these steps.