Generating CSP API tokens – Infrastructure as Code with VMware Cloud

An API token (also known as a refresh token) is a key assigned to an individual account used to authenticate to the service via an API. The API token can generate an access token, which can then be used to make API calls to the Organization.
Follow these steps to create an API token:

  1. After logging in to the VMware Cloud Console, from the top-right drop-down menu, navigate to the My Account section:

Figure 9.2 – Navigate to My Account on the VMware Cloud Console

  2. From the API Tokens tab, click on GENERATE TOKEN to create a new API token:

Figure 9.3 – Access API Tokens via the VMware Cloud Console
An Organization can have multiple tokens. Each token has its own set of Organization roles and service roles. Organization roles specify the privileges that an organization member has over organization resources, while service roles determine the privileges when accessing a particular VMware Cloud service.
Figure 9.4 shows the user interface to generate a new API token and assign Organization roles and service roles to the token via the VMware Cloud Console:

Figure 9.4 – Generating API tokens with Organization and service roles
Here are some more details about Organization roles and service roles:
• Organization roles: The CSP API token should have any of the following Organization roles:
  • Organization member
  • Organization administrator
  • Organization owner
• Service roles: The CSP API token should also have a service role. A single token can be granted roles for multiple CSP services. A few examples of service roles are the following:
  • VMC on AWS:
    • NSX Cloud Admin
    • NSX Cloud Auditor
    • Administrator (Delete Restricted)
    • Administrator
  • VMware HCX:
    • Administrator
  • VMware Cloud DR:
    • Global Console Admin
    • Subscription Admin
    • Deployment Admin (Activation)
    • Deployment Admin (Deactivation)
    • Orchestrator Admin
    • Data Protection Auditor
    • Recovery Admin
    • Protection Admin
    • Recovery Tester
    • Recovery SDDC Admin
All the updated CSP roles can be found in the VMware Product Documentation at https://docs.vmware.com/en/VMware-Cloud-services/services/Using-VMware-Cloud-Services/GUID-C11D3AAC-267C-4F16-A0E3-3EDF286EBE53.html.
After generating the API token, make sure to securely copy and store it because it cannot be retrieved again. It is crucial to protect the token as it grants access based on the assigned roles. Typically, the API token has a default lifetime of six months, but it can be adjusted to a shorter or longer period to comply with your organization’s policies and requirements. Additionally, it is always possible to revoke the API token manually before its expiration.
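The exchange described at the top of this page (long-lived API token in, short-lived access token out), as an added Python example that is not from the book or from VMware. The endpoint URL, the `api_token` form field, the `access_token` and `expires_in` response fields, the `csp-auth-token` header and the `CSP_API_TOKEN` environment variable are assumptions to verify against the CSP API reference.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Assumed CSP token-exchange endpoint and field names; check them against the
# CSP API reference for your environment before use.
AUTHORIZE_URL = ("https://console.cloud.vmware.com"
                 "/csp/gateway/am/api/auth/api-tokens/authorize")


def build_authorize_request(api_token):
    """Build the POST that trades the long-lived API token for an access token.

    The token goes in the form body, never the query string, so it does not
    end up in proxy or web-server access logs.
    """
    if not api_token or api_token != api_token.strip():
        raise ValueError("API token is empty or has stray whitespace")
    body = urllib.parse.urlencode({"api_token": api_token}).encode()
    return urllib.request.Request(
        AUTHORIZE_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def parse_authorize_response(raw, now=None):
    """Return (access_token, absolute_expiry_epoch) from the JSON reply."""
    doc = json.loads(raw)
    token, ttl = doc.get("access_token"), doc.get("expires_in")
    if not token or not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("unexpected token response")  # never echo the body
    return token, (time.time() if now is None else now) + ttl


def get_access_token(env_var="CSP_API_TOKEN"):
    """Read the API token from the environment and exchange it (network call)."""
    req = build_authorize_request(os.environ[env_var])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_authorize_response(resp.read())


def auth_headers(access_token):
    """Header carrying the short-lived access token on later API calls."""
    return {"csp-auth-token": access_token}
```

Keeping the API token in an environment variable or secret store, rather than in scripts or Terraform files, means a leaked repository exposes nothing that needs revoking.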
