Using F5 REST API with roles

I recently learned that with version 12 comes the possibility to use roles with the REST API, but only when using token based authentication.

That’s fantastic! Finally there is a secure way of using the REST API without handing over administrative access.

Adding an example in Powershell and a link to an article on Devcentral about how to do it in Python.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
	
$User = "myGuestUser"
$Password = "password"
	
#Create the string that is converted to Base64
$pair = $user + ":" + $Password

#Encode the string to base64
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))

#Add the "Basic prefix"
$basicAuthValue = "Basic $encodedCreds"

#Prepare the headers
$headers = @{
	"Authorization" = $basicAuthValue
	"Content-Type" = "application/json"
}

#Create the body of the post
$body = @{"username" = $User; "password" = $Password; "loginProviderName" = "tmos" }

#Convert the body to Json
$body = $Body | ConvertTo-Json

$response  = Invoke-WebRequest -Method "POST" -Headers $headers -Body $body -Uri "https://myltm/mgmt/shared/authn/login" 

#Extract the token from the response
$token = ($response.content | ConvertFrom-Json).Token.token

#Prepare a dictionary with the token
$headers = @{
	"X-F5-Auth-Token" = $token;
}

#Get a list of the ssl profiles of the box
$Response = Invoke-WebRequest -Method "GET" -Headers $headers -Uri "https://myltm.domain.local/mgmt/tm/ltm/profile/client-ssl"
$Profiles = ($response.Content | ConvertFrom-Json).items

Updating with code from the Powershell Guru Joel Newton on how to patch the token to make it valid for 10 hours instead of the default 20 minutes:

#####
#Setup
$LTMName = 'myltm'
$SecPswd = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential "username", $SecPswd

$AuthURL = "https://$LTMName/mgmt/shared/authn/login"
$JSONBody = @{username = $Credentials.username; password=$Credentials.GetNetworkCredential().password; loginProviderName='tmos'} | ConvertTo-Json
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession

#Request the token
$Result = Invoke-RestMethod -Method POST -Uri $AuthURL -Body $JSONBody -Credential $Credentials -ContentType 'application/json'
$Token = $Result.token.token
#Add the token to our session
$session.Headers.Add('X-F5-Auth-Token', $Token)

#A UUID is returned by LTM v11.6. This is needed for modifying the token.
#For v12+, the name value is used.
if ($Result.token.uuid){
    $TokenReference = $Result.token.uuid;
} else {
    $TokenReference = $Result.token.name;
}

#If we want the token to be valid for a length other than the default of 20 minutes, this is how we modify it
#NB: Max value is 36000 seconds (10 hours)
#Let's set it to 1 hour
$TokenLifespan = 3600
$Body = @{ timeout = $TokenLifespan } | ConvertTo-Json
$Headers = @{
'X-F5-Auth-Token' = $Token
}

Invoke-RestMethod -Method Patch -Uri https://$LTMName/mgmt/shared/authz/tokens/$TokenReference -Headers $Headers -Body $Body -WebSession $session | Out-Null

# Add token expiration time to session
$ts = New-TimeSpan -Minutes ($TokenLifespan/60)
$date = Get-Date -Date $Result.token.startTime
$ExpirationTime = $date + $ts
$session.Headers.Add('Token-Expiration', $ExpirationTime)

I also recommend checking out Joels Powershell module at the Devcentral codeshare!

Related Posts

5 thoughts on “Using F5 REST API with roles

  1. Nice, Patrik. One note about auth tokens, though. By default, they’re only good for 20 minutes, though with a PATCH call, they can be extended up to 10 hours. If it’d be helpful, I could post the PS code I use in the New-F5Session function of my PS module to show how to patch the token.

    -Joel

    (Hope to see you at Agility.)

    1. Thanks Joel, that would be very appreciated!

      I will miss Agility this year because we have a new family member scheduled to arrive during that period. Fingers crossed for next year though!

      /Patrik

  2. Hey, Patrik,

    Here’s the code. Just fyi, I didn’t get an email notification when you posted, even though I signed up for them. Bummed that you won’t be at Agility but congrats on the new arrival! That’s awesome. Yep, let’s hope for next year. If I’m lucky enough to be an MVP then, I’ll finally get to travel somewhere, instead of it being in my hometown of Chicago.

    -Joel

    #####
    #Setup
    $LTMName = ‘myltm’
    $SecPswd = ConvertTo-SecureString “PlainTextPassword” -AsPlainText -Force
    $Credentials = New-Object System.Management.Automation.PSCredential “username”, $SecPswd

    $AuthURL = “https://$LTMName/mgmt/shared/authn/login”
    $JSONBody = @{username = $Credentials.username; password=$Credentials.GetNetworkCredential().password; loginProviderName=’tmos’} | ConvertTo-Json
    $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession

    #Request the token
    $Result = Invoke-RestMethod -Method POST -Uri $AuthURL -Body $JSONBody -Credential $Credentials -ContentType ‘application/json’
    $Token = $Result.token.token
    #Add the token to our session
    $session.Headers.Add(‘X-F5-Auth-Token’, $Token)

    #A UUID is returned by LTM v11.6. This is needed for modifying the token.
    #For v12+, the name value is used.
    If ($Result.token.uuid){
    $TokenReference = $Result.token.uuid;
    }
    Else {
    $TokenReference = $Result.token.name;
    }

    #If we want the token to be valid for a length other than the default of 20 minutes, this is how we modify it
    #NB: Max value is 36000 seconds (10 hours)
    #Let’s set it to 1 hour
    $TokenLifespan = 3600
    $Body = @{ timeout = $TokenLifespan } | ConvertTo-Json
    $Headers = @{
    ‘X-F5-Auth-Token’ = $Token
    }

    Invoke-RestMethod -Method Patch -Uri https://$LTMName/mgmt/shared/authz/tokens/$TokenReference -Headers $Headers -Body $Body -WebSession $session | Out-Null

    # Add token expiration time to session
    $ts = New-TimeSpan -Minutes ($TokenLifespan/60)
    $date = Get-Date -Date $Result.token.startTime
    $ExpirationTime = $date + $ts
    $session.Headers.Add(‘Token-Expiration’, $ExpirationTime)

    1. Thanks for sharing Joel, I updated the post with your code. 🙂

      Weird about the mail, perhaps it got stuck in the spam folder? I assume you have RSS configured given how fast you commented?

      1. Nice! Cheers. I checked spam and didn’t see the first one, but this mail came through. I just set up basic email notification, so I can keep up with anything you post. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *