Forum Discussion

Ichnafi
Oct 07, 2025
Solved

Ansible - Upload Certificates requires Administrator Role?

Hi,

So I built something that triggers an Ansible playbook to upload and update certificates on an LTM.

The user has the role "Certificate Manager". 

When logged into the GUI with that user (for testing purposes), one can upload, update, and delete certificates and keys, no problem.

When trying to use an ansible playbook with the credentials of that "Certificate Manager" Role user, the playbook fails with the following message:

{ "msg": "Failed to upload the file." }



For uploading/updating certificates and keys I use the F5 ansible modules:

  • f5networks.f5_modules.bigip_ssl_certificate
  • f5networks.f5_modules.bigip_ssl_key

When I change the user-role mapping from "Certificate Manager" to "Administrator", the playbook works as expected.

I also tried the following role mappings, none of which had the permission to upload certificates and keys.

  • Resource Administrator
  • Operator
  • Application Editor
  • Manager

 

Do i really have to use an user with Administrator Role?

This would be a huge security issue in my opinion.

Supplement:

I've noticed that "Terminal Access" was disabled for the specific user. I set it to "tmsh" and tried again.

This time, I was at least able to run the playbook successfully when the certificate I tried to upload was already the same, so the Ansible result was changed=false.
But uploading new certificates is still not possible.

  • Hi Ichnafi,

    Unfortunately, the admin role is needed in this use case: REST API access. I would say to consider an automation server, apply firewall/BIG-IP source IP restrictions from that automation server, and run the Ansible playbook from there with the admin role.

3 Replies

  • Hello Jeffrey_Granier,

    thank you for the clarification. The mentioned restrictions are in place anyway. I just wanted to restrict it as much as possible, because it's the right thing to do.

  • One thing you can do as an alternate role is "pull" certificates:

    # Install the private key: the BIG-IP fetches the file from the staging URL itself
    # (tmsh "install ... from-url" issued over iControl REST), so no file upload is needed.
    curl -sk -u certadmin:certadmin \
      -X POST -H "Content-Type: application/json" \
      -d '{"command": "install", "name": "myserver.key", "from-url": "https://staging/myserver.key"}' \
      https://10.1.1.6/mgmt/tm/sys/crypto/key

    # Same for the certificate, against the cert endpoint.
    curl -sk -u certadmin:certadmin \
      -X POST -H "Content-Type: application/json" \
      -d '{"command": "install", "name": "myserver.crt", "from-url": "https://staging/myserver.crt"}' \
      https://10.1.1.6/mgmt/tm/sys/crypto/cert
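The pull pattern from the reply above, as an added example that is not part of the thread and not F5's own tooling: a stdlib-only Python client that builds the two install-from-url calls, refuses to pull over plaintext http:// (the BIG-IP fetches the private key across the network, so the staging server must serve it over TLS), verifies the TLS certificate of the BIG-IP instead of using curl -k, and checks the REST reply. The host, user, object names and staging URL are hypothetical placeholders; the assumed reply shape (a "name" field echoed on success, "code" and "message" on error) is an assumption noted in the code, not something the thread confirms.

```python
"""Pull-install an SSL key/cert pair on a BIG-IP via iControl REST (added example)."""
import base64
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Endpoint per object type: the two paths used in the reply above.
ENDPOINTS = {
    "key": "/mgmt/tm/sys/crypto/key",
    "cert": "/mgmt/tm/sys/crypto/cert",
}


def build_install_request(kind: str, name: str, from_url: str) -> tuple[str, dict]:
    """Return (endpoint path, JSON body) for a tmsh-style "install ... from-url" call.

    Plaintext http:// sources are refused: the BIG-IP pulls the private key
    over the network, so the staging server has to serve it over TLS.
    """
    if kind not in ENDPOINTS:
        raise ValueError(f"unknown object kind {kind!r}; expected one of {sorted(ENDPOINTS)}")
    scheme = urlparse(from_url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to pull {kind} {name!r} over {scheme or 'unknown'}://; use https")
    if not name or "/" in name:
        raise ValueError("object name must be a bare file name, e.g. myserver.key")
    body = {"command": "install", "name": name, "from-url": from_url}
    return ENDPOINTS[kind], body


def check_install_response(status: int, body: str, expected_name: str) -> dict:
    """Parse an iControl REST reply and raise on failure.

    Assumption (not verified in the thread): error replies carry "code" and
    "message" fields, and a successful install echoes the object "name" back.
    """
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError as exc:
        raise RuntimeError(f"non-JSON reply (HTTP {status}): {body[:200]!r}") from exc
    if status >= 400 or ("message" in data and "code" in data):
        raise RuntimeError(f"install failed (HTTP {status}): {data.get('message', body[:200])}")
    if data.get("name") != expected_name:
        raise RuntimeError(f"unexpected reply, name {data.get('name')!r} != {expected_name!r}")
    return data


def install_pair(host, user, password, base_name, staging_base, ca_file=None):
    """Install key then cert by having the BIG-IP pull both from staging_base.

    Unlike the curl -k in the reply, TLS to the BIG-IP is verified; pass
    ca_file for a private CA that signed the management certificate.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    results = {}
    for kind, ext in (("key", ".key"), ("cert", ".crt")):
        name = base_name + ext
        path, body = build_install_request(kind, name, f"{staging_base}/{name}")
        req = urllib.request.Request(
            f"https://{host}{path}",
            data=json.dumps(body).encode(),
            method="POST",
            headers={"Content-Type": "application/json", "Authorization": f"Basic {auth}"},
        )
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                results[kind] = check_install_response(resp.status, resp.read().decode(), name)
        except urllib.error.HTTPError as err:
            # Surface the BIG-IP's own error message instead of a bare HTTP status.
            check_install_response(err.code, err.read().decode(), name)
    return results


if __name__ == "__main__":
    # Hypothetical values mirroring the reply; replace with your own.
    print(install_pair("10.1.1.6", "certadmin", "certadmin", "myserver", "https://staging"))
```

The key still crosses the network from the staging host to the BIG-IP, so serve it over TLS only, restrict who can reach the staging URL (source IP, short-lived path, or credentials), and remove the file from staging once the install reply comes back.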