Forum Discussion
F5 BIG IP iControl API Authentication
- Dec 05, 2022
Hi srinidhi,
the links I've provided you are outlining the details to configure iControl REST. There is unfortunately no GUI for it.
I somehow share your doubts. Personally I wont give lets say "untrusted people" a network access to my iControl REST and grant them "minimalistic" access permissions (e.g. Operator Role + API permissions). Its already to much for my taste...
You may check the iRule coding below to use a Virtual Server to provide an alternative and very restricted access method to your iControl REST. The iRule checks for a PERM-API-KEY header value and applies simple access rules. When an request is allowed to pass, F5 administrative credentials are getting insert in the forwarded request. On this way you dont need to forward any credentials to a "untrusted people" and the dont need a direct access to your Management IP at all.
when HTTP_REQUEST { # Check if a given "PERM-API-KEY" HTTP header value is allowed to access a specific API endpoint switch -glob -- "[HTTP::header value "PERM-API-KEY"]|[HTTP::method]|[HTTP::uri]" { "InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,10" { # Allow the request } "InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,20" { # Allow the request } default { # Deny all remaining requests HTTP::respond 403 content "Access Denied" "Content-Type" "text/html" return } } # Sanitize inbound HTTP request headers and inject F5 Admin Credentials HTTP::header sanitize HTTP::header insert "Authorization" "Basic [b64encode "admin:admin"]" # Forward the request to REST API (using Route-Domains other than 0 is required) node 10.0.17.200%1 443 } when HTTP_RESPONSE { # Sanitize outbound HTTP request headers HTTP::header sanitize HTTP::header remove "Set-Cookie" }
ltm virtual VS_for_restricted_API_access { destination 10.0.18.23%1:https ip-protocol tcp mask 255.255.255.255 profiles { clientssl { context clientside } http { } serverssl { context serverside } tcp { } } rules { iRule_for_restricted_API_access } serverssl-use-sni disabled source 0.0.0.0%1/0 source-address-translation { type automap } translate-address enabled translate-port enabled }
Note: The only requirement for the Virtual Server alternative access method is, that the Virtual Server must be operated in a Route-Domain other than 0 (default). The traffic has to leave your LTM-SelfIP and then find its way to the management IP via your network infrastructure.
Cheers, Kai
- Dec 06, 2022
- This iRule checks for the PERM_API_KEY, from where do we get the perm_api_key
Its a free-text value. Simply replace the value in the iRule i send your with a long password string like "hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm".
Then send the string to the guy who needs to access to your API. Tell the guy to use this string as the value in a custom HTTP Header called "PERM_API_KEY" when accessing your API. Its basically a shared-key authentication used between the API caller and your F5.
curl -H "PERM_API_KEY: hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm" https://10.0.17.200/mgmt/tm/sys/log/audit/stats
- Can you let me know if this below line will be replaced with the auth token and how does the authentication works
The F5 injects Basic credentials to the HTTP request before forwarding to REST API. You may create a new user account with at least Admin or Auditor permissions to read the logs. Then replace "admin:admin" with "Username:Password" of the just created user account.
You may also base64 encode the "Username:Password" string offline an replace the line with:
HTTP::header insert "Authorization" "Basic YOURBASE64CODE=="
It will basically masks the contained password value a bit...
Cheers, Kai
Hi srinidhi,
iControl REST has its own RBAC, which can be used to grant access to specific API endpoints to non-admin users. You may read the following article to see how it should be configured...
iControl REST Fine-Grained Role Based Access Contr... - DevCentral (f5.com)
iControl REST Role Based Access Control (RBAC) for remotely authenticated users (f5.com)
Alternatively may also use a Virtual Server front-ending your REST-API as alternative access method. By doing so you could Pre-Auth users (e.g. Certifictate, BASIC, HTTP header providing permanent API-Key) via exteral Repositories (e.g. User Names / Credentials / Keys / Settings stored in a Data-Group), apply restrictions by filtering HTTP requests (e.g. user ABC is only allowed to GET /mgmt/tm/sys/log/ltm/stats) and finally forward the request to your REST-API by replacing the client-side credentials with F5-Admin BASIC credentials on the server side.
Cheers, Kai
Hey Kai, thanks for the info,
As you mentioned, can you please let me know how to grant user access to specific API endpoint.
That would be a great help.
- srinidhi12Dec 05, 2022Cirrostratus
I have few doubts on giving access only to API:
- Can this be done from the BIGIP web UI
- Does this process require BIG-IQ
Please let me know if I am missing on any detail
- Kai_WilkeDec 05, 2022MVP
Hi srinidhi,
the links I've provided you are outlining the details to configure iControl REST. There is unfortunately no GUI for it.
I somehow share your doubts. Personally I wont give lets say "untrusted people" a network access to my iControl REST and grant them "minimalistic" access permissions (e.g. Operator Role + API permissions). Its already to much for my taste...
You may check the iRule coding below to use a Virtual Server to provide an alternative and very restricted access method to your iControl REST. The iRule checks for a PERM-API-KEY header value and applies simple access rules. When an request is allowed to pass, F5 administrative credentials are getting insert in the forwarded request. On this way you dont need to forward any credentials to a "untrusted people" and the dont need a direct access to your Management IP at all.
when HTTP_REQUEST { # Check if a given "PERM-API-KEY" HTTP header value is allowed to access a specific API endpoint switch -glob -- "[HTTP::header value "PERM-API-KEY"]|[HTTP::method]|[HTTP::uri]" { "InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,10" { # Allow the request } "InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,20" { # Allow the request } default { # Deny all remaining requests HTTP::respond 403 content "Access Denied" "Content-Type" "text/html" return } } # Sanitize inbound HTTP request headers and inject F5 Admin Credentials HTTP::header sanitize HTTP::header insert "Authorization" "Basic [b64encode "admin:admin"]" # Forward the request to REST API (using Route-Domains other than 0 is required) node 10.0.17.200%1 443 } when HTTP_RESPONSE { # Sanitize outbound HTTP request headers HTTP::header sanitize HTTP::header remove "Set-Cookie" }
ltm virtual VS_for_restricted_API_access { destination 10.0.18.23%1:https ip-protocol tcp mask 255.255.255.255 profiles { clientssl { context clientside } http { } serverssl { context serverside } tcp { } } rules { iRule_for_restricted_API_access } serverssl-use-sni disabled source 0.0.0.0%1/0 source-address-translation { type automap } translate-address enabled translate-port enabled }
Note: The only requirement for the Virtual Server alternative access method is, that the Virtual Server must be operated in a Route-Domain other than 0 (default). The traffic has to leave your LTM-SelfIP and then find its way to the management IP via your network infrastructure.
Cheers, Kai
- srinidhi12Dec 05, 2022Cirrostratus
Thank you Kai for the iRule coding below to use a Virtual Server to provide an alternative.
I will try this method in my BIG-IP. I am checking the irule code, so is this code needs to be run in the BIG-IP tmsh cli?
Meanwhile I justed wanted to know if it is possible to create a user with access only to specific iControl REST API endpoint. I hhave tried to create user with guest role from the UI, but I am unable to provide a custom role via curl command as mentioned in this link: linkhttps://community.f5.com/t5/technical-articles/icontrol-rest-fine-grained-role-based-access-control/ta-p/287641
Can you please help me with the commands to create a user and give access to read all log related endpoint, also I doubt there are multiple logs API endpoint so I should be created resource group that includes all these endpoints?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com