Forum Discussion

KeyClacker's avatar
KeyClacker
Icon for Altocumulus rankAltocumulus
Feb 28, 2022

Powershell: Invoke-RESTmethod on /mgmt/tm/sys/ucs (403) Forbidden error

I'm fairly experienced with Powershell and have used the Invoke-RestMethod cmdlet, and vendor documentation, to automate some things before.  I've just inherited management of an HA pair of F5 BIG-IPs.  We're not in a position to get BIG-IQ right now, and from looking at notes the previous admin was just logging in and manually creating a UCS archive and downloading it on the weekly.

Of course my first thought was that I could automate this. I was able to successfully authenticate against one of the appliances with Invoke-RestMethod and do an HTTP GET to retrieve a  list of current UCS files present.  However, when I change the method to POST and add in the appropraite Body parameters (in JSON) I get a 403 forbidden error:

 

 

{"code":403,"message":"Operation is not allowed on component /sys/ucs.","errorStack":[],"apiError":1}

 

 

the documentation here seems to allude that this should be possible:

K13225405 

Here's more or less what I'm working with so far:

 

 

$uri = "/mgmt/tm/sys/ucs"
$BigIP = "192.168.1.10"
$link = "https://$BigIP$uri"
$headers = @{}
$headers.Add("ServerHost", $Bigip)
$headers.Add("Content-Type", "application/json")
$Body = @{
    Name = "/var/local/ucs/test_ucs.ucs"
    Command = "save"
}
$mycreds = Get-Credential

$obj = Invoke-RestMethod -Method POST -Headers $headers -Body ($Body | ConvertTo-Json) -Uri $link -Credential $mycreds

 

 

  • xuwen's avatar
    xuwen
    Icon for Cumulonimbus rankCumulonimbus

    i suggest you use f5 python sdk api: f5-sdk

    here is the code to save sys ucs file and name its filename "/var/local/ucs/test.ucs":

    from f5.bigip import ManagementRoot

    mgmt = ManagementRoot("192.168.5.109", 'admin', 'xt32112300')

    """save sys ucs name /var/local/ucs/test.ucs"""
    mgmt.tm.sys.ucs.exec_cmd(command='save', name='/var/local/ucs/test.ucs')

    """check system all sys ucs filename"""
    for i in mgmt.tm.sys.ucs.load().items:
    print(i['apiRawValues']['filename'])

     

    • KeyClacker's avatar
      KeyClacker
      Icon for Altocumulus rankAltocumulus

      Appreciate that, but we don't use Python anywhere in our organization.  If Python can do it using the same REST API then I would think anything could.

  • Did you try to make the same POST request with a different UCS name ?

    Maybe there is already an existing one on your box with the same name, in that case you request could be blocked to avoid to override it.

    • xuwen's avatar
      xuwen
      Icon for Cumulonimbus rankCumulonimbus

      use datetime to rename format ucs filename and make it not be the same

      from datetime import datetime

      '/var/local/ucs/test_{}.ucs'.format(datetime.now().strftime('%Y-%m-%d'))

       

    • KeyClacker's avatar
      KeyClacker
      Icon for Altocumulus rankAltocumulus

      I have not tried another account as this is my account, but I could potentially create an account just for this. However, my account is an admin, and it does let me authenticate via the API to do a GET request and get a list of the UCS archives already on the appliance, for which there is one. And there is no name collision.  This is from F5's documentation:

      <POST> /mgmt/tm/sys/ucs -d '{"command":"save","name":"/var/local/ucs/test_ucs.ucs"}'


      However, in another document somewhere else they only provide the filename with no full path, and no file extension.  I've tried all of those combos with the same result. 

      • SamCo's avatar
        SamCo
        Icon for Cirrus rankCirrus

        Maybe I have not been clear enough : the credential are fine, I mean the filename :

        You have a 403 for "/var/local/ucs/test_ucs.ucs", have you tried "/var/local/ucs/test_ucs_XXX.ucs" ?

         

        Cheers,

        Sam

  • There are a couple nuances with downloading files. First, the /sys/global-settings has a file whitelist attribute that must have your folder location listed. Then, you have to actually have a restjavad worker attached to that location. AFAIK, there are only a few locations you can upload/download from with iControl REST:

    Description Method URI Path
    ASM POST /mgmt/tm/asm/file-transfer/uploads/ ??
    ASM GET /mgmt/tm/asm/file-transfer/downloads/ ??
    image POST /mgmt/cm/autodeploy/software-image-uploads/ /shared/images/
    image/files GET /mgmt/cm/autodeploy/software-image-downloads/ /shared/images/
    qkview GET /mgmt/shared/file-transfer/qkview-downloads/ /var/tmp/
    ucs GET /mgmt/shared/file-transfer/ucs-downloads/ /var/local/ucs/
    files POST /mgmt/shared/file-transfer/uploads/ /var/config/rest/downloads/

    I updated my Demystifying iControl REST article on transferring files with this expanded table.

    • KeyClacker's avatar
      KeyClacker
      Icon for Altocumulus rankAltocumulus

      thanks JRahm. I wanted to download UCS files which look to reside  in /var/local/ucs/* so I should have been all good to go, but when I downloaded a UCS it was only 1MB. Then I read in an F5 doc that the iControl REST API is limited to 1MB downloads. 

      Re-reading the F5 Python SDK I see they managed to build a little loop that gets the file size and somehow manages to download it in little 1MB chunks. But, according to one of the "issues" posted in Github, it's incredibly slow.  So, I've decided to just give up on scripting this with Powershell.  

      I can create a UCS archive via Powershell, and I can list the current ones, but it looks like downloading is a no go. Save for doing something like SCP or something. 

      • JRahm's avatar
        JRahm
        Icon for Admin rankAdmin

        yeah, you have to track the content-range header and grab chunks at a time. That's what we do with the python sdks. we have download/upload methods that manage that for us.