Forum Discussion

srinidhi12's avatar
Dec 02, 2022
Solved

F5 BIG IP iControl API Authentication

Hi All,

I am trying to access the icontrol API and collect the BIG IP logs.

curl -sku admin:admin -H "Content-Type: application/json" -X GET https://x.x.x.x/mgmt/tm/sys/log/ltm/stats

I am able to get the logs using the admin:admin user credentials.

But I wanted to know if there is any other way to access the api without admin user credentials. something like an API key which can be used only for API access as I cannot share the admin credentials with external users.

Please help me with the API authentication options.

Thanks!

  • Kai_Wilke's avatar
    Kai_Wilke
    Dec 05, 2022

    Hi srinidhi,

    the links I've provided you are outlining the details to configure iControl REST. There is unfortunately no GUI for it. 

    I somehow share your doubts. Personally I wont give lets say "untrusted people" a network access to my iControl REST and grant them "minimalistic" access permissions (e.g. Operator Role + API permissions). Its already to much for my taste... 

    You may check the iRule coding below to use a Virtual Server to provide an alternative and very restricted access method to your iControl REST. The iRule checks for a PERM-API-KEY header value and applies simple access rules. When an request is allowed to pass, F5 administrative credentials are getting insert in the forwarded request. On this way you dont need to forward any credentials to a "untrusted people" and the dont need a direct access to your Management IP at all.   

     

     

    when HTTP_REQUEST {
    	
    	# Check if a given "PERM-API-KEY" HTTP header value is allowed to access a specific API endpoint
    				
    	switch -glob -- "[HTTP::header value "PERM-API-KEY"]|[HTTP::method]|[HTTP::uri]" {
    			
    		"InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,10" {
    			# Allow the request	
    		}
    		"InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,20" {
    			# Allow the request	
    		}
    		default {
    			# Deny all remaining requests	
    			HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
    			return
    		}
    		
    	}
    	
    	# Sanitize inbound HTTP request headers and inject F5 Admin Credentials
    		
    	HTTP::header sanitize 
    	HTTP::header insert "Authorization" "Basic [b64encode "admin:admin"]"
    	
    	# Forward the request to REST API (using Route-Domains other than 0 is required) 		
    	node 10.0.17.200%1 443
    	
    }
    when HTTP_RESPONSE {
    
    	# Sanitize outbound HTTP request headers
    	HTTP::header sanitize 
    	HTTP::header remove "Set-Cookie"
    
    }
    
    
    ltm virtual VS_for_restricted_API_access {
        destination 10.0.18.23%1:https
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            clientssl {
                context clientside
            }
            http { }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            iRule_for_restricted_API_access
        }
        serverssl-use-sni disabled
        source 0.0.0.0%1/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
    }

     

     

    Note: The only requirement for the Virtual Server alternative access method is, that the Virtual Server must be operated in a Route-Domain other than 0 (default). The traffic has to leave your LTM-SelfIP and then find its way to the management IP via your network infrastructure.

    Cheers, Kai

  • Kai_Wilke's avatar
    Kai_Wilke
    Dec 06, 2022
    • This iRule checks for the PERM_API_KEY, from where do we get the perm_api_key

    Its a free-text value. Simply replace the value in the iRule i send your with a long password string like "hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm".

    Then send the string to the guy who needs to access to your API. Tell the guy to use this string as the value in a custom HTTP Header called "PERM_API_KEY" when accessing your API. Its basically a shared-key authentication used between the API caller and your F5. 

    curl -H "PERM_API_KEY: hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm" https://10.0.17.200/mgmt/tm/sys/log/audit/stats
    • Can you let me know if this below line will be replaced with the auth token and how does the authentication works 

    The F5 injects Basic credentials to the HTTP request before forwarding to REST API. You may create a new user account with at least Admin or Auditor permissions to read the logs. Then replace "admin:admin" with "Username:Password" of the just created user account.

    You may also base64 encode the "Username:Password" string offline an replace the line with:

    HTTP::header insert "Authorization" "Basic YOURBASE64CODE=="

    It will basically masks the contained password value a bit...

    Cheers, Kai

20 Replies

  • Hi srinidhi,

    iControl REST has its own RBAC, which can be used to grant access to specific API endpoints to non-admin users. You may read the following article to see how it should be configured...

    iControl REST Fine-Grained Role Based Access Contr... - DevCentral (f5.com)

    iControl REST Role Based Access Control (RBAC) for remotely authenticated users (f5.com)

    Alternatively may also use a Virtual Server front-ending your REST-API as alternative access method. By doing so you could Pre-Auth users (e.g. Certifictate, BASIC, HTTP header providing permanent API-Key) via exteral Repositories (e.g. User Names / Credentials / Keys / Settings stored in a Data-Group), apply restrictions by filtering HTTP requests (e.g. user ABC is only allowed to GET /mgmt/tm/sys/log/ltm/stats) and finally forward the request to your REST-API by replacing the client-side credentials with F5-Admin BASIC credentials on the server side.

    Cheers, Kai

     

    • srinidhi12's avatar
      srinidhi12
      Icon for Cirrus rankCirrus

      Hey Kai, thanks for the info, 

      As you mentioned, can you please let me know how to grant user access to specific API endpoint.

      That would be a great help.

       

      • srinidhi12's avatar
        srinidhi12
        Icon for Cirrus rankCirrus

        I have few doubts on giving access only to API:

        • Can this be done from the BIGIP web UI
        • Does this process require BIG-IQ 

        Please let me know if I am missing on any detail