I'm fairly experienced with Powershell and have used the Invoke-RestMethod cmdlet, and vendor documentation, to automate some things before. I've just inherited management of an HA pair of F5 BIG-IPs. We're not in a position to get BIG-IQ right now, and from looking at notes the previous admin was just logging in and manually creating a UCS archive and downloading it on the weekly.
Of course my first thought was that I could automate this. I was able to successfully authenticate against one of the appliances with Invoke-RestMethod and do an HTTP GET to retrieve a list of current UCS files present. However, when I change the method to POST and add in the appropraite Body parameters (in JSON) I get a 403 forbidden error:
{"code":403,"message":"Operation is not allowed on component /sys/ucs.","errorStack":[],"apiError":1}
the documentation here seems to allude that this should be possible:
I have not tried another account as this is my account, but I could potentially create an account just for this. However, my account is an admin, and it does let me authenticate via the API to do a GET request and get a list of the UCS archives already on the appliance, for which there is one. And there is no name collision. This is from F5's documentation:
However, in another document somewhere else they only provide the filename with no full path, and no file extension. I've tried all of those combos with the same result.
all produce the same error message. I'm currently attempting to combine some methodology from the POSH-LTM-Rest module found here and the code i've been working on already. The documentation doesn't call it out anywhere but I wonder if you have to retrieve an F5 session token before you can do anything using the POST method.
I'm on a Windows box though, and something about that doesn't translate well to Curl.exe. It gets mad about non-json content. So, I spun up a Linux VM really quick and ran that exact syntax and it didn't error out AND it created a test.ucs. Now I just need to understand what's different between that curl request and what i'm doing with Invoke-RestMethod in Powershell, because I'm not seeing it.
I changed how i'm generating the $Body variable to just be a here-string with straight up json in it, instead of a hashtable i convert to json, and the request worked.
omg...it wasn't even that. It was case. Even though Powershell is case insensitive I'm so used to doing camel case everywhere that I did "Command" and "Name" instead of "command" and "name" for my json body.
There are a couple nuances with downloading files. First, the /sys/global-settings has a file whitelist attribute that must have your folder location listed. Then, you have to actually have a restjavad worker attached to that location. AFAIK, there are only a few locations you can upload/download from with iControl REST:
thanks JRahm. I wanted to download UCS files which look to reside in /var/local/ucs/* so I should have been all good to go, but when I downloaded a UCS it was only 1MB. Then I read in an F5 doc that the iControl REST API is limited to 1MB downloads.
Re-reading the F5 Python SDK I see they managed to build a little loop that gets the file size and somehow manages to download it in little 1MB chunks. But, according to one of the "issues" posted in Github, it's incredibly slow. So, I've decided to just give up on scripting this with Powershell.
I can create a UCS archive via Powershell, and I can list the current ones, but it looks like downloading is a no go. Save for doing something like SCP or something.
yeah, you have to track the content-range header and grab chunks at a time. That's what we do with the python sdks. we have download/upload methods that manage that for us.
that's what I was seeing looking through the SDK on github. While I can kind of make sense of it, I don't know Invoke-RestMethod and the Content-Range header well enough to begin to tackle this.
Unfortunately F5 built in a byte limit on the API. Their own Python module is built around this limitation and handles chunking up the download in to pieces and streaming it to a file. Powershell cannot do this by some magic and it would require a lot of scaffolding.
I eventually gave up and used the Posh-SSH module to just SCP the UCS archive off of the appliance and to a network share.
