Authenticate to vRealize Orchestrator API using PowerShell
I’m working on a project that requires direct interaction with the vRO API from a third party system. Maybe I’m getting less effective at using Google in my old age, but I had a heck of a time finding good solid code for authenticating to the API using anything, including PowerShell.
Typically I’d use Invoke-vRARestMethod from PowerVRA for this, but unfortunately I had some additional requirements that mandate me using a bearer token.
As a point of reference, you can view all of the available APIs for vRealize Automation by navigating to this URL: https://{your-vra-url}/automation-ui/api-docs/. We’ll be working with the “Orchestrator” API.
The function below will return a bearer token, which you can use in future API calls to vRA.
```powershell
function Get-BearerToken {
    param (
        $vra_server,
        $password, #Make sure you're passing a value securely here, and not using plain text... be smart :-)
        $username,
        $domain
    )
    # Create headers for authentication and bearer token generation
    $authHeaders = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $authHeaders.Add("Content-Type", "application/json")
    $authHeaders.Add("Accept", "application/json")
    # Create body for authentication and bearer token generation
    $authBody = "{
    `n `"password`": `"passwordString`",
    `n `"username`": `"usernameString`",
    `n `"domain`": `"domainString`"
    `n}"
    # Replace values in body with variables
    # .Replace() is a literal substitution; the -Replace operator treats "$" sequences
    # in the replacement (e.g. a password containing "$&") as regex substitutions.
    # Values containing a double quote or backslash still need JSON escaping.
    $authBody = $authBody.Replace("passwordString", $password)
    $authBody = $authBody.Replace("usernameString", $username)
    $authBody = $authBody.Replace("domainString", $domain)
    # Set URI for authentication and bearer token generation
    $authURI = "https://$($vra_server)/csp/gateway/am/api/login?cspAuthToken"
    # Make API call with headers and body
    $response = Invoke-RestMethod $authURI -Method 'POST' -Headers $authHeaders -Body $authBody
    # Record bearer token for later use
    $bearer_token = "Bearer " + $response.cspAuthToken
    return $bearer_token
}
```
Parameters:
Line 3: vra_server – the FQDN of your vRA 8 instance
Line 4: password – password associated with your vRA 8 account used to authenticate. As mentioned, please be smart here. Plaintext passwords are bad.
Line 5: username – Unlike vRA 7, vRA 8 needs you to split your username and domain apart. For example, in vRA 7 you’d authenticate using the username jon.smith@rainpole.com, where in vRA 8 you authenticate using just the username jon.smith
Line 6: domain – This is where the domain goes (Example: rainpole.com)
Lines 14-24: We’re setting the body up to be included in the REST request. There’s some special formatting required so we’re using the replace method to modify the string.
Line 27: Build a simple variable with the URI used for authentication. More can be found on this in the API documentation mentioned above.
Lines 29-35: Make the API call, build the bearer token (essentially add the word “Bearer ” to the beginning of the authentication token), and return it.
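One way to follow the "be smart" advice on the password parameter, shown as an added example rather than code from the original post: the function takes a PSCredential instead of a plaintext string and builds the body with ConvertTo-Json, so quotes, backslashes and "$" in a password are escaped correctly. The function name and parameter names are hypothetical; the login URI and the cspAuthToken response field are the ones used in the function above.

```powershell
function Get-BearerTokenFromCredential {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string]       $VraServer,   # FQDN of the vRA 8 instance
        [Parameter(Mandatory)] [pscredential] $Credential,  # username only, without @domain
        [Parameter(Mandatory)] [string]       $Domain       # e.g. rainpole.com
    )

    # The plaintext password exists only in memory, at the moment the body is built.
    # ConvertTo-Json handles JSON escaping, so no string replacement is needed.
    $authBody = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
        domain   = $Domain
    } | ConvertTo-Json

    $authURI = "https://$VraServer/csp/gateway/am/api/login?cspAuthToken"

    try {
        $response = Invoke-RestMethod -Uri $authURI -Method Post `
            -ContentType 'application/json' `
            -Headers @{ Accept = 'application/json' } `
            -Body $authBody
    }
    catch {
        # Surface the failure without echoing the request body (which holds the password).
        throw "Authentication to $VraServer failed: $($_.Exception.Message)"
    }
    finally {
        # Drop the reference to the JSON body that contains the password.
        $authBody = $null
    }

    if (-not $response.cspAuthToken) {
        throw "Login to $VraServer succeeded but the response carried no cspAuthToken."
    }

    return "Bearer $($response.cspAuthToken)"
}

# Usage (constructed values; vra.example.test is a placeholder host):
#   $cred    = Get-Credential -Message 'vRA 8 account (username only)'
#   $token   = Get-BearerTokenFromCredential -VraServer 'vra.example.test' -Credential $cred -Domain 'rainpole.com'
#   $headers = @{ Authorization = $token; Accept = 'application/json' }
```

For unattended use, the credential can come from a secret store instead of Get-Credential; the returned token should be treated like the password and kept out of logs and transcripts.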
Short and sweet. I’ll be adding some more snippets and problems in the future.