This document explains how to configure and use Proxmox API tokens for secure authentication.
API tokens provide several advantages over password authentication:
- Security: No need to store passwords in configuration files
- Granular Permissions: Tokens can have specific permissions
- Audit Trail: Token usage is logged separately
- Revocable: Tokens can be disabled without changing passwords
- Automation Friendly: Better for CI/CD and automated deployments
Your terraform.tfvars is configured with:
```hcl
# API Token Authentication (Primary)
proxmox_api_token_id = "your-username@pam!your-token-name"
proxmox_api_token_secret = "your-token-secret"
# Password Authentication (Fallback)
proxmox_user = "your-username@pam"
proxmox_password = "your-password"
```
The Terraform provider automatically uses API tokens when available:
```hcl
provider "proxmox" {
  endpoint = var.proxmox_api_url
  # Use API token if provided, otherwise fall back to username/password
  api_token = var.proxmox_api_token_id != "" ? "${var.proxmox_api_token_id}=${var.proxmox_api_token_secret}" : null
  username  = var.proxmox_api_token_id != "" ? null : var.proxmox_user
  password  = var.proxmox_api_token_id != "" ? null : var.proxmox_password
  insecure  = var.proxmox_tls_insecure
}
```
Test your API token configuration:
```bash
# Test API token authentication
./scripts/test-proxmox-api-token.sh
# Test Terraform plan
terraform plan -target=proxmox_virtual_environment_vm.bumblebee
```
- Log into Proxmox web interface
- Go to Datacenter → Permissions → API Tokens
- Look for token: `your-username@pam!your-token`
- Ensure it's enabled and has proper permissions
The token should have:
- Path: `/` (root)
- Role: `Administrator` or custom role with VM management permissions
- Privilege Separation: Disabled (for full access)
If the token doesn't exist or needs to be recreated:
```bash
# SSH to Proxmox host
ssh root@YOUR_PROXMOX_IP
# Create API token
pveum user token add your-username@pam your-token --privsep=0
# The command will output the secret - update terraform.tfvars with it
```
For VM management, the token needs these permissions:
- `VM.Allocate` - Create/delete VMs
- `VM.Config.Disk` - Manage VM disks
- `VM.Config.Memory` - Manage VM memory
- `VM.Config.Network` - Manage VM network
- `VM.Config.Options` - Manage VM options
- `VM.Monitor` - Monitor VM status
- `VM.PowerMgmt` - Start/stop VMs
- `Datastore.Allocate` - Use storage
- `SDN.Use` - Use network bridges
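The page recommends minimal permissions, while the command above creates the token with `--privsep=0`. As an added example (not part of the original page), this script prints the `pveum` commands for a privilege-separated token bound to a role that carries only the privileges listed above. The role name `TerraformVM`, the `PVE_*` variables and the strict name validation are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: print the pveum commands for a
# privilege-separated token bound to a dedicated role.
PVE_USER="${PVE_USER:-your-username@pam}"  # placeholder used on this page
PVE_TOKEN="${PVE_TOKEN:-your-token}"       # placeholder used on this page
PVE_ROLE="${PVE_ROLE:-TerraformVM}"        # hypothetical role name
PVE_PATH="${PVE_PATH:-/}"                  # ACL path; narrow it where possible
# Privileges exactly as listed on this page.
PVE_PRIVS="VM.Allocate VM.Config.Disk VM.Config.Memory VM.Config.Network \
VM.Config.Options VM.Monitor VM.PowerMgmt Datastore.Allocate SDN.Use"

# Accept only letters, digits, '.', '_' and '-' (deliberately strict, an
# assumption of this example) so values can be quoted safely below.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# A user id must be user@realm with both halves valid.
valid_user() {
  case "$1" in *@*) ;; *) return 1 ;; esac
  valid_name "${1%@*}" && valid_name "${1##*@}"
}

# Print the commands in the order they must run on the Proxmox host.
plan() {
  valid_user "$PVE_USER" && valid_name "$PVE_TOKEN" && valid_name "$PVE_ROLE" ||
    { echo "refusing: malformed user, token or role name" >&2; return 1; }
  case "$PVE_PATH" in
    ''|[!/]*|*[!A-Za-z0-9._/-]*) echo "refusing: bad ACL path" >&2; return 1 ;;
  esac
  # 1. Role holding only the listed privileges.
  printf "pveum role add %s --privs '%s'\n" "$PVE_ROLE" "$PVE_PRIVS"
  # 2. Token with privilege separation enabled.
  printf "pveum user token add %s %s --privsep 1\n" "$PVE_USER" "$PVE_TOKEN"
  # 3. Grant the role to the token itself rather than to the user.
  printf "pveum acl modify %s --tokens '%s!%s' --roles %s\n" \
    "$PVE_PATH" "$PVE_USER" "$PVE_TOKEN" "$PVE_ROLE"
  # 4. List the token's resulting permissions for review.
  printf "pveum user token permissions %s %s\n" "$PVE_USER" "$PVE_TOKEN"
}

plan
```

Review the printed commands before running them as root on the Proxmox host. With privilege separation enabled, the token's effective permissions are the intersection of its own ACLs and the user's permissions.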
If you see authentication errors:
- Check token exists:
  ```bash
  ssh root@PROXMOX_IP 'pveum user token list your-username@pam'
  ```
- Verify token is enabled:
  - In Proxmox web UI, check the token isn't disabled
- Check permissions:
  ```bash
  ssh root@PROXMOX_IP 'pveum user permissions your-username@pam'
  ```
- Test token manually:
  ```bash
  # Single quotes keep an interactive shell from history-expanding the "!"
  # -k skips TLS certificate verification
  curl -k -H 'Authorization: PVEAPIToken=your-username@pam!your-token=your-token-secret' \
    "https://YOUR_PROXMOX_IP:8006/api2/json/version"
  ```
The provider falls back to password authentication when no API token ID is set. If token authentication fails, check that password authentication works:
```bash
# Check if password auth works
curl -k -d 'username=your-username@pam&password=your-password' \
  "https://YOUR_PROXMOX_IP:8006/api2/json/access/ticket"
```
- Token Expired: Tokens don't expire by default, but check if it was manually disabled
- Insufficient Permissions: Ensure token has Administrator role or required permissions
- Privilege Separation: If enabled, token inherits user permissions (may be limited)
- Network Issues: Ensure Proxmox API is accessible on port 8006

- Use API Tokens: Prefer tokens over passwords for automation
- Minimal Permissions: Create tokens with only required permissions
- Regular Rotation: Rotate tokens periodically for security
- Secure Storage: Store token secrets securely (not in version control)
- Monitor Usage: Check Proxmox logs for token usage
API token authentication provides secure and reliable access to your Proxmox infrastructure! 🔐