When you try to generate a new API Key for an API-user in FortiGate using the API REST, you may encounter a 403 error
{
"http_method": "POST",
"status": "error",
"http_status": 403,
"vdom": "root",
"path": "system",
"name": "api-user",
"action": "generate-key",
"serial": "FGTXXXXXXXXXXXXXX",
"version": "v7.2.4",
"build": 1396
}
This error occurs when the user making the API call does not have the necessary permissions. When creating an API user through the Fortigate GUI, you cannot assign the super_admin profile as it is not visible in the select list. The only way to assign this profile is through the CLI.
The problem has been discussed in this forum post: community.fortinet.com/t5/Support-Forum/API-request-of-new-token/m-p/242109#M205093. However, here is a more detailed procedure.
Solution : set the accprofile “super_admin” on the API-user account
How to set the super_admin profile on the API-user via the CLI on FortiGate ?
Connect to the fortigate, open the CLI and run the following commands :
-
config system api-user
-
edit "<the_api_rest_user_to_modify>"
-
set accprofile "super_admin"
-
end
-
now you can make API request to generate api-key with that user.
- Example request on Fortigate v7.2.4 : POST
https:/**/{{ADDRESS}}**/api/v2/monitor/system/api-user/generate-key?api-user=**{{API_REST_ADMIN_USERNAME}}**&vdom=root
- Example request on Fortigate v7.2.4 : POST
-
If you run
show
command, you should see something similar to this.Example with API-USER "rest_api_admin" :
config system api-user
edit "rest_api_admin"
set api-key ENC SH2FG4KXXXXXXXXXXXXXXXXXXXXXXXXX
set accprofile "super_admin"
set vdom "root"
next
end