Save Proxmox API user permissions from old host

2026-03-31 16:49:28 +00:00 · 2026-03-31 16:49:28 +00:00 · 7e75b64e91
commit 7e75b64e91
parent 4fad12c8bc
1 changed files with 34 additions and 0 deletions
--- a/SCRATCH/proxmox-api-permissions.md
+++ b/SCRATCH/proxmox-api-permissions.md
@ -0,0 +1,34 @@
+# Proxmox API User Config — from old host (zlh-prod1)
+
+## Source of truth
+Copied from `/etc/pve/user.cfg` on old Denver host Mar 31 2026.
+
+## Users needed
+- `apiuser@pve` — main API user for container provisioning
+- `ansible@pve` — automation user (recreate if needed)
+
+## Roles needed
+```
+ZLH-API: Datastore.AllocateSpace, Datastore.Audit, SDN.Allocate, SDN.Audit, SDN.Use, Sys.Audit, Sys.Modify, VM.Allocate, VM.Audit, VM.Clone, VM.Config.CPU, VM.Config.Disk, VM.Config.Memory, VM.Config.Network, VM.Config.Options, VM.PowerMgmt
+
+ZLH-API-CT: Datastore.AllocateSpace, Datastore.Audit, SDN.Use, VM.Allocate, VM.Audit, VM.Clone, VM.Config.CPU, VM.Config.Disk, VM.Config.Memory, VM.Config.Network, VM.Config.Options, VM.PowerMgmt
+```
+
+## ACLs needed for apiuser
+```
+/nodes/zlh1         apiuser@pve         ZLH-API
+/nodes/zlh1         apiuser@pve!zlh-api ZLH-API, ZLH-API-CT
+/storage/zlh-thin   apiuser@pve         ZLH-API
+/storage/zlh-thin   apiuser@pve!zlh-api ZLH-API, ZLH-API-CT
+/vms                apiuser@pve         ZLH-API
+/vms                apiuser@pve!zlh-api ZLH-API, ZLH-API-CT
+/sdn                apiuser@pve         ZLH-API
+/sdn                apiuser@pve!zlh-api ZLH-API
+```
+
+## Notes
+- Node name on new host is `zlh1` — replace `zlh-prod1` references
+- `zlh-thin` storage needs to exist on new host for ACLs to apply
+- SDN ACLs reference vmbr1/vmbr2/vmbr3 — verify these exist on new host
+- Token name: `apiuser@pve!zlh-api` — generate new secret, update .env on zpac-api
+- ansible@pve not critical for platform — skip unless needed