Automation user

Hi,
It seems in 2.4 (perhaps earlier as well) the automation user is no longer created. I’ve used its secret in Ansible to use the Rest API to perform configuration.

Are there any options to create a user with API permissions? cmkadmin is not an API user and I guess agent_registration can't use all functions of the REST API?

Found this Werk as well: Werk #17344: No default storing of automation user secret

Hi Anders,

Can't you create a user with the role administrator and an automation secret?

Can I do that from the shell? The site is being set up with Ansible, so using the GUI is not possible.
I'm just thinking of creating it manually by creating a folder in the web folder with an .secret, but that does not feel so future-proof :slight_smile:

I also looked at the Checkmk Ansible and it seems it also relies on automation_secret that is no longer available in 2.4

Maybe you can use the cmkadmin with a password with Ansible and then create the automation account via the Ansible user role.

1 Like

That role uses the RestAPI and /domain-types/user_config/collections/all and needs the secret for the automation user, so catch-22 :slight_smile:

I ended up doing what I wrote in my previous post, just rsync some files from Ansible files from an existing automation user in another site and that seems to work fine. Minimal effort.

I guess I could do some fancy HTTP POST to the web ui, using the cmkadmin user but seems complicated.

I hope Checkmk will add the possibility to create an API user using the cmk command or something else

1 Like

Actually, that didn't work. The user does not show up in the GUI.

Hi,

you can use a normal User on the RestAPI as well.

$ curl -X 'POST' 'http://localhost/beta/check_mk/api/1.0/domain-types/user_config/collections/all' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -u cmkadmin:cmk \
  -d '{
  "username": "ansible",
  "fullname": "User for ansible",
  "auth_option": {
    "auth_type": "automation",
    "secret": "veryverysecret"
  },
  "roles": [
    "admin"
  ]
}'

Should create an automation user, at least it does on my machine :wink:

1 Like

I’ll look into this from a collection perspective. We are almost done finalizing 2.4.0 support, but I did not actively consider this use case. I’ll get back to y’all.

1 Like

automation_secret is only available if you explicitly select that it is stored in clear text inside 2.4.

1 Like

It seems perhaps I can do

       "auth_option": {
          "auth_type": "automation",
          "store_automation_secret": true
        },
        "inter

using the "user_config" that @Maximilian suggested - didn't know you could use the REST API with a user + pass, so will try this. Maybe that can help you @robin.gierse as well?

If anyone would be interested, this seems to have worked fine:

# Create automation user

  - name: Create user "automation"
    uri:
      url: "https://{{ api_url }}/{{ api_check_mk_site }}/check_mk/api/v1.0/domain-types/user_config/collections/all"
      validate_certs: no  # TLS certificate verification is switched off for this request
      method: POST
      body_format: json
      status_code: [200, 202]
      return_content: true
      follow_redirects: all
      user: "cmkadmin"
      password: "{{ cmkadminpwd }}"
      force_basic_auth: yes  # Ensures Basic Auth is used
      headers:
        Content-Type: "application/json"
        Accept: "application/json"
      body:
        fullname: "Automation Ansible User"
        username: "ans_automation"
        disable_login: false
        roles:
        - admin
        auth_option:
          auth_type: automation
          # Asks the site to keep the secret in clear text (see Werk #17344)
          store_automation_secret: true
          # Random 16-character secret; with /dev/null as the path the lookup
          # does not save it on the Ansible controller
          secret: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}"

1 Like
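
An idempotent variant of the task in the last post, as an added example that is not part of the thread or of the Checkmk Ansible collection: it looks the user up before creating it, keeps the generated secret on the Ansible controller instead of having the site store it in clear text, and leaves certificate validation on. It reuses `api_url`, `api_check_mk_site` and `cmkadminpwd` from that post; the `cmk_*` names and the `credentials/` path are assumptions, and it assumes the REST API answers `GET /objects/user_config/<username>` with 404 for a missing user.

```yaml
# Added example, not from the thread. api_url, api_check_mk_site and cmkadminpwd
# come from the post above; the cmk_* names and credentials/ path are assumptions.
- name: Ensure a Checkmk automation user exists
  hosts: localhost
  gather_facts: false
  vars:
    cmk_api: "https://{{ api_url }}/{{ api_check_mk_site }}/check_mk/api/1.0"
    cmk_user: ans_automation
    # A real file path makes the password lookup save the value on the
    # controller, so later runs read the same secret back (unlike /dev/null).
    cmk_secret: "{{ lookup('ansible.builtin.password', 'credentials/' ~ cmk_user ~ '.secret length=32 chars=ascii_letters,digits') }}"
  tasks:
    - name: Look the user up first (200 = exists, 404 = missing)
      ansible.builtin.uri:
        url: "{{ cmk_api }}/objects/user_config/{{ cmk_user }}"
        method: GET
        url_username: cmkadmin
        url_password: "{{ cmkadminpwd }}"
        force_basic_auth: true
        validate_certs: true
        headers:
          Accept: application/json
        status_code: [200, 404]
      register: cmk_lookup
      no_log: true  # keeps the admin password out of task output

    - name: Create the automation user only when it is missing
      ansible.builtin.uri:
        url: "{{ cmk_api }}/domain-types/user_config/collections/all"
        method: POST
        url_username: cmkadmin
        url_password: "{{ cmkadminpwd }}"
        force_basic_auth: true
        validate_certs: true
        body_format: json
        body:
          username: "{{ cmk_user }}"
          fullname: Automation Ansible User
          roles: [admin]
          auth_option:
            auth_type: automation
            secret: "{{ cmk_secret }}"
            # store_automation_secret is left out: per Werk #17344 the site
            # then keeps no clear-text copy of the secret.
        headers:
          Accept: application/json
        status_code: [200]
      when: cmk_lookup.status == 404
      no_log: true  # the request body carries the new secret
```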