VMware Cloud services supports server to server apps that you can use to automate management of Operations for Applications objects, such as dashboards and alerts. A server to server app can’t perform the UI operations that all user accounts can perform by default.
You can also use a server to server app for Wavefront proxy authentication. For example, see our Windows Host Integration Tutorial, which includes installing a Wavefront proxy with server to server OAuth app credentials.
What Are Server to Server Apps?
Server to server apps are used for automating management tasks.
- A server to server app uses OAuth 2.0 client credentials to get a VMware Cloud services access token and authenticate.
- A server to server app can be assigned organization roles, service roles, and custom roles.
  Note: You must explicitly grant each server to server app only the role with the permission required for the task that’s being automated (least required privilege). Doing so ensures that the permissions of the server to server app are always very limited.
- A server to server app can be used in multiple organizations. The owner of a server to server app is the organization in which it was created.
How Server to Server Apps Work
If you build an application or tool that manages proxies or ingests data, then that tool must authenticate to the Operations for Applications REST API with a VMware Cloud services access token. Here’s how it works:
- Create a server to server app in VMware Cloud services. See How to use OAuth 2.0 for server to server apps in the VMware Cloud services documentation.
- Assign the server to server app one or more Operations for Applications service roles for the service instance.
  Important: Ensure that you assign the server to server app only the roles and permissions that are needed. Do not assign all roles listed in the VMware Cloud Services Console.
  For example, to use a server to server app only for setting up the Operations for Applications integrations, assign only the Proxies service role to the app.
  If you plan to assign the server to server app a custom role, you must assign that server to server app at least one Operations for Applications service role, for example Viewer.
  Important: In a multi-tenant Operations for Applications environment, custom roles apply to all service instances (tenants) to which the server to server app has access, that is, for which the server to server app has at least one service role.
- Obtain the OAuth 2.0 client credentials of the server to server app and save them to a secure place.
- Add the app to your VMware Cloud organization running the Operations for Applications service.
- Configure your tool to pass the OAuth 2.0 client credentials to the REST API and exchange them for an access token. See Make API Calls by Using a Server to Server App.
  The access token is issued directly to your tool, and it authenticates seamlessly to the API.
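The credential exchange in the last step, sketched as an added example (not code from the VMware documentation): the tool sends the client credentials in an HTTP Basic header, caches the returned access token, and renews it before expiry. `TOKEN_URL` is a placeholder, and `TokenSource`, `build_token_request`, and the injectable `send` and `clock` parameters are hypothetical names; take the real token endpoint from the VMware Cloud services documentation.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumption: placeholder endpoint. Use the token URL given in the
# VMware Cloud services documentation for your organization.
TOKEN_URL = "https://csp.example.invalid/oauth/token"

def build_token_request(client_id, client_secret, token_url=TOKEN_URL):
    """OAuth 2.0 client-credentials grant (RFC 6749, section 4.4)."""
    # The secret travels only in the Basic header, never in the URL,
    # so it stays out of proxy and access logs.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")

def http_send(req):
    """Default transport: send the request and decode the JSON reply."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenSource:
    """Caches the access token and renews it `skew` seconds before expiry."""

    def __init__(self, client_id, client_secret, send=http_send,
                 clock=time.monotonic, skew=60):
        self._creds = (client_id, client_secret)
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            reply = self._send(build_token_request(*self._creds))
            if "access_token" not in reply or reply.get("token_type", "").lower() != "bearer":
                # Keep the reply out of the error text: it may carry token material.
                raise ValueError("unexpected token response")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply.get("expires_in", 0))
        return self._token

    def authorize(self, req):
        """Attach the bearer token to an outgoing REST API request."""
        req.add_header("Authorization", f"Bearer {self.token()}")
        return req
```

Load the client ID and secret from a secrets store or the process environment at start-up rather than embedding them in the tool's source.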
After you create a server to server app, you can change its roles, share it with other VMware Cloud organizations, and delete it when you no longer need it.