Unable to use a limited API key successfully

Hi!

I’m trying to hook up the homepage dashboard to TrueNAS 25.04.2.6 and wanted to use a least-privilege API key for this. The dashboard uses the following bits of the API, listed with what I think are the proper roles needed:

/api/v2.0/system/info READONLY_ADMIN
/api/v2.0/pool POOL_READ
/api/v2.0/pool/dataset DATASET_READ
/api/v2.0/alert/list ALERT_LIST_READ

I’ve created a group and a user and a new API key. If I edit the group and put it in Local Administrators, everything works. If I put it in Readonly Administrators, all API endpoints above give 403s. If I create a new privilege, and put the above 4 roles into it, and assign the group to that role, I still get 403s.

I believe the new role-based access is marked experimental in 25.04, but should this work? Am I missing something? Any help or guidance would be greatly appreciated!

Thanks!

I’ve got the same problem. It’s a pity that the role exists, but only the full admin users work.

Does it work using the websocket API or is this a REST only issue?

^^^ sample of using API key in python script using our python API client.

Yes, looks like the websocket API works fine, just not the REST API:

```
alex@arch $ curl -s -D -H "Authorization: Bearer MY_API_KEY" -H "Content-Type: application/json" -k https://myserver/api/v2.0/pool/dataset
401: Unauthorized(tmp)
alex@arch $ python websocket_api.py -H truenas -K MY_API_KEY --type datasets
Connected to truenas!

Datasets Information:

* Pool Name: pool0
* Dataset Name: pool0/backup
 ..

Dataset information saved to 2025-12-03_truenas_datasets.csv
alex@arch ~/src/websocket-nas-api $
```

The API key currently has the permissions Readonly Admin, Alert List Read, Dataset Read and Pool Read. If I change that to Full Admin, the REST API works as normal.

The RBAC was designed for websocket sessions and the decision was made to not tie it into the REST framework since it was on its way out.

Gotcha, thanks!
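Since the thread concludes that role checks apply to websocket sessions only, the following added example (not code from any poster or from the TrueNAS project) audits a limited key over the websocket API by calling the four dashboard methods and reporting which are allowed or denied. Assumptions: the REST-path-to-method mapping, the `wss://HOST/api/current` URI and `truenas_api_client` usage, the `TRUENAS_API_KEY` variable name, and that authorization failures carry errno `EACCES`/`EPERM`; `fake_call` is a constructed stand-in so the block runs offline.

```python
import errno
import os
import sys

# REST paths from the thread mapped to websocket method names. Assumption:
# a GET on a collection such as /pool corresponds to "<namespace>.query".
DASHBOARD_CALLS = {
    "/api/v2.0/system/info": "system.info",
    "/api/v2.0/pool": "pool.query",
    "/api/v2.0/pool/dataset": "pool.dataset.query",
    "/api/v2.0/alert/list": "alert.list",
}

def audit_key(call, methods=DASHBOARD_CALLS):
    """Call each method via call(name); return {method: outcome}."""
    results = {}
    for method in methods.values():
        try:
            call(method)
            results[method] = "allowed"
        except Exception as exc:
            # Assumption: authorization failures carry errno EACCES or EPERM.
            if getattr(exc, "errno", None) in (errno.EACCES, errno.EPERM):
                results[method] = "denied"
            else:
                results[method] = f"error: {exc}"
    return results

def fake_call(method):
    """Constructed stand-in for a session whose key lacks ALERT_LIST_READ."""
    if method == "alert.list":
        raise PermissionError(errno.EACCES, "Not authorized")
    return []

if __name__ == "__main__":
    # With a HOST argument and TRUENAS_API_KEY set (hypothetical variable
    # name), audit a real server; otherwise run the offline demo.
    key = os.environ.get("TRUENAS_API_KEY")
    if len(sys.argv) == 2 and key:
        from truenas_api_client import Client  # assumed client usage
        with Client(uri=f"wss://{sys.argv[1]}/api/current") as c:
            if not c.call("auth.login_with_api_key", key):
                raise SystemExit("API key rejected")
            report = audit_key(c.call)
    else:
        report = audit_key(fake_call)
    for method, outcome in report.items():
        print(f"{method:20} {outcome}")
```

Reading the key from the environment keeps it out of the process list and shell history, unlike passing it as a command-line argument.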