InsightVM Cloud API: "Access to this resource is not allowed"

I am attempting to get a list of assets using the InsightVM Cloud api. I have generated an API key and authenticated successfully. When I use the InsightVM web interface, I am able to retrieve the asset list; however, when I connect via the API, I receive an error 401: Access to this resource is not allowed. Are there additional permissions I need to have configured for my account in order to access the assets via api? (I receive the same error when attempting to retrieve vulnerabilities, as well.)

I am using this endpoint: https://us.api.insight.rapid7.com:443/vm/v4/integration/assets

There’s a couple different things to check but the first thing may be that you are querying against us instead of us2 or us3 depending on where you’re hosted. Log into InsightVM and look at the URL bar and see what your URL says. (Or check the Platform account)

Mine for example is hosted in us2:
Screen Shot 2022-08-01 at 10.58.45 AM

If you’re also hosted in us2 or us3 just change the URL endpoint in your request.

Thanks, John.

Here’s the URL when I log into InsightVM:
Rapid7 Exposure Analytics

We’re hosted in the US, but the region does not appear in the URL. I tried us, us2, and us3 - all with the same resulting 401 error.

(UPDATE - I just confirmed we’re in region United States - 1)

When you go to “My Account” on the platform home page does your account just say “United States - 1”?

Screen Shot 2022-08-01 at 11.11.10 AM

Also, what are you using to build your request? Are you just using Python or something similar or are you using an app like Postman?

Yes, sorry - I just confirmed it is United States - 1.

I am using Postman to build the request.

Also, I do receive results using the scan endpoint (https://us.api.insight.rapid7.com/vm/v4/integration/scan) - it returns the id, status, started, and finished values for scans.

alright, so 401 is saying there’s something wrong with the Authentication. Double check your x-api-key in Postman. I would suggest setting it at the Collection level and not at the request level. Let each request in the collection Inherit from Parent.

API key is entered correctly. I set it at the Collection level and received the same result. I wouldn’t think it could be an issue with the key itself, since I do receive results when querying scans.

Success: https://us.api.insight.rapid7.com/vm/v4/integration/scan

401 Error: https://us.api.insight.rapid7.com/vm/v4/integration/assets
401 Error: https://us.api.insight.rapid7.com/vm/v4/integration/sites

500 Error: https://us.api.insight.rapid7.com/vm/v4/integration/vulnerabilities

Did you create it as a user key or as an org key?

It’s a user key. From what I understand, that key should inherit all the permissions of my user account, right?

That is correct, if you are a platform admin i would try generating an org key though and using that in the request instead to see what results you get.

If the org key doesnt work either then its possible that something in Postman is wrong.

The org key works. Not sure why the user key doesn’t, but that’s a problem for another day. Thanks for your help on this.

Yea absolutely! I assume something funky was going on in Postman on how it was presenting the authentication or something.

Out of curiosity I even tried the same endpoint with both a User and Org API key and both requests worked. My User profile is full Admin though. If your profile is anything different that may have been the issue as well?