Showing results for 
Search instead for 
Did you mean: 

ACI Automation Part 1 - ACI with Postman Introduction



I. Introduction


This article is a simple introduction on how to use automation in ACI.


In this article we’ll discuss on DN and Class name in ACI. As well as Postman, on how to login to ACI using Postman and creating a simple tenant.


II. Postman


1. What is Postman?


Postman is third party REST API tool. This can be used to create and retrieve object information in ACI. 


2. To download Postman



III. Distinguish Name and Managed Object


In ACI the components are represented in a management information tree (MIT). Each node in this MIT is a managed object (MO). MOs are identified by their unique distinguished name (DN). This DN provides the fully qualified path from the root of the object tree to the object itself.


DN is made up of a series of pieces known as relative names (RN).


dn = {rn}/{rn}/{rn}/{rn}…


The APIC REST API is a programmatic interface to the APIC. Here, you can use any programming language to generate REST calls, which contain JSON or XML formatted data to read and write objects in the APIC MIT.


IV. Logging to ACI with Postman


1. Define Your Variables


Click on Settings > Manage Environments





Click Add


Change the value of the apic, username and password accordingly.


2. Create Collections


On the top left hand side of your postman you can click either one of these button to create a new collections.



You can name it accordingly (e.g. Add Tenant) and click Create


3. Create New Request To Login To APIC


On the right hand side of the Postman, you can create a new request.

Inside the new request, you can fill in the following to login to APIC:


POST    https://{{apic}}/api/aaaLogin.json



{ "aaaUser" : { "attributes": {"name":"{{username}}","pwd":"{{password}}" } } } 


As you see here, the {{apic}} {{username}} {{password}} here is your variable where you define in earlier step IV.1. It contains the value of whichever Fabric you’re currently in. The variable have to be inside the double curly braces {{ }}.  


Click Send.



Once Send, you can see the response at the bottom of the Postman that shows you the token generated.


Click Save, this is next to your send button. This is to Save the request to your Collection folder that you created earlier.


V. Creating Simple Tenant


1. Create New Request For Creating Tenant


Below example will create the new tenant with the name "tenant-1"


POST   https://{{apic}}/api/node/mo/uni/tn-tenant-1.json






Click Send.


Make sure that this request is run after you logged in (Step 4). If this request is run without login, you'll find the authentication error.


Save the request to the collection folder.


2. Result

In your APIC ALL TENANTS, you'll find tenant-1 has been created.





Thanks. How do I get around this?

{"totalCount":"1","imdata":[{"error":{"attributes":{"code":"403","text":"Token was invalid (Error: Token timeout)"}}}]}

This is right after I post for an APIC login and get a successful login (Status 200 OK)


Thank you!




I have the same issue where it complains....


"totalCount": "1",
"imdata": [
"error": {
"attributes": {
"code": "403",
"text": "Need a valid webtoken cookie (named APIC-Cookie) or a signed request with signature in the cookie APIC-Request-Signature for all REST API requests"


Any ideas?


I know the problem has something to do with not being logged in.


Can the login script be combined with the create tenant script?  How do you do that?


Cisco Employee



You need to login first so that you have a valid token for your subsequent requests. In the response of login script you would see token and refresh timeout (by default 600 seconds). If the session is established and remains idle for 600 seconds, then you may have to post the login script again.



 <aaaLogin token="hUUaqAhmcuq56GPdvPDB76hjHxgkdNli1BcixXCFTxXiQaUrIT5zWbqWhRHcoVKwGPejFKa4U3f9LRyiPSL6fJbMDGWsWUpmz0wilYbtO1OHk+ClcOrZUnh4SzsfilAWWGa0tvxtBK/EtsEmU2+6Iz6iBwXBElCyhA913GYT1SVnoIpuz1G87rHHGX9kiLQl" siteFingerprint="B/A83Gry7cx9r2vb" refreshTimeoutSeconds="600"



There are two ways to do it,

1. Either post the login script first (separately) and then post your subsequent scripts.

2. Save your  sequential list of scripts in a collection and place the login script at the top. With this you can run multiple sequential script with one go, eg. creating filter, contracts and attaching it to the EPG with one collection runner consisting of multiple jobs.


In the above snapshot, ACI-API is the collection, which contains folder name Fabric and in that folder there are sequential scripts.








Why didn't you have to use the token for the next post request?


I read in ACI documentation that once you get the auth token from the login request, then you should use it in next requests.


If I create a script in python to make both requests, do I have to send the token in the second request as an Authorization request header? Something like:

Authorization : Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiw...


Thank you!

Cisco Employee

Hi Fonsies,

In postman, it maintains the session like browser. So when we post login payload, a session is created which lasts for 600seconds(default token refresh timeout). So any subsequent requests are allowed bydefault since they are part of the same session.


In case of firing APIs with python, to avoid overhead of sending token through header of subsequent request, you should use request.session() function from requests lib.





Very useful ... Thank you


Very useful...


I am a beginner and the doc has helped me a lot in understanding the overall automation concept for ACI and DN, MOs.


Content for Community-Ad