PROX001 - Proxmox Authorization Failed
Agent error code #PROX001 indicates that the Proxmox API authenticated the token successfully but rejected the requested action with HTTP 403 (Forbidden). The token lacks the privileges needed to read or modify the configured firewall ipset.
This error is distinct from authentication failures (#PROX000), which mean the token identifier or secret itself was rejected.
Common causes include:
- The token user has no permission entry covering the firewall path the agent is acting on
- Privilege Separation is enabled on the token but no permission entry was added directly against the token
- The wrong scope is configured in the Knoc (cluster vs per-VM) so the agent is hitting a path the user can't reach
- The role assigned to the user lacks
Sys.AuditandSys.Modifyon the firewall path
Steps to Resolve
Add a Permission Entry on Proxmox
- Log into the Proxmox web UI as an administrator
- Navigate to Datacenter > Permissions and click Add > User Permission
- Set Path to one of:
/or/clusterfor cluster-scoped ipsets/vms/<vmid>for per-VM ipsets (or a pool that contains the VM)
- Set User to the service account the token belongs to
- Set Role to
PVEFirewallAdmin(built-in) or a custom role with at leastSys.AuditandSys.Modify - Tick Propagate
Handle Privilege Separation
If the token was created with Privilege Separation ticked, the user's permissions are not enough on their own:
Confirm the Scope in Knocknoc
- Edit the affected Knoc in the Knocknoc admin interface
- Confirm the Scope matches the path the token has access to
- For per-VM scope, confirm the Proxmox node and VM ID point at a VM the user can edit
Still Having Issues?
We can help you out, contact us at [email protected].