Skip to main content

PROX001 - Proxmox Authorization Failed

Agent error code #PROX001 indicates that the Proxmox API authenticated the token successfully but rejected the requested action with HTTP 403 (Forbidden). The token lacks the privileges needed to read or modify the configured firewall ipset.

This error is distinct from authentication failures (#PROX000), which mean the token identifier or secret itself was rejected.

Common causes include:

  • The token user has no permission entry covering the firewall path the agent is acting on
  • Privilege Separation is enabled on the token but no permission entry was added directly against the token
  • The wrong scope is configured in the Knoc (cluster vs per-VM) so the agent is hitting a path the user can't reach
  • The role assigned to the user lacks Sys.Audit and Sys.Modify on the firewall path

Steps to Resolve

Add a Permission Entry on Proxmox

  1. Log into the Proxmox web UI as an administrator
  2. Navigate to Datacenter > Permissions and click Add > User Permission
  3. Set Path to one of:
    • / or /cluster for cluster-scoped ipsets
    • /vms/<vmid> for per-VM ipsets (or a pool that contains the VM)
  4. Set User to the service account the token belongs to
  5. Set Role to PVEFirewallAdmin (built-in) or a custom role with at least Sys.Audit and Sys.Modify
  6. Tick Propagate

Handle Privilege Separation

If the token was created with Privilege Separation ticked, the user's permissions are not enough on their own:

  1. Navigate to Datacenter > Permissions > API Tokens and confirm the Privilege Separation setting on the token
  2. If left ticked, repeat the steps above but pick the token (not the user) under User
  3. Alternatively, untick Privilege Separation on the token so it inherits the user's permissions directly

Confirm the Scope in Knocknoc

  1. Edit the affected Knoc in the Knocknoc admin interface
  2. Confirm the Scope matches the path the token has access to
  3. For per-VM scope, confirm the Proxmox node and VM ID point at a VM the user can edit

Still Having Issues?

We can help you out, contact us at [email protected].