REST API calls are rejected with a "Code 7 - Unauthorized" error message

Created On 03/25/25 09:28 AM - Last Modified 05/08/25 21:35 PM


Symptom


  • An API key was successfully generated for an administrator of the PAN-OS device.
curl -k -H "Content-Type: application/x-www-form-urlencoded" -X POST 'https://firewall/api/?type=keygen' -d 'user=<user>&password=<password>'
<response status = 'success'><result><key>LUFRPT1VRnFBdUJTUlYzZnhoU3FVRUt4dDR3NUxxYm8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXZRT2JWQW9KWnNGdllYeXFKTTNRNnB6em1RNXR1TE9uSFVmKw==</key></result></response>
  • The syntax of the REST API request is correct:
curl -X GET 'https://firewall/restapi/v10.2/Objects/Addresses?location=vsys&vsys=vsys1' -H 'X-PAN-KEY: LUFRPT1VRnFBdUJTUlYzZnhoU3FVRUt4dDR3NUxxYm8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXZRT2JWQW9KWnNGdllYeXFKTTNRNnB6em1RNXR1TE9uSFVmKw==' -k
  • REST API response is "Code 7 - Unauthorized":
{"code":7,"message":"Unauthorized","details":[{"@type":"CauseInfo","causes":[{"code":5,"module":"panui_auth","description":"Unauthorized"}]}]}
  • The log on the PAN-OS device shows a 403 response:
> tail webserver-log restapi_metrics.log
dd/mmm/yyyy:hh:mm:ss +0100 ::ffff:X.X.X.X GET /restapi/v10.2/Objects/Addresses location=vsys&vsys=vsys1 403 0.368 278 576
  • The issue is not seen with XML API calls:
curl -H "X-PAN-KEY: LUFRPT1VRnFBdUJTUlYzZnhoU3FVRUt4dDR3NUxxYm8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXZRT2JWQW9KWnNGdllYeXFKTTNRNnB6em1RNXR1TE9uSFVmKw==" -k 'https://firewall/api/?type=op&cmd=<show><system><info></info></system></show>'
<response status="success"><result><system><hostname>XXXXXX</hostname><ip-address>x.x.x.x</ip-address>...


Environment


  • Palo Alto Firewall or Panorama
  • PAN-OS version 9.2 and later
  • REST API


Cause


  • As per the list of REST API error codes: "Error Code 7: Forbidden. The caller does not have permission to execute the specified operation." 
  • The API key was generated for a specific administrator with a particular admin role. This admin role lacks permissions for the REST API.

 



Resolution


  1. Go to Device/Panorama > Admin Roles
  2. Select the admin role profile assigned to the user for which the API key was generated.
  3. Go to the REST API tab.
  4. Enable the corresponding permissions.
  5. Click OK.
  6. Commit.


Additional Information


  • The same issue can be seen with XML API calls, but the response message is more descriptive:
<response status = 'error' code = '403'><result><msg>Type [op] not authorized for user role.</msg></result></response>
  • In this case the permissions have to be enabled under the XML API tab of the admin role.
  • XML API and REST API permissions are configured in different tabs of the admin role, which is why sometimes only one of them fails while the other works fine.
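
One way to triage these responses offline, as an added example that is not part of the original article or of Palo Alto Networks code: it maps a REST API or XML API response body to the admin-role tab whose permissions need enabling. The function names and the XML_OK sample are assumptions made for illustration; the two denied bodies are the ones quoted in this article.

```python
import json
import xml.etree.ElementTree as ET

# Denied bodies are quoted from this article; XML_OK is a constructed sample.
REST_DENIED = ('{"code":7,"message":"Unauthorized","details":[{"@type":"CauseInfo",'
               '"causes":[{"code":5,"module":"panui_auth","description":"Unauthorized"}]}]}')
XML_DENIED = ("<response status = 'error' code = '403'><result>"
              "<msg>Type [op] not authorized for user role.</msg></result></response>")
XML_OK = "<response status = 'success'><result><key>EXAMPLE</key></result></response>"


def classify(body):
    """Map one API response body to (api, verdict, detail)."""
    text = body.strip()
    if text.startswith("{"):                       # REST API answers in JSON
        try:
            doc = json.loads(text)
        except ValueError:
            return ("rest", "unparseable", "")
        if doc.get("code") == 7:                   # Error Code 7: Forbidden
            causes = [f'{c.get("module", "?")}: {c.get("description", "")}'
                      for d in doc.get("details", []) for c in d.get("causes", [])]
            return ("rest", "role-denied", "; ".join(causes))
        # Assumption: any other body with a top-level "code" is a different error.
        verdict = "other-error" if "code" in doc else "ok"
        return ("rest", verdict, str(doc.get("message", "")))
    try:
        root = ET.fromstring(text)                 # XML API answers in XML
    except ET.ParseError:
        return ("xml", "unparseable", "")
    if root.get("status") == "success":
        return ("xml", "ok", "")
    msg = root.findtext("./result/msg", default="")
    # A 403 alone is not enough: require the role message quoted in the article.
    denied = root.get("code") == "403" and "not authorized for user role" in msg
    return ("xml", "role-denied" if denied else "other-error", msg)


def tabs_to_fix(bodies):
    """Admin-role tabs whose permissions need enabling, given response bodies."""
    tab = {"rest": "REST API", "xml": "XML API"}
    return sorted({tab[api] for api, verdict, _ in map(classify, bodies)
                   if verdict == "role-denied"})


if __name__ == "__main__":
    # The situation in the Symptom section: REST call denied, XML call succeeds.
    print(tabs_to_fix([REST_DENIED, XML_OK]))
```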

