Recently, I was developing an Extensibility Subscription workflow in Orchestrator that queries the Aria Automation CMX REST API.
While it ran perfectly when executed manually within Orchestrator, it failed when invoked from Aria Automation Service Broker as part of an Extensibility subscription (here, Kubernetes Supervisor Namespace Post Provision).
The resulting error message was:

Catalog Item Deployment NS Test failed for Supervisor Namespace: Extensibility error for topic kubernetes.sv.namespace.provision.post: [10040] SubscriberID: vro-gateway-elsAsEMn7yjjbAGz, RunnableID: 587ed41a-a51b-4cdc-a10d-7c705a57db39 and SubscriptionID: sub_1695305241572 failed with the following error: Workflow run [fd626a0a-0386-4778-b2ad-8e7ffd5f5e9f] completed with error [Error in worker: HTTP error 500 - {"timestamp":"2023-08-20T16:26:45.991+0000","path":"/cmx/api/resources/supervisor-namespaces","status":500,"error":"Internal Server Error","message":"No orgId in token for vro-gateway-elsAsEMn7yjjbAGz","requestId":"f7763022-202212","@type":"java.lang.IllegalStateException"} (Dynamic Script Module name : executeRestCall#11) (Workflow:Kubernetes Supervisor Namespace Post Provision / Control WF (item4)#5)]

The default Aria Automation host authentication configuration for the session mode is “Per User Session”. This leverages the permissions of the account that calls the workflow for authorization in the REST call.

When an Orchestrator workflow is called from Service Broker, it runs in the context of the vro-gateway-* user instead of the requesting user account. A REST call made in that context does not have the necessary permissions to collect all information from Aria Automation.

To fix this, we can use the following workaround (as proposed in VMware KB article 85240):

  1. Run the Add vRA Host workflow to create a new and separate connection to the desired Aria Automation host.
  2. Set the connection value for Shared Session.
  3. Provide the credentials for the account that has the permissions required to view the desired content from Aria Automation.
  4. Use this new vRA:Host object that was added to inventory in your workflows that will be called from the Service Broker catalog.
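
To find other workflows affected by the same identity problem, the error text can be triaged automatically. The following is an added example, not code from the original post or from VMware: it extracts the JSON body embedded in the workflow error and flags the "No orgId in token" case. The function names are hypothetical, and the sample string is constructed from the error message quoted above.

```javascript
// Added example: triage an Orchestrator workflow error string.
// SAMPLE_ERROR is constructed from the error message quoted in the post.
var SAMPLE_ERROR = 'Workflow run [fd626a0a-0386-4778-b2ad-8e7ffd5f5e9f] ' +
  'completed with error [Error in worker: HTTP error 500 - ' +
  '{"timestamp":"2023-08-20T16:26:45.991+0000",' +
  '"path":"/cmx/api/resources/supervisor-namespaces","status":500,' +
  '"error":"Internal Server Error",' +
  '"message":"No orgId in token for vro-gateway-elsAsEMn7yjjbAGz",' +
  '"requestId":"f7763022-202212","@type":"java.lang.IllegalStateException"}' +
  ' (Dynamic Script Module name : executeRestCall#11)]';

// Pull the JSON body that follows "HTTP error NNN - " out of the wrapper text.
// Braces inside JSON strings are ignored; a truncated body returns null.
function extractJsonBody(text) {
  var m = /HTTP error \d{3} - /.exec(text);
  if (!m) return null;
  var start = m.index + m[0].length;
  if (text.charAt(start) !== '{') return null;
  var depth = 0, inString = false, escaped = false;
  for (var i = start; i < text.length; i++) {
    var c = text.charAt(i);
    if (inString) {
      if (escaped) escaped = false;
      else if (c === '\\') escaped = true;
      else if (c === '"') inString = false;
    } else if (c === '"') inString = true;
    else if (c === '{') depth++;
    else if (c === '}' && --depth === 0) {
      try { return JSON.parse(text.substring(start, i + 1)); }
      catch (e) { return null; }
    }
  }
  return null;
}

// Separate the gateway-identity failure from unrelated HTTP errors.
function classifyWorkflowError(text) {
  var body = extractJsonBody(text);
  if (!body || typeof body.message !== 'string') return { kind: 'unparsed' };
  var m = /^No orgId in token for (vro-gateway-[A-Za-z0-9]+)$/.exec(body.message);
  if (m) {
    return { kind: 'gateway-identity', principal: m[1],
             path: body.path, status: body.status };
  }
  return { kind: 'other', path: body.path, status: body.status };
}

console.log(JSON.stringify(classifyWorkflowError(SAMPLE_ERROR)));
```

A `gateway-identity` result means the call was made in the vro-gateway-* context, so the workflow is a candidate for the Shared Session host described in the steps above.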