Setting Up a vSphere Service Account for Pivotal BOSH Director using PowerCLI

BOSH Director requires a fairly powerful vCenter service account to do all of the things it does.

The list of permissions required is here, and it’s extensive.

You can always take the shortcut and make your account an Administrator of the vSphere environment, but that violates the whole “least privilege” principle and I don’t like that in production environments.

I wrote a PowerCLI function that automatically creates this vCenter role and adds the specified user/group to it.

It greatly reduces the time to set this up.  Hope this helps someone out.

function Add-BoshVCenterAccount()
{
<#
.SYNOPSIS
Grants the correct vSphere permissions to the specified service user/group for BOSH director to function.
.DESCRIPTION
This function creates a new vSphere role called PKS Administrators if it does not exist already. It then assigns the specified local or domain user/group to the role at the root vCenter server object.
.PARAMETER Group
Specifies the Group to assign the role to.
.PARAMETER User
Specifies the User to assign the role to.
.PARAMETER Domain
If specified, then the User or Group specified is assumed to be a domain object. Specify the AD Domain the user/group is a member of.
.OUTPUTS
[VMware.VimAutomation.ViCore.Impl.V1.PermissionManagement.PermissionImpl]
The resultant permission.
.LINK
https://docs.pivotal.io/pivotalcf/2-0/customizing/vsphere-service-account.html
.EXAMPLE
Connect-ViServer -Server myvcenter.domain.com
Add-BoshVCenterAccount -Domain mydomain -User user1
#>
[CmdletBinding(SupportsShouldProcess,DefaultParameterSetName="user")]
param
(
[Parameter(Mandatory,ParameterSetName="user")]
[string] $User,
[Parameter(Mandatory,ParameterSetName="group")]
[string] $Group,
[string] $Domain
)
$version = $Null
# Connect-VIServer sets $global:DefaultVIServer. Get-Variable never reports a
# "global:" prefix in the Name property, so test the variable directly.
if ( $global:DefaultVIServer )
{
$version = $global:DefaultVIServer.Version
}
else
{
throw ("Use Connect-VIServer first!")
}
# Permissions for 6.5+:
$privileges = @( `
"Manage custom attributes",
"Allocate space",
"Browse datastore",
"Low level file operations",
"Remove file",
"Update virtual machine files",
"Delete folder",
"Create folder",
"Move folder",
"Rename folder",
"Set custom attribute",
"Modify cluster",
"CreateTag",
"EditTag",
"DeleteTag",
"Assign network",
"Assign virtual machine to resource pool",
"Migrate powered off virtual machine",
"Migrate powered on virtual machine",
"Add existing disk",
"Add new disk",
"Add or remove device",
"Advanced",
"Change CPU count",
"Change resource",
"Configure managedBy",
"Disk change tracking",
"Disk lease",
"Display connection settings",
"Extend virtual disk",
"Memory",
"Modify device settings",
"Raw device",
"Reload from path",
"Remove disk",
"Rename",
"Reset guest information",
"Set annotation",
"Settings",
"Swapfile placement",
"Unlock virtual machine",
"Guest Operation Program Execution",
"Guest Operation Modifications",
"Guest Operation Queries",
"Answer question",
"Configure CD media",
"Console interaction",
"Defragment all disks",
"Device connection",
"Guest operating system management by VIX API",
"Power Off",
"Power On",
"Reset",
"Suspend",
"VMware Tools install",
"Create from existing",
"Create new",
"Move",
"Register",
"Remove",
"Unregister",
"Allow disk access",
"Allow read-only disk access",
"Allow virtual machine download",
"Allow virtual machine files upload",
"Clone template",
"Clone virtual machine",
"Customize",
"Deploy template",
"Mark as template",
"Mark as virtual machine",
"Modify customization specification",
"Promote disks",
"Read customization specifications",
"Create snapshot",
"Remove Snapshot",
"Rename Snapshot",
"Revert to snapshot",
"Import",
"vApp application configuration"
)
if ( $version -ilike "6.0*" )
{
# Version 6.0 permissions:
$privileges = $privileges | Where-Object { $_ -inotmatch '^(Create|Edit|Delete)Tag$' }
$privileges += "Create Inventory Service Tag"
$privileges += "Edit Inventory Service Tag"
$privileges += "Delete Inventory Service Tag"
}
$role = Get-ViRole | Where-Object { $_.Name -ieq "PKS Administrators" }
if ( !$role )
{
$role = New-VIRole -Name "PKS Administrators" -Privilege $privileges
}
$principalParam = @{}
$idFieldName = "Name"
if ( $Domain )
{
$principalParam.Add("Domain", $Domain)
$idFieldName = "Id"
}
if ( $PSCmdlet.ParameterSetName -ieq "user" )
{
$principalParam.Add($idFieldName, $User)
$principalParam.Add("User", $true)
}
else
{
$principalParam.Add($idFieldName, $Group)
$principalParam.Add("Group", $true)
}
$principal = Get-VIAccount @principalParam
if ( $PSCmdlet.ShouldProcess($DefaultViServer.Name, "Add permission to root Vcenter for domain account $($principal.Name) and role PKS Administrators") )
{
New-VIPermission -Entity "Datacenters" -Principal $principal -Role $role
}
}
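
To check that the least-privilege intent actually holds after the function has run, the following added example (not part of the original post) compares the role's privileges against the expected list and reports any other roles the service account holds, such as Administrator. `Test-BoshVCenterRole` is a hypothetical helper name, the principal string is a constructed sample, and an active `Connect-VIServer` session is assumed.

```powershell
# Added example: audit the role and permissions created by Add-BoshVCenterAccount.
# Test-BoshVCenterRole is a hypothetical name; requires a Connect-VIServer session.
function Test-BoshVCenterRole
{
    [CmdletBinding()]
    param
    (
        # Privilege display names the role should hold (the $privileges list above).
        [Parameter(Mandatory)] [string[]] $ExpectedPrivilege,
        # Principal as vCenter reports it, e.g. "MYDOMAIN\user1" (constructed sample).
        [Parameter(Mandatory)] [string] $Principal,
        [string] $RoleName = "PKS Administrators"
    )

    $role = Get-VIRole -Name $RoleName -ErrorAction Stop

    # Every role implicitly carries System.Anonymous/Read/View; ignore those.
    # Names are compared because the list above is written as display names.
    $actual = @(Get-VIPrivilege -Role $role |
        Where-Object { $_.Id -notlike "System.*" } |
        Select-Object -ExpandProperty Name -Unique)
    $expected = @($ExpectedPrivilege | Select-Object -Unique)

    # -notin is case-insensitive and tolerates empty collections.
    $missing = @($expected | Where-Object { $_ -notin $actual })
    $extra   = @($actual   | Where-Object { $_ -notin $expected })

    # Any permission for this principal under a different role defeats the point
    # of the dedicated role (for example a leftover Admin grant).
    $perms = @(Get-VIPermission | Where-Object { $_.Principal -ieq $Principal })
    $otherRoles = @($perms | Where-Object { $_.Role -ine $RoleName } |
        ForEach-Object { "$($_.Role) on $($_.Entity.Name)" })

    [pscustomobject]@{
        Role              = $role.Name
        Assigned          = [bool]($perms | Where-Object { $_.Role -ieq $RoleName })
        MissingPrivileges = $missing
        ExtraPrivileges   = $extra
        OtherRoles        = $otherRoles
        Compliant         = (-not $missing) -and (-not $extra) -and (-not $otherRoles)
    }
}

# Usage (principal is a constructed sample value):
# Test-BoshVCenterRole -ExpectedPrivilege $privileges -Principal "MYDOMAIN\user1"
```

A non-empty `ExtraPrivileges` or `OtherRoles` means the account has drifted beyond what the role was meant to grant; privilege display names differ between vCenter versions, so pass the list that matches the connected server.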
