vSphere Service Account Requirements
Page last updated:
This topic describes the minimum privileges required by the vSphere BOSH CPI. A vSphere admin must grant the following privileges to the vSphere service account that Pivotal Cloud Foundry (PCF) uses to manage vSphere resources.
The PCF account needs privileges at both the vCenter server level and the Datacenter level. See Hierarchical Inheritance of Permissions in the VMware documentation for how permission levels and inheritance work in vSphere.
vCenter-Level Privileges
Ops Manager assigns custom attributes to the virtual machines (VMs) it deploys to identify BOSH releases and job index information about each VM. vCenter APIs require vCenter server level access to manage these custom attributes.
The following table summarizes the privileges that a PCF account requires at the vCenter Server instance level. Some of these privileges are inherited, and others must be granted by a vCenter admin:
| Object | Privilege (UI) | Privilege (API) |
| Role | Read-only | System.Anonymous |
| System.Read |
| System.View |
| Global | Manage custom attributes | Global.ManageCustomFields |
| Set custom attributes | Global.SetCustomField |
| Register extensions | Extension.Register |
| Profile-Driven Storage |
Profile-driven storage |
StorageProfile.Update |
|
StorageProfile.View |
Datacenter-Level Privileges
The following privileges must be set at the data center level:
| Object |
Privilege (UI) |
Privilege (API) |
| Datastore |
Low level file operations |
Datastore.FileManagement |
| Network |
Assign network |
Network.Assign |
Folder and Datastore-Level Privileges
You must grant the following privileges on any entities in a datacenter where you will deploy PCF:
Datastore Object
| Privilege (UI) | Privilege (API) |
| Allocate space | Datastore.AllocateSpace |
| Browse datastore | Datastore.Browse |
| Remove file | Datastore.DeleteFile |
| Update virtual machine files | Datastore.UpdateVirtualMachineFiles |
Folder Object
Ops Manager creates a folder for VMs, stemcells, and persistent disks during installation. The folder contents change frequently as Ops Manager applies changes.
| Privilege (UI) |
Privilege (API) |
| Create folder | Folder.Create |
| Delete folder |
Folder.Delete |
| Move folder | Folder.Move |
| Rename folder | Folder.Rename |
Host Object
| Privilege (UI) |
Privilege (API) |
| Change cluster properties |
Host.Inventory.EditCluster |
Inventory Service Object
| Privilege (UI) |
Privilege (API) |
| vSphere Tagging > Create vSphere Tag |
InventoryService.Tagging.CreateTag |
| vSphere Tagging > Delete vSphere Tag |
InventoryService.Tagging.EditTag |
| vSphere Tagging > Edit vSphere Tag |
InventoryService.Tagging.DeleteTag |
Resource Object
When using vAppImport to clone a VM, BOSH requires the resource migration privileges to create a new, powered-off VM based on a given stemcell. BOSH migrates the VM to the destination datastore, where Ops Manager deploys the VM and powers it on.
| Privilege (UI) |
Privilege (API) |
| Assign virtual machine to resource pool | Resource.AssignVMToPool |
| Migrate powered off virtual machine | Resource.ColdMigrate |
| Migrate powered on virtual machine | Resource.HotMigrate |
Virtual Machine Object
Configuration
| Privilege (UI) |
Privilege (API) |
| Add existing disk | VirtualMachine.Config.AddExistingDisk |
| Add new disk | VirtualMachine.Config.AddNewDisk |
| Add or remove device | VirtualMachine.Config.AddRemoveDevice |
| Advanced | VirtualMachine.Config.AdvancedConfig |
| Change CPU count | VirtualMachine.Config.CPUCount |
| Change resource | VirtualMachine.Config.Resource |
| Configure managedBy | VirtualMachine.Config.ManagedBy |
| Disk change tracking | VirtualMachine.Config.ChangeTracking |
| Disk lease | VirtualMachine.Config.DiskLease |
| Display connection settings | VirtualMachine.Config.MksControl |
| Extend virtual disk | VirtualMachine.Config.DiskExtend |
| Memory | VirtualMachine.Config.Memory |
| Modify device settings | VirtualMachine.Config.EditDevice |
| Raw device | VirtualMachine.Config.RawDevice |
| Reload from path | VirtualMachine.Config.ReloadFromPath |
| Remove disk | VirtualMachine.Config.RemoveDisk |
| Rename | VirtualMachine.Config.Rename |
| Reset guest information | VirtualMachine.Config.ResetGuestInfo |
| Set annotation | VirtualMachine.Config.Annotation |
| Settings | VirtualMachine.Config.Settings |
| Swapfile placement | VirtualMachine.Config.SwapPlacement |
| Unlock virtual machine | VirtualMachine.Config.Unlock |
| Upgrade virtual machine hardware | VirtualMachine.Config.UpgradeVirtualHardware |
Guest Operations
| Privilege (UI) |
Privilege (API) |
| Guest Operation Program Execution | VirtualMachine.GuestOperations.Execute |
| Guest Operation Modifications | VirtualMachine.GuestOperations.Modify |
| Guest Operation Queries | VirtualMachine.GuestOperations.Query |
Interaction
| Privilege (UI) |
Privilege (API) |
| Answer question | VirtualMachine.Interact.AnswerQuestion |
| Configure CD media | VirtualMachine.Interact.SetCDMedia |
| Interact with VM’s mouse, keyboard, and screen | VirtualMachine.Interact.ConsoleInteract |
| Defragment operations on any VM disk | VirtualMachine.Interact.DefragmentAllDisks |
| Device connection | VirtualMachine.Interact.DeviceConnection |
| Guest operating system management by VIX API | VirtualMachine.Interact.GuestControl |
| Power off | VirtualMachine.Interact.PowerOff |
| Power on | VirtualMachine.Interact.PowerOn |
| Reset | VirtualMachine.Interact.Reset |
| Suspend | VirtualMachine.Interact.Suspend |
| VMware Tools install | VirtualMachine.Interact.ToolsInstall |
Inventory
| Privilege (UI) |
Privilege (API) |
| Create new VM from existing | VirtualMachine.Inventory.CreateFromExisting |
| Create new VM | VirtualMachine.Inventory.Create |
| Move | VirtualMachine.Inventory.Move |
| Add a VM to a vCenter Server or host inventory | VirtualMachine.Inventory.Register |
| Remove a VM | VirtualMachine.Inventory.Delete |
| Unregister a VM from a vCenter Server or host inventory | VirtualMachine.Inventory.Unregister |
Provisioning
When cloning a stemcell, BOSH sets custom specifications, such as hostnames and network configurations, based on the stemcell operating system.
The VM download privilege allows BOSH to modify files within a VM, including links between VMs and persistent disks. When vMotion migrates disks in vSphere, BOSH uses these links to maintain the connections between VMs and their persistent disks.
| Privilege (UI) |
Privilege (API) |
| Allow disk access | VirtualMachine.Provisioning.DiskRandomAccess |
| Allow read-only disk access | VirtualMachine.Provisioning.DiskRandomRead |
| Allow virtual machine download | VirtualMachine.Provisioning.GetVmFiles |
| Allow virtual machine files upload | VirtualMachine.Provisioning.PutVmFiles |
| Clone template | VirtualMachine.Provisioning.CloneTemplate |
| Clone virtual machine | VirtualMachine.Provisioning.Clone |
| Customize | VirtualMachine.Provisioning.Customize |
| Deploy template | VirtualMachine.Provisioning.DeployTemplate |
| Mark as template | VirtualMachine.Provisioning.MarkAsTemplate |
| Mark as virtual machine | VirtualMachine.Provisioning.MarkAsVM |
| Modify customization specification | VirtualMachine.Provisioning.ModifyCustSpecs |
| Promote disks | VirtualMachine.Provisioning.PromoteDisks |
| Read customization specifications | VirtualMachine.Provisioning.ReadCustSpecs |
Snapshot Management
Before Ops Manager deploys a new VM, it uses a snapshot to clone the stemcell image to the destination.
| Privilege (UI) |
Privilege (API) |
| Create snapshot | VirtualMachine.State.CreateSnapshot |
| Remove snapshot | VirtualMachine.State.RemoveSnapshot |
| Rename snapshot | VirtualMachine.State.RenameSnapshot |
| Revert snapshot | VirtualMachine.State.RevertToSnapshot |
vApp Object
These privileges must be set at the resource pool level. VApp.ApplicationConfig is required when attaching or detaching persistent disks.
| Privilege (UI) | Privilege (API) |
| Import | VApp.Import |
| vApp application configuration | VApp.ApplicationConfig |
