vSphere Service Account Requirements

Page last updated:

This topic describes the minimum privileges required by the vSphere BOSH CPI. You must grant the following privileges to your vSphere service account to deploy Pivotal Cloud Foundry (PCF).

vCenter Root Privileges

Ops Manager assigns custom attributes to the VMs it deploys to identify BOSH releases and job index information on each VM. vCenter APIs require root access to manage these custom attributes.

You must grant the following privileges on the root vCenter server entity to the service account:

Privilege (UI)Privilege (API)
Read-onlySystem.Anonymous
System.Read
System.View
Manage custom attributesGlobal.ManageCustomFields

vCenter Datacenter Privileges

You must grant the following privileges on any datacenter entities where you will deploy PCF:

Role Object

Privilege (UI)Privilege (API)
Users inherit the Read-Only role from the vCenter root levelSystem.Anonymous
System.Read
System.View

Datastore Object

The following privileges must be set at the datacenter level to upload and delete virtual machine files.

Privilege (UI)Privilege (API)
Allocate spaceDatastore.AllocateSpace
Browse datastoreDatastore.Browse
Low level file operationsDatastore.FileManagement
Remove fileDatastore.DeleteFile
Update virtual machine filesDatastore.UpdateVirtualMachineFiles

Folder Object

Ops Manager creates a folder for VMs, stemcells, and persistent disks during installation. The folder contents change frequently as Ops Manager applies changes.

Privilege (UI) Privilege (API)
Delete folder Folder.Delete
Create folderFolder.Create
Move folderFolder.Move
Rename folderFolder.Rename

Global Object

Privilege (UI)Privilege (API)
Set custom attributeGlobal.SetCustomField

Host Object

This setting allows BOSH to manage rules for Distributed Resource Scheduler (DRS) and VM affinity. BOSH requires this setting, but Ops Manager does not use this feature. See the BOSH documentation for more information.

Privilege (UI) Privilege (API)
Modify clusterHost.Inventory.EditCluster

Network Object

Privilege (UI)Privilege (API)
Assign networkNetwork.Assign

Resource Object

When using vAppImport to clone a VM, BOSH requires the resource migration privileges to create a new, powered-off VM based on a given stemcell. BOSH migrates the VM to the destination datastore, where Ops Manager deploys the VM and powers it on.

Privilege (UI) Privilege (API)
Assign virtual machine to resource poolResource.AssignVMToPool
Migrate powered off virtual machineResource.ColdMigrate
Migrate powered on virtual machineResource.HotMigrate

Virtual Machine Object

Configuration

Privilege (UI) Privilege (API)
Add existing diskVirtualMachine.Config.AddExistingDisk
Add new diskVirtualMachine.Config.AddNewDisk
Add or remove deviceVirtualMachine.Config.AddRemoveDevice
AdvancedVirtualMachine.Config.AdvancedConfig
Change CPU countVirtualMachine.Config.CPUCount
Change resourceVirtualMachine.Config.Resource
Configure managedByVirtualMachine.Config.ManagedBy
Disk change trackingVirtualMachine.Config.ChangeTracking
Disk leaseVirtualMachine.Config.DiskLease
Display connection settingsVirtualMachine.Config.MksControl
Extend virtual diskVirtualMachine.Config.DiskExtend
MemoryVirtualMachine.Config.Memory
Modify device settingsVirtualMachine.Config.EditDevice
Raw deviceVirtualMachine.Config.RawDevice
Reload from pathVirtualMachine.Config.ReloadFromPath
Remove diskVirtualMachine.Config.RemoveDisk
RenameVirtualMachine.Config.Rename
Reset guest informationVirtualMachine.Config.ResetGuestInfo
Set annotationVirtualMachine.Config.Annotation
SettingsVirtualMachine.Config.Settings
Swapfile placementVirtualMachine.Config.SwapPlacement
Unlock virtual machineVirtualMachine.Config.Unlock

Guest Operations

Privilege (UI) Privilege (API)
Guest Operation Program ExecutionVirtualMachine.GuestOperations.Execute
Guest Operation ModificationsVirtualMachine.GuestOperations.Modify
Guest Operation QueriesVirtualMachine.GuestOperations.Query

Interaction

Privilege (UI) Privilege (API)
Answer questionVirtualMachine.Interact.AnswerQuestion
Configure CD mediaVirtualMachine.Interact.SetCDMedia
Console interactionVirtualMachine.Interact.ConsoleInteract
Defragment all disksVirtualMachine.Interact.DefragmentAllDisks
Device connectionVirtualMachine.Interact.DeviceConnection
Guest operating system management by VIX APIVirtualMachine.Interact.GuestControl
Power offVirtualMachine.Interact.PowerOff
Power onVirtualMachine.Interact.PowerOn
ResetVirtualMachine.Interact.Reset
SuspendVirtualMachine.Interact.Suspend
VMware Tools installVirtualMachine.Interact.ToolsInstall

Inventory

Privilege (UI) Privilege (API)
Create from existingVirtualMachine.Inventory.CreateFromExisting
Create newVirtualMachine.Inventory.Create
MoveVirtualMachine.Inventory.Move
RegisterVirtualMachine.Inventory.Register
RemoveVirtualMachine.Inventory.Delete
UnregisterVirtualMachine.Inventory.Unregister

Provisioning

When cloning a stemcell, BOSH sets custom specifications, such as hostnames and network configurations, based on the stemcell operating system.

The VM download privilege allows BOSH to modify files within a VM, including links between VMs and persistent disks. When vMotion migrates disks in vSphere, BOSH uses these links to maintain the connections between VMs and their persistent disks.

Privilege (UI) Privilege (API)
Allow disk accessVirtualMachine.Provisioning.DiskRandomAccess
Allow read-only disk accessVirtualMachine.Provisioning.DiskRandomRead
Allow virtual machine downloadVirtualMachine.Provisioning.GetVmFiles
Allow virtual machine files uploadVirtualMachine.Provisioning.PutVmFiles
Clone templateVirtualMachine.Provisioning.CloneTemplate
Clone virtual machineVirtualMachine.Provisioning.Clone
CustomizeVirtualMachine.Provisioning.Customize
Deploy templateVirtualMachine.Provisioning.DeployTemplate
Mark as templateVirtualMachine.Provisioning.MarkAsTemplate
Mark as virtual machineVirtualMachine.Provisioning.MarkAsVM
Modify customization specificationVirtualMachine.Provisioning.ModifyCustSpecs
Promote disksVirtualMachine.Provisioning.PromoteDisks
Read customization specificationsVirtualMachine.Provisioning.ReadCustSpecs

Snapshot Management

Before Ops Manager deploys a new VM, it uses a snapshot to clone the stemcell image to the destination.

Privilege (UI) Privilege (API)
Create snapshotVirtualMachine.State.CreateSnapshot
Remove snapshotVirtualMachine.State.RemoveSnapshot
Rename snapshotVirtualMachine.State.RenameSnapshot
Revert snapshotVirtualMachine.State.RevertToSnapshot

vApp Object

These privileges must be set at the resource pool level. VApp.ApplicationConfig is required when attaching or detaching persistent disks.

Privilege (UI)Privilege (API)
ImportVApp.Import
vApp application configurationVApp.ApplicationConfig
Create a pull request or raise an issue on the source for this page in GitHub