VMware Cloud Community
CGISam
Contributor

Ansible playbook errors with permissions

Hello

We are trying to run an Ansible playbook from our Ansible management server (not Tower) to our vCenter which is failing. The script is to clone an existing template to a VM and place it on a specific datastore and into a specific folder. I have set as restrictive permissions as possible; they are detailed below.

If I complete the task by logging into vCenter with the Ansible service account, I am able to complete the task successfully. However, when I run the playbook below, it fails with the following error:

"msg": "Failed to clone virtual machine XXXXXXX to folder 'vim.Folder:group-v287685' due to permission issue: Permission to perform this operation was denied."

If I give the user account administrator privileges over the whole vCenter the script works. Below is a subset of the script, and I have commented on the permissions our service account has at that level.

- name: Clone the template
  vmware_guest:
    hostname: "vCenter.xxxx.local"  # Service account has RO permissions to this object and its children
    username: "{{ credentials.vmware_username }}"
    password: "{{ credentials.vmware_password }}"
    datacenter: DC1X  # Service account has Administrator permissions to this object ONLY
    cluster: WCL1  # Service account has Administrator permissions to this object and its children
    validate_certs: False  # disables TLS verification of the vCenter certificate
    name: "VM-{{ tier }}-{{ servertype }}{{ item.0 }}"
    template: "Template1"  # Service account has Administrator permissions to this object and its children
    datastore: "Datastore1"  # Service account has Administrator permissions to this object and its children
    folder: "Location/vm/Customer/Customer-Templates/"  # Service account has Administrator permissions to this object ONLY
    state: poweredon
    hardware:
      num_cpus: "{{ inventory[servertype].cpus }}"
      memory_mb: "{{ inventory[servertype].memory }}"
    networks:
      - name: "{{ network[tier][servertype].net_name }}"
        ip: "{{ item.1 }}"
        netmask: "{{ network[tier][servertype].gateway }}"  # note: the 'gateway' variable feeds netmask
        gateway: "{{ network[tier][servertype].subnet }}"   # and 'subnet' feeds gateway; check these are not swapped
    disk:
      - size_gb: "{{ network[tier][servertype].disk1 }}"
        unit_number: 0
      - size_gb: "{{ network[tier][servertype].disk2 }}"
        unit_number: 1
  loop: "{{ serv_sequence | product(ip_list) | list }}"


Can someone please tell us what we need to add to allow the service account to clone the VM via the script when it works via the GUI?

Thanks
Sam

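As an added illustration (not the poster's playbook and not vCenter code), the following constructed Python model applies vSphere's permission-propagation rule to the assignments listed in the post, so you can see which effective role each object in the clone path ends up with. The inventory layout, the template's location under the target folder and the mapping of privileges to objects are assumptions; the privilege names are a subset of those the vSphere documentation lists for cloning a VM.

```python
# Constructed model of vSphere permission propagation (not pyVmomi, not vCenter code).
# Rule modelled: walking up from an object, the nearest permission for the principal
# applies if it is set on the object itself or on an ancestor with propagate=True;
# a non-propagating permission on an ancestor is skipped and the walk continues up.
ROLES = {"Administrator": {"ALL"},
         "Read-only": {"System.Anonymous", "System.Read", "System.View"}}

# Inventory tree (child -> parent), constructed from the names in the post.
PARENT = {
    "vCenter": None,
    "DC1X": "vCenter",
    "vm": "DC1X",                       # datacenter's VM folder root
    "Customer": "vm",
    "Customer-Templates": "Customer",
    "Template1": "Customer-Templates",  # assumed location of the template
    "host": "DC1X",
    "WCL1": "host",
    "datastore": "DC1X",
    "Datastore1": "datastore",
}

# Service-account permissions exactly as described in the post: (role, propagate).
PERMS = {
    "vCenter": ("Read-only", True),
    "DC1X": ("Administrator", False),            # "this object ONLY"
    "WCL1": ("Administrator", True),
    "Template1": ("Administrator", True),
    "Datastore1": ("Administrator", True),
    "Customer-Templates": ("Administrator", False),  # "this object ONLY"
}

def effective_role(obj):
    node, direct = obj, True
    while node is not None:
        if node in PERMS:
            role, propagate = PERMS[node]
            if direct or propagate:
                return role
        node, direct = PARENT[node], False
    return None

def has_privilege(obj, priv):
    role = effective_role(obj)
    return role is not None and ("ALL" in ROLES[role] or priv in ROLES[role])

def missing_privileges(target_folder):
    # Privileges the vSphere docs require for a clone, checked on the object each applies to.
    checks = [(target_folder, "VirtualMachine.Inventory.CreateFromExisting"),
              ("Template1", "VirtualMachine.Provisioning.Clone"),
              ("Datastore1", "Datastore.AllocateSpace"),
              ("WCL1", "Resource.AssignVMToPool")]
    return [(o, p) for o, p in checks if not has_privilege(o, p)]

def roles_along_path(path):
    # Effective role at each folder component, e.g. ["DC1X", "vm", "Customer", "Customer-Templates"]
    return [(obj, effective_role(obj)) for obj in path]
```

Because DC1X's permission does not propagate, the intermediate folders "vm" and "Customer" fall back to the vCenter-level Read-only role, so a clone whose target resolves to any folder other than Customer-Templates itself would lack VirtualMachine.Inventory.CreateFromExisting.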