VMware Cloud Community
TheVMinator
Expert

Requirements for Using PowerCLI and vCO


As per this article:

vCO PowerShell plug-in | VMware vCenter Orchestrator Blog - VMware Blogs

I understand that I need to have a local Windows user account on the PowerShell host that will be used to run my PowerCLI script from vCO when it connects through WinRM.

However, it doesn't say what permissions that account needs to have. Does that need to be a local administrator account? From a security perspective, if I follow the principle of "least privilege", what would be the local Windows group that I should assign this account to, that will still allow my PowerCLI script to run?

If the security team needs proof, are these required permissions documented anywhere?

Thanks!

5 Replies
LucD
Leadership

If you are concerned about the security permissions, wouldn't it then be better to go for "Per User Session"?

And in that case, the permissions of the logged-on user determine what you can do via a PowerShell script in vCO?

The required permissions depend on what you want to do via vCO, and, in my understanding, there the same principles as for normal PowerCLI would play.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

TheVMinator
Expert

OK, so I'm not sure I know which option I want. For example, right now I'm running the workflow to "Add a PowerShell Host" in vCO.

I can choose a session mode of "Session Per User" or "Shared Session". If I choose "Session Per User" when adding a PowerShell host, is that host still added when someone else tries to run a PowerShell workflow?

LucD
Leadership

As far as I understand it, these are 2 different things.

The setup of the PowerShell host is one thing, that is done via the account you are running the vCO with when you add it.

The running of scripts via this PowerShell host in Per User Session is done with the account that triggers the flow that has the PowerShell script.

Btw, I would go for Kerberos authentication.

See [vCO PowerShell plugin] How to set up and use Kerberos authentication


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

TheVMinator
Expert

OK great. Kerberos authentication looks like a cleaner solution, and would solve my problem, which is having to create a local Windows user account just to add the PowerShell host to vCO. However, the problem is that the setup for Kerberos looks very confusing. It isn't clear exactly what is supposed to be in the Kerberos krb5.conf file. It looks like I could spend hours trying to figure that out. The example in the post doesn't really explain it fully; it points you to another reference, which is not clear at all.

Is there a short, concise example of a krb5.conf file, designed specifically for an environment with vCO and Active Directory, where vCO is connecting to a PowerShell host, that someone has made to work successfully?

LucD
Leadership

MWpreston did a good write-up of the process in My First vCenter Orchestrator Workflow – Part 4 – A look at the Powershell Plug-in


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
