VMware Cloud Community
zomx
Contributor

invoke-vmscript least privilege

I am looking for confirmation on the bare minimum set of vCenter privileges needed to run invoke-vmscript on a virtual machine.

I've discovered that the default role "Virtual Machine Power User" applied to the vCenter folder + Read only access to the datacenter and ESX host object is necessary to run invoke-vmscript. Has anyone been able to run invoke-vmscript without giving users read access to the ESX host?

Thanks in advance

EJH

0 Kudos
2 Replies
mattboren
Expert

Hello, zomx-

Per the help for Invoke-VMScript,

...To run Invoke-VMScript, the user must have read access to the folder containing the virtual machine and a Virtual Machine.Interaction.Console Interaction privilege. The virtual machines must be powered on and have VMware Tools installed. Network connectivity to the ESX system hosting the virtual machine on port 902 must be present. To authenticate with the host or the guest OS, one of the HostUser/HostPassword (GuestUser/GuestPassword) pair and HostCredential (GuestCredential) parameters must be provided. The guest account you use to authenticate with the guest operating system must have administrator's privileges.

So, it looks like just read access to the folder in which the VM resides, and "Virtual Machine.Interaction.Console Interaction" privilege to the VM.  From that, it does not look like the user needs rights on the ESX(i) host -- you can specify the guest authentication info (either username/password, or a guest credential object) and not need to authenticate to the host.

The other thing to note there is that there must be connectivity on port 902 between the machine running the Invoke-VMScript cmdlet and the ESX(i) host on which the target VM is running (would likely be a concern in, say, a DMZ scenario).

0 Kudos
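The following PowerCLI script is an added example, not code from either poster or from VMware. It builds the least-privilege role the cmdlet help describes (read access on the VM folder plus Virtual Machine.Interaction.Console Interaction), assigns it to a user, checks the port 902 path to the host, and then runs Invoke-VMScript with guest credentials only. The folder, VM and account names are placeholders; `System.Anonymous`, `System.View` and `System.Read` are the three privileges behind the built-in Read-only role, and `VirtualMachine.Interact.ConsoleInteract` is PowerCLI's identifier for the console-interaction privilege. It assumes `Connect-VIServer` has already been run with an account allowed to manage roles and permissions.

```powershell
# Added example: least-privilege role for Invoke-VMScript (placeholder names).
$vcFolder  = 'Placeholder-VM-Folder'    # vCenter folder that contains the target VM
$vmName    = 'Placeholder-VM'
$principal = 'DOMAIN\scriptrunner'      # account that should only be able to run scripts
$roleName  = 'InvokeVMScript-Minimum'

# Privileges named in the cmdlet help: read access plus console interaction.
$privilegeIds = @(
    'System.Anonymous',
    'System.View',
    'System.Read',
    'VirtualMachine.Interact.ConsoleInteract'
)

# Create the role only if it does not already exist, so the script can be re-run.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $privs = Get-VIPrivilege -Id $privilegeIds
    $role  = New-VIRole -Name $roleName -Privilege $privs
}

# Grant the role on the VM folder and propagate it to the VMs inside.
$folder = Get-Folder -Name $vcFolder -Type VM
New-VIPermission -Entity $folder -Principal $principal -Role $role -Propagate:$true | Out-Null

# Show what the account ended up with, so the grant can be reviewed before use.
Get-VIPermission -Entity $folder -Principal $principal |
    Select-Object Principal, Role, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } }

# Port 902 from the machine running the cmdlet to the ESX(i) host is required,
# which is the item to check first when the call fails from a restricted network.
# ($host is a reserved automatic variable in PowerShell, hence $esxHost.)
$vm      = Get-VM -Name $vmName
$esxHost = $vm.VMHost
$reach   = Test-NetConnection -ComputerName $esxHost.Name -Port 902
if (-not $reach.TcpTestSucceeded) {
    throw "TCP 902 to $($esxHost.Name) is not reachable; Invoke-VMScript will fail."
}

# Guest credentials only: no HostUser/HostCredential is supplied, matching the
# PowerCLI 4.1 Update 1 behaviour quoted later in the thread.
$guestCred = Get-Credential -Message 'Guest OS administrator account'
Invoke-VMScript -VM $vm -ScriptType Bat -ScriptText 'whoami' -GuestCredential $guestCred
```

The role above is the minimum the documentation states. If, as the original poster observed, the call still fails until Read-only is also present on the datacenter and host objects, add a separate non-propagating `New-VIPermission` with the built-in `Read-only` role on those two objects rather than widening the folder role; that keeps the account unable to touch other VMs.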
zomx
Contributor

Matt,

Thanks for taking the time to reply. I knew that as of PowerCLI version 4.1 Update 1 invoke-vmscript no longer requires ESX(i) host credentials:

"The Invoke-VMScript, Copy-VMGuestFile, Set-VMGuestNetworkInterface, Get-VMGuestNetworkInterface, New-VMGuestRoute, Get-VMGuestRoute, and Remove-VMGuestRoute cmdlets now do not require host credentials on ESX 4.0 and newer."

My question specifically pertains to vCenter roles & privileges. I am unable to run invoke-vmscript on a virtual machine if I remove read-only (privilege) access to the datacenter & host vSphere inventory objects, and am wondering if this is the intended behavior.

Thanks

EJH

0 Kudos