VMware Cloud Community
APJ7033
Enthusiast

VCSA 6.5 Backup (Permissions)

Hi, hope someone can point me in the right direction.

I will be backing up my VCSA 6.5 via HTTPS. As 6.5 does not have a scheduling solution out of the box, I am looking to use PowerShell running from a scheduled task. The way I see it, I can either call the REST API using Invoke-restMethod or I could use Get-CisServer. Where I am struggling to find a solution is how to permission an account that has the least possible privilege to perform this action.

Using the cron option (Link below) from within the VCSA is not an option, I will fail all my security audits, unless someone can explain how I could not have the passwords exposed in plain text. And the configuration would need to be automated.

VMware vSphere 6.5 Documentation Library

Thanks

sk84
Expert

You will need an account with administrator privileges on vCenter level.

Using the cron option (Link below) from within the VCSA is not an option, I will fail all my security audits, unless someone can explain how I could not have the passwords exposed in plain text. And the configuration would need to be automated.

How else are you gonna do it? With any platform and scripting language you will have this problem. You have to pass a password in plain text and if you don't want to enter it every time, you have to save it. Of course you can encrypt it, but even then the question remains: Where to put the encryption key?

You can also store the script locally on the VCSA and make the file with the password readable only by the root user. If someone can read this on the vCenter, they have root privileges anyway and you have a much bigger problem than your backup script. Or place the script on any other Linux host where you will have more features (and scripting languages) available and more control over security.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
APJ7033
Enthusiast

The way I expect to get around the password in plain text is to use a service account on Windows and have the backup job call a PowerShell script. The script would get the password from a credential object.

The thing I am trying to get around is not having the service account hold full admin rights to the VC. I am also trying to keep most of the workflow within the Windows space, as my Ops team are more comfortable with Windows.

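As an added example (not code from either poster), here is what the workflow described in the original post and the follow-up looks like in practice: a credential object protected with DPAPI via Export-Clixml, and a scheduled-task script that uses Invoke-RestMethod against the vSphere 6.5 appliance REST API to start a file-based backup to an HTTPS target and wait for it to finish. The hostnames, file paths and backup target URL are placeholders; the endpoints (com/vmware/cis/session and appliance/recovery/backup/job) and the job state values are those of the 6.5 appliance API, so check them against the API explorer on your own VCSA. It does not resolve the least-privilege question raised in the thread.

```powershell
# Added example, not from the thread. Assumptions: placeholder hostnames/paths,
# vSphere 6.5 appliance REST API endpoints, job states INPROGRESS/SUCCEEDED/FAILED.
#
# One-time setup, run interactively AS the service account that will own the task.
# Export-Clixml encrypts the SecureString with DPAPI bound to this user and machine,
# so the file is useless to any other account, even if it is copied elsewhere:
#   Get-Credential -Message 'vCenter SSO account'     | Export-Clixml C:\Backup\vc.cred.xml
#   Get-Credential -Message 'HTTPS backup target'     | Export-Clixml C:\Backup\target.cred.xml
# Then restrict the NTFS ACL on both files to the service account and SYSTEM.

param(
    [string]$VCenter        = 'vcsa.example.local',                  # assumed hostname
    [string]$BackupTarget   = 'https://backup.example.local/vcsa/',  # assumed HTTPS target
    [string]$VcCredFile     = 'C:\Backup\vc.cred.xml',               # assumed path
    [string]$TargetCredFile = 'C:\Backup\target.cred.xml'            # assumed path
)

$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Import-Clixml only succeeds for the user who exported the file (DPAPI user scope).
$vcCred     = Import-Clixml $VcCredFile
$targetCred = Import-Clixml $TargetCredFile

# Open an API session: Basic auth once, then a session-id header for every call.
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
             "$($vcCred.UserName):$($vcCred.GetNetworkCredential().Password)"))
$session = Invoke-RestMethod -Method Post `
               -Uri "https://$VCenter/rest/com/vmware/cis/session" `
               -Headers @{ Authorization = "Basic $basic" }
$headers = @{ 'vmware-api-session-id' = $session.value }

try {
    # Backup spec. The target password exists in clear text only inside this request body.
    $spec = @{
        piece = @{
            location_type     = 'HTTPS'
            location          = "$BackupTarget$(Get-Date -Format 'yyyyMMdd-HHmm')"
            location_user     = $targetCred.UserName
            location_password = $targetCred.GetNetworkCredential().Password
            parts             = @('common', 'seat')   # seat = stats, events, alarms, tasks
        }
    }
    $job = Invoke-RestMethod -Method Post `
               -Uri "https://$VCenter/rest/appliance/recovery/backup/job" `
               -Headers $headers -ContentType 'application/json' `
               -Body ($spec | ConvertTo-Json -Depth 5)
    $jobId = $job.value.id

    # Poll the job until it leaves INPROGRESS.
    do {
        Start-Sleep -Seconds 30
        $status = (Invoke-RestMethod `
                       -Uri "https://$VCenter/rest/appliance/recovery/backup/job/$jobId" `
                       -Headers $headers).value
        Write-Host ("{0}: {1} ({2}%)" -f (Get-Date -Format s), $status.state, $status.progress)
    } while ($status.state -eq 'INPROGRESS')
}
finally {
    # Always close the session so the token cannot be reused if the script dies.
    Invoke-RestMethod -Method Delete -Uri "https://$VCenter/rest/com/vmware/cis/session" `
        -Headers $headers | Out-Null
}

# A non-zero exit lets Task Scheduler record the run as failed.
if ($status.state -ne 'SUCCEEDED') {
    Write-Error ("Backup job $jobId ended in state $($status.state): " +
                 ($status.messages | ConvertTo-Json -Compress))
    exit 1
}
```

Run the task as the same service account that exported the credential files, with "Run whether user is logged on or not", so the user profile (and with it the DPAPI key) is available; the account needs no local administrator rights on the Windows host. The VCSA certificate must be trusted by that host (import the VMCA root or replace the certificate) rather than disabling certificate validation in the script, otherwise the Basic-auth header goes to whoever answers on that name.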