I've not looked into what the minimum privileges are, but this will also depend on whether you're trying to validate going through vCenter and/or directly to an ESX(i) host. The latter will definitely require administrator privileges as it tries to download a few files to verify some checks. I believe if you go through vCenter, that readOnly _should_ work, but I've not tested this.
You could give that a shot and let me know if it's sufficient or if you hit particular problems.
We use a local Windows account on the vCenter Server for vifastpass operations from the vMA. This user is only member of the local Users group, no Administrators or anything else.
In the vCenter structure, the permission for this user is set at the vCenter level (the highest one) in the vSphere client and propagates to the lower levels.
We use a custom vCenter role for this user, which only consists of the following permissions:
- Datastore -> Browse datastore
- Global -> Diagnostics, Licenses
- Sessions -> View and stop sessions
This really is everything this role is permitted to do, and the vSphereSecurityHardening as well as the vSphereHealthCheck execute flawlessly when run after a vipftarget -s My_vCenter_Server.
Note that we also registered each ESXi Server separately with the vMA besides the vCenter with this local account.
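The custom role described in the post above, built with PowerCLI as an added example (not the poster's own configuration or script). It assumes a PowerCLI session is already connected to vCenter, and that the privilege IDs below are the API names for the three permission groups the post lists; the role, account and vCenter names are placeholders.

```powershell
# Added example: create a least-privilege audit role matching the post
# (Datastore -> Browse, Global -> Diagnostics/Licenses,
#  Sessions -> View and stop sessions) and grant it at the vCenter root
# with propagation, so a read-mostly audit account can run the health
# check and hardening scripts without Administrator rights.
# Assumes Connect-VIServer has already been run against the vCenter.

$roleName  = 'vMA-Audit'                 # placeholder role name
$principal = 'VCENTER01\vma_audit'       # placeholder local Windows account

# Privilege IDs assumed to correspond to the permissions listed in the post.
$privilegeIds = @(
    'Datastore.Browse',
    'Global.Diagnostics',
    'Global.Licenses',
    'Sessions.ViewSession',
    'Sessions.TerminateSession'
)

# Resolve the privilege objects; fail loudly if any ID does not exist on
# this vCenter version rather than silently creating a weaker role.
$privileges = Get-VIPrivilege -Id $privilegeIds -ErrorAction Stop
if ($privileges.Count -ne $privilegeIds.Count) {
    throw "Expected $($privilegeIds.Count) privileges, resolved $($privileges.Count)"
}

# Create the role only if it is not already present (idempotent re-runs).
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privileges
}

# Get-Folder -NoRecursion returns the root folder, i.e. the vCenter level
# the post assigns the permission at; Propagate pushes it down the tree.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate:$true

# Review what the account can actually do before handing it out.
Get-VIPermission -Entity $root -Principal $principal |
    Select-Object Principal, Role, Propagate
```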
We tested the script with the following set-up: Create a Windows AD group - vcenterAudit (you could call it whatever you choose) and add a test account to the AD group. Assign the Read-Only role at the Datacenter level to the newly created AD group. Run the script using the test account credential against our vCenter server. The above setup is the only privilege that we need.