Scoping minimum vCenter permissions for the AWS Transform discovery tool

3 minute read

Content level: Intermediate

Provides details on the minimum vCenter permissions for the AWS Transform discovery tool

The AWS Transform discovery tool helps you automatically discover server inventory in your organization to prepare for migration. The documentation specifies the minimum required vCenter role as Read-Only, assigned at the vCenter root level. Administrators for some shared service provider environments may find this requirement too permissive. This article provides you with a list of granular permissions, enabling a limited view of the vCenter inventory.

Prerequisites

This article assumes you have deployed the discovery tool and it can access your vCenter on TCP/443.

Procedure

Configure vCenter permissions according to the following table:

#	vCenter object	Role	Propagate	Comment
1	vCenter root	Read-Only	No
2	Datacenter	Read-Only	No
3	Cluster	Read-Only	Optional	If it fits your security requirements, you can skip step 4 by propagating the role to an entire cluster.
4	ESX hosts	Read-Only	No	If you do not propagate at the cluster level, you must apply to every host in the cluster that the VMs could be running on.
5	Root VM folder	Read-Only	No
6	All intermediate VM folders	Read-Only	No	The user must have the read-only role on every folder in the tree leading up to the folder(s) containing VMs.
7	VM folder	Read-Only	Optional	If all VMs in a folder need to be inventoried, you can propagate the role at the folder level and skip step 8.
8	VMs	Read-Only	No	If you do not propagate the role at the folder level, you must assign the role to every VM that needs to be inventoried.
9	Distributed virtual switch root folder	Read-Only	No
10	Distributed virtual switch	Read-Only	Optional	If all portgroups on the distributed virtual switch need to be inventoried, you can skip step 11 by propagating the role to the entire switch
11	Distributed virtual switch portgroups	Read-Only	No	If you do not propagate at the distributed virtual switch level, the user must have the read-only role on every portgroup in use by every VM that needs to be inventoried.

Summary

This procedure gives you ability to create a granular permissions model, limiting inventory to a subset of VMs in your vCenter.

Topics: Migration & Modernization Machine Learning & AI
Tags: AWS Transform for VMware
Language: English

EXPERT

Patrick Kremer

published a month ago157 views

No comments

Relevant content

Accelerate VMware migration planning using AWS Transform discovery tool
EXPERT
Sheng Chen
published a year ago
Setting a static IP on the AWS Transform discovery tool
EXPERT
Patrick Kremer
published 6 months ago
Setting custom NTP servers on the AWS Transform discovery tool
EXPERT
Patrick Kremer
published 4 months ago
AWS transform for VMware to migrate to EC2
Accepted Answer
Vikky Singh
asked 5 months ago
Transform and Marketplace - How do they relate, and who controls the available tools?
LoganL14
asked 2 months ago
AMS Migration Service - No Agentless discovered servers displaying after sucessful vCenter client install
Accepted Answer
Thiago
asked 3 years ago
How do I use Amazon ECS service discovery with CloudFormation?
AWS OFFICIALUpdated 2 years ago
What are the minimum permissions that I need for Amazon SageMaker?
AWS OFFICIALUpdated 2 years ago
How do I delete a Route 53 hosted zone created by service discovery?
AWS OFFICIALUpdated 2 years ago
How do I use AWS Cloud Map to set up cross-account service discovery for ECS services?
AWS OFFICIALUpdated 3 years ago