Clarifies the administrative permissions structure of VMC on AWS vCenter
Over the years I have run into various issues with customers trying to use LDAP credentials to perform various administrative tasks in their VMware Cloud on AWS vCenter Server. I have typically gotten around the problem by having them temporarily use cloudadmin@vmc.local to complete the administrative task. This is fine for many customers, but for a customer with strict auditing controls, you want to avoid using cloudadmin@vmc.local unless it's truly a break-glass situation.
Here is a scenario one of my customers recently encountered.
Setup
You're a vSphere admin trying to replicate the permission set that cloudadmin@vmc.local has, granting an LDAP group the same level of access. You open Global Permissions and find that the local group CloudAdminGroup is granted the CloudAdmin role.
You naturally expect to give your users the same level of access by granting your LDAP group the same CloudAdmin role in Global Permissions.
Error
You attempt to log on to a vCenter Server utility with your LDAP credentials and receive an error message saying it was unable to locate any virtual switches.
You switch to cloudadmin@vmc.local and the utility works.
Troubleshooting
You log in to vCenter as your LDAP user and can't find the distributed virtual switch.
You log in to vCenter as cloudadmin@vmc.local, and you can see the distributed virtual switch.
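The comparison above can be scripted so that the evidence is repeatable (and so the same check can be re-run after the fix). The following PowerCLI script is an added example, not code from the original post or from Brad Snurka's script: it connects once as the LDAP user and once as cloudadmin@vmc.local, lists the distributed virtual switches each identity can see, and then shows the vCenter permissions held by the LDAP group. The vCenter FQDN and the group name are placeholders; it uses only standard PowerCLI cmdlets (Connect-VIServer, Get-VDSwitch, Get-VIPermission) and does not attempt to change CloudAdminGroup membership, which the post defers to the KB article's API calls.

```powershell
# Added example: compare DVS visibility for an LDAP user vs cloudadmin@vmc.local
# in a VMC on AWS vCenter, and show which role the LDAP group actually holds.
# Requires PowerCLI (VMware.PowerCLI module). The server and group names below
# are placeholders, not values from the original post.

$vcenter   = 'vcenter.sddc-xx-xx-xx-xx.vmwarevmc.com'   # placeholder FQDN
$ldapGroup = 'vsphere-admins@corp.example'               # placeholder group@domain

function Get-VisibleVDSwitches {
    param(
        [Parameter(Mandatory)] [string]       $Server,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # -NotDefault keeps each session separate so the two identities are never mixed.
    $vi = Connect-VIServer -Server $Server -Credential $Credential -NotDefault
    try {
        # A user without the extra CloudAdminGroup privileges simply gets nothing back.
        Get-VDSwitch -Server $vi | Select-Object -ExpandProperty Name
    } finally {
        Disconnect-VIServer -Server $vi -Confirm:$false
    }
}

$ldapCred  = Get-Credential -Message 'LDAP user (user@domain)'
$cloudCred = Get-Credential -Message 'cloudadmin@vmc.local'

$asLdap  = @(Get-VisibleVDSwitches -Server $vcenter -Credential $ldapCred)
$asCloud = @(Get-VisibleVDSwitches -Server $vcenter -Credential $cloudCred)

Write-Host "DVS visible as LDAP user  : $($asLdap.Count)  -> $($asLdap -join ', ')"
Write-Host "DVS visible as cloudadmin : $($asCloud.Count) -> $($asCloud -join ', ')"

# Show the permissions the LDAP group holds. If this lists the CloudAdmin role while
# $asLdap is empty, the gap is CloudAdminGroup membership, not the role assignment.
$vi = Connect-VIServer -Server $vcenter -Credential $cloudCred -NotDefault
try {
    Get-VIPermission -Server $vi -Principal $ldapGroup |
        Select-Object Principal, Role, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } }
} finally {
    Disconnect-VIServer -Server $vi -Confirm:$false
}

if ($asLdap.Count -eq 0 -and $asCloud.Count -gt 0) {
    Write-Warning "LDAP user cannot see the DVS that cloudadmin@vmc.local sees; $ldapGroup needs to be added to CloudAdminGroup."
}
```

Run it before the fix to capture the mismatch, and again after the LDAP group has been added to CloudAdminGroup: both counts should then match. Because the second half authenticates as cloudadmin@vmc.local, treat the run like any other use of that account under your auditing controls.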
Explanation
It is not as well documented as it could be, but the local group CloudAdminGroup has additional privileges granted to it beyond what the CloudAdmin role alone conveys, so assigning the role to another principal does not reproduce cloudadmin@vmc.local's access. VMware documents the behavior in the KB article "Customer is missing permissions for a specific LDAP User/Group but Cloudadmin@vmc.local account has the required permissions".
It is not possible to adjust the membership of CloudAdminGroup through the vCenter UI, but the required API calls are documented in that KB article.
Resolution
You could make the raw API calls as demonstrated in the KB article. However, if you are not particularly API-savvy, Brad Snurka at VMware wrote a nifty PowerCLI script that will do it for you.
Download and run the PowerCLI script. Note that you must have PowerCLI installed in order to run the script.
Enter your VMC on AWS vCenter FQDN and the cloudadmin@vmc.local password. Changing CloudAdminGroup membership requires cloudadmin@vmc.local, so this is a one-time use of the account that you should record under your auditing controls.
Run a GET command to list all LDAP groups in the CloudAdmin group. I have not run this in my lab before, so it shows up empty, as expected.
Run an ADD command to add an LDAP group to the CloudAdmin group. Note that you must type in the full group@domain name of the group.
Run another GET command to verify that the LDAP group is now visible.
Log in to the VMC on AWS vCenter Server as an LDAP user. The distributed virtual switch is now visible.