Creating a vCenter role for the vsphere-vagrant provider

Jonathan Frappier Virtxpert

Vagrant is a tool typically associated with VirtualBox or VMware Workstation/Fusion; however, a vSphere provider is available here.  Vagrant is an easy way to spin up and delete VMs. If you are a #vBrownBag watcher, you may have heard the term “vagrant up” several times during the Couch to OpenStack series this past summer.  You can learn more about Vagrant here and here thanks to Trevor Roberts Jr.

In this post, I will review the steps to grant an AD user account access to vSphere so that the vsphere-vagrant provider can “vagrant up” and “vagrant destroy” VMs.  A few notes: the vsphere-vagrant provider does not appear to like spaces in the password, or special characters in the username such as spaces, underscores or dashes.  Also, since Vagrant is connecting to vCenter, it needs some permission at the vCenter level, rather than permissions added granularly to specific objects such as datacenters, hosts, datastores, etc.

If Vagrant always connected to a specific host, you SHOULD be able to grant permissions on just the host, datastore(s) and networks.

In theory, what I want to try, but haven’t yet, is to assign a read-only role at the vCenter level and then grant specific permissions in other areas: on a specific cluster or datacenter, or on the specific servers, VM folders, datastores, networks/vswitches and resource pools if present, as well as any other objects I may not be thinking about right now.

For now, as this is a dev/test environment, the role can be applied at the vCenter level and should work to provision VMs.

  • Create an account in your AD, and optionally place the user in a group (assuming you may want to provide other accounts with this level of access, maybe a devvspherevagrant user etc)
  • Log into the web client >> Administration >> Role Manager
  • Click the green plus icon to add a role, name it vsphere-vagrant.  See below for the list of actual privileges provided.
  • Once the role is created, navigate from Home to vCenter >> vCenter Servers, click on your vCenter server
  • Click on the Manage tab >> Permissions tab and click the green + icon
  • Click the add button, change to your domain, find the user or group and click the add button, click ok
  • Select the vsphere-vagrant role created earlier and click ok

The Vagrant role settings are based on the need to create and remove VMs.  There may be a few extraneous privileges in here; this was a first pass at getting it working.

Role settings

– Datastore
  • Allocate space
  • Browse datastore
  • Remove file
  • Update virtual machine file

– Global
  • Log event
  • Cancel task

– Host
  • Create virtual machine
  • Delete virtual machine
  • Reconfigure virtual machine

– Network
  • Assign network

– Resource
  • Assign virtual machine to resource pool

– Tasks
  • Create task
  • Update task

– Virtual machine

  – Configuration
    • Add new disk
    • Add or remove device
    • Advanced
    • Change CPU count
    • Change resource
    • Configure ManagedBy
    • Memory
    • Modify device settings
    • Remove disk
    • Rename
    • Settings
    • Swap file placement

  – Guest operations
    • Guest Operations Modifications

  – Interaction
    • Power on
    • Power off
    • Reset
    • Suspend
    • VMware Tools install

  – Inventory
    • Create from existing
    • Create new
    • Move
    • Register
    • Remove
    • Unregister

  – Provisioning
    • Allow disk access
    • Clone template
    • Clone virtual machine
    • Customize
    • Deploy template
    • Mark as virtual machine
    • Read customization specifications
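
The same role and vCenter-level permission can be scripted with VMware PowerCLI. This is an added example, not part of the original post: the principal `EXAMPLE\vagrant` is a placeholder, and the privilege IDs are my mapping of the web client names listed above, which the script checks against the connected vCenter before creating anything.

```powershell
# Added example (not from the original post). Assumes VMware PowerCLI is installed
# and Connect-VIServer has already been run against the target vCenter.
$principal = 'EXAMPLE\vagrant'   # placeholder AD user or group
$roleName  = 'vsphere-vagrant'   # role name used in the post

# Privilege IDs: assumed mapping of the web client names in the list above.
$privilegeIds = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.DeleteFile',
    'Datastore.UpdateVirtualMachineFiles',
    'Global.LogEvent', 'Global.CancelTask',
    'Host.Local.CreateVM', 'Host.Local.DeleteVM', 'Host.Local.ReconfigVM',
    'Network.Assign', 'Resource.AssignVMToPool',
    'Task.Create', 'Task.Update',
    'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Resource', 'VirtualMachine.Config.ManagedBy',
    'VirtualMachine.Config.Memory', 'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.Rename',
    'VirtualMachine.Config.Settings', 'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.GuestOperations.Modify',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Interact.ToolsInstall',
    'VirtualMachine.Inventory.CreateFromExisting', 'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Move', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.CloneTemplate', 'VirtualMachine.Provisioning.Clone',
    'VirtualMachine.Provisioning.Customize', 'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.MarkAsVM', 'VirtualMachine.Provisioning.ReadCustSpecs'
)

# Resolve the IDs and stop if this vCenter does not know any of them, so the
# role is never created with a silently shortened privilege set.
$privileges = @(Get-VIPrivilege -Id $privilegeIds -ErrorAction SilentlyContinue)
$missing = $privilegeIds | Where-Object { $_ -notin $privileges.Id }
if ($missing) { throw "Unknown privilege IDs: $($missing -join ', ')" }

# Refuse to overwrite an existing role of the same name.
if (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue) {
    throw "Role '$roleName' already exists; review it instead of recreating it."
}
$role = New-VIRole -Name $roleName -Privilege $privileges

# The root folder is the vCenter-level object; propagate to child objects.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate $true
```

To scope the account more narrowly, as discussed earlier in the post, pass a cluster, folder or datastore object to `-Entity` instead of the root folder.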
