Elevating VMware Engine privileges

Google Cloud VMware Engine privileges give vCenter users the privileges they need to perform normal operations. Some administrative functions require additional privileges in the private cloud vCenter.

Google Cloud VMware Engine is now integrated with the Google Cloud console but the integration does not provide the Elevate privilege capability. To perform these tasks, you can use a solution user account to:

  • Configure identity sources
  • Perform user management
  • Delete a distributed port group
  • Create service accounts

You can use any of the following built-in solution user IDs:

  • solution-user-01@gve.local
  • solution-user-02@gve.local
  • solution-user-03@gve.local
  • solution-user-04@gve.local
  • solution-user-05@gve.local

Get a solution user password

To get a solution user password, follow these steps:

gcloud 

gcloud vmware private-clouds vcenter credentials describe \
--private-cloud=PRIVATE_CLOUD \
--project=PROJECT_ID \
--username=USERNAME_ID \
--location=REGION

API

In the REST API, make a GET request to the showCredentials method and provide the provide the solution user ID:

https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/privateClouds/PRIVATE_CLOUD:showVcenterCredentials?username=USERNAME_ID

Replace the following:

  • PRIVATE_CLOUD: the private cloud for this request.
  • PROJECT_ID: the project for this request.
  • REGION: the region of the private cloud.
  • USERNAME_ID: one of the solution user IDs described previously.

Reset solution user password

To reset a solution user password, follow these steps:

gcloud 

gcloud vmware private-clouds vcenter credentials reset \
--private-cloud=PRIVATE_CLOUD \
--project=PROJECT_ID \
--username=USERNAME_ID \
--location=REGION

API

In the REST API, make a POST request to the showCredentials method and provide the solution user ID in the request body:

https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/privateClouds/PRIVATE_CLOUD:resetVcenterCredentials

{
"username": :"USERNAME_ID"
}

Replace the following:

  • PROJECT_ID: the project for this request.
  • REGION: the region of the private cloud.
  • USERNAME_ID: one of the solution user IDs described previously.

Forbidden actions

When VMware Engine detects any of the following forbidden actions, VMware Engine reverts the changes to ensure that service remains uninterrupted.

Cluster actions

The following cluster actions are forbidden:

  • Removing a cluster from vCenter.
  • Changing vSphere High Availability (HA) on a cluster.
  • Adding a host to the cluster from vCenter.
  • Removing a host from the cluster from vCenter.
  • Changing vSphere Distributed Resource Scheduler (DRS) on a cluster.

Host actions

The following host actions are forbidden:

  • Adding or removing datastores on an ESXi host.
  • Uninstalling vCenter agent from host.
  • Modifying the host configuration.
  • Making any changes to the host profiles.
  • Placing a host in maintenance mode.

Network actions

The following network actions are forbidden in vCenter Server:

  • Deleting the default distributed virtual switch (DVS) in a private cloud.
  • Removing a host from the default DVS.
  • Importing any DVS setting.
  • Reconfiguring any DVS setting.
  • Upgrading any DVS.
  • Deleting the management portgroup.
  • Editing the management portgroup.

The following network actions are forbidden in NSX-T Manager:

  • Adding a new NSX-T Edge node.
  • Changing an existing NSX-T Edge node.

Roles and permissions actions

The following roles and permissions actions are forbidden:

  • Modifying or deleting permission to any management objects.
  • Modifying or removing any default roles.
  • Increase the privileges of a role to higher than of Cloud-Owner-Role.
  • Adding users and groups to the Administrator group on vCenter.
  • Adding any Active Directory users and groups to the Administrator group on vCenter.

Other actions

The following actions are additionally forbidden:

  • Removing any default licenses:
    • vCenter Server
    • ESXi nodes
    • NSX-T
    • HCX
  • Modifying or deleting the management resource pool.
  • Cloning management VMs.
  • Assigning a management network to a workload VM.
  • Using an IP address in the management internal IP address range for a workload VM.
  • Renaming the data center.
  • Renaming the cluster.
  • Configuring syslog forwarding using the vCenter Server Appliance Management Interface (VAMI).
  • Configuring syslog forwarding on ESXi Hosts directly using the vCenter User Interface. Open a Support Ticket for this task.
  • Joining your private cloud vCenter to an Active Directory domain.
  • Resetting vCenter or NSX-T sign-in credentials using VMware tools, API calls, or management appliances (vCenter/NSX manager). As a reminder, you can retrieve or reset generated credentials, including password updates, from the private cloud details page in the VMware Engine portal.
  • Changing statistics collection intervals or statistics levels in the vSphere Client.

What's next