Elevate VMware Engine privileges

Google Cloud VMware Engine privileges give vCenter users the privileges they need to perform normal operations. Some administrative functions require additional privileges in the private cloud vCenter.

Google Cloud VMware Engine is now integrated with the Google Cloud console but the integration does not provide the Elevate privilege feature. To perform these tasks, you can use a solution user account to:

  • Configure identity sources
  • Perform user management
  • Delete a distributed port group
  • Create service accounts

Solution user accounts

Some tools and products used with your private cloud might require a user to have administrative privileges in vSphere. When you create a private cloud, VMware Engine also creates user accounts with administrative privileges that you can use for the third-party tools and products. Multiple solution user accounts are created for managing different applications. Using a specific solution user account, you can audit the actions performed by each application. This document provides you with guidance on managing these solution user accounts in vSphere.

Here are some examples of tools and products that require administrative privileges during setup:

  • VMware Site Recovery Manager (SRM)
  • VMware Cloud Director
  • Zerto

Before you begin

Before signing in to a third-party tool or product with a solution user account, confirm that the tool or product requires administrative privileges. If the tool or product requires privileges that are already provided by Cloud-Owner-Role, then create a new user and add the user to Cloud-Owner-Group instead.

You can use any of the following built-in solution user IDs:

Get a solution user password

To get a solution user password, take the following steps.

gcloud

gcloud vmware private-clouds vcenter credentials describe \
  --private-cloud=PRIVATE_CLOUD_NAME \
  --project=PROJECT_ID \
  --username=USERNAME_ID \
  --location=ZONE

Replace the following:

  • PRIVATE_CLOUD_NAME: the private cloud for this request
  • PROJECT_ID: the project for this request
  • USERNAME_ID: one of the solution user IDs
  • ZONE: the zone of the private cloud

API

In the REST API, make a GET request to the showVcenterCredentials method and provide the provide the solution user ID:

https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/privateClouds/PRIVATE_CLOUD_NAME:showVcenterCredentials?username=USERNAME_ID

Replace the following:

  • PROJECT_ID: the project for this request
  • ZONE: the zone of the private cloud
  • PRIVATE_CLOUD_NAME: the private cloud for this request
  • USERNAME_ID: one of the solution user IDs

Reset solution user password

To reset a solution user password, take the following steps.

gcloud

gcloud vmware private-clouds vcenter credentials reset \
  --private-cloud=PRIVATE_CLOUD_NAME \
  --project=PROJECT_ID \
  --username=USERNAME_ID \
  --location=ZONE

Replace the following:

  • PRIVATE_CLOUD_NAME: the private cloud for this request
  • PROJECT_ID: the project for this request
  • USERNAME_ID: one of the solution user IDs
  • ZONE: the zone of the private cloud

API

In the REST API, make a POST request to the resetVcenterCredentials method and provide the solution user ID in the request body:

https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/privateClouds/PRIVATE_CLOUD_NAME:resetVcenterCredentials

{
  "username": :"USERNAME_ID"
}

Replace the following:

  • PROJECT_ID: the project for this request
  • ZONE: the zone of the private cloud
  • USERNAME_ID: one of the solution user IDs

Forbidden actions

When VMware Engine detects any of the following forbidden actions, VMware Engine reverts the changes to ensure that service remains uninterrupted.

Cluster actions

The following cluster actions are forbidden:

  • Removing a cluster from vCenter
  • Changing vSphere high availability (HA) on a cluster
  • Adding a host to the cluster from vCenter
  • Removing a host from the cluster from vCenter
  • Changing vSphere Distributed Resource Scheduler (DRS) on a cluster

Host actions

The following host actions are forbidden:

  • Adding or removing datastores on an ESXi host; you can mount a temporary disaster recovery datastore, but SLAs won't apply
  • Uninstalling vCenter agent from host
  • Modifying the host configuration
  • Making any changes to the host profiles
  • Placing a host in maintenance mode

Network actions

The following network actions are forbidden in vCenter Server:

  • Deleting the default distributed virtual switch (DVS) in a private cloud
  • Removing a host from the default DVS
  • Importing any DVS setting
  • Reconfiguring any DVS setting
  • Upgrading any DVS
  • Deleting the management portgroup
  • Editing the management portgroup

The following network actions are forbidden in NSX-T Manager:

  • Adding a new NSX-T Edge node
  • Changing an existing NSX-T Edge node

Roles and permissions actions

The following roles and permissions actions are forbidden:

  • Modifying or deleting permission to any management objects
  • Modifying or removing any default roles
  • Increase the privileges of a role to higher than of Cloud-Owner-Role
  • Adding users and groups to the Administrator group on vCenter
  • Adding any Active Directory users and groups to the Administrator group on vCenter

Set up email alerts

You can set up VMware Engine to notify a user about changes to your private cloud configuration. To add a contact, do the following:

  1. In the Google Cloud console, go to the Essential contacts page.

    Go to Essential contacts

  2. In the project selection drop-down, select the organization, folder, or project that you want to add a contact to.

  3. Click Add contact.

  4. In the Email and Confirm email fields, enter the email address of the contact.

  5. From the Notification categories drop-down menu, select the notification categories that you want the contact to receive communications for. For a list of notification categories and recommended contacts, see Identifying contacts on this page.

  6. Click Save.

Other actions

The following actions are additionally forbidden:

  • Removing any default licenses:
    • vCenter Server
    • ESXi nodes
    • NSX-T
    • HCX
  • Modifying or deleting the management resource pool.
  • Cloning management VMs.
  • Assigning a management network to a workload VM.
  • Using an IP address in the management internal IP address range for a workload VM.
  • Renaming the data center.
  • Renaming the cluster.
  • Configuring syslog forwarding using the vCenter Server Appliance Management Interface (VAMI).
  • Configuring syslog forwarding on ESXi Hosts directly using the vCenter user interface. Instead, use the VMware Engine portal or the Google Cloud CLI to configure syslog forwarding for vCenter Server or ESXi Hosts.
  • Joining your private cloud vCenter to an Active Directory domain.
  • Resetting vCenter or NSX-T sign-in credentials using VMware tools, API calls, or management appliances (vCenter/NSX manager). As a reminder, you can retrieve or reset generated credentials, including password updates, from the private cloud details page in the VMware Engine portal.
  • Changing statistics collection intervals or statistics levels in the vSphere Client.

What's next