Elevate VMware Engine privileges
Google Cloud VMware Engine privileges give vCenter users the privileges they need to perform normal operations. Some administrative functions require additional privileges in the private cloud vCenter.
Google Cloud VMware Engine is now integrated with the Google Cloud console but the integration does not provide the Elevate privilege feature. To perform these tasks, you can use a solution user account to:
- Configure identity sources
- Perform user management
- Delete a distributed port group
- Create service accounts
Solution user accounts
Some tools and products used with your private cloud might require a user to have administrative privileges in vSphere. When you create a private cloud, VMware Engine also creates user accounts with administrative privileges that you can use for the third-party tools and products. Multiple solution user accounts are created for managing different applications. Using a specific solution user account, you can audit the actions performed by each application. This document provides you with guidance on managing these solution user accounts in vSphere.
Here are some examples of tools and products that require administrative privileges during setup:
- VMware Site Recovery Manager (SRM)
- VMware Cloud Director
- Zerto
Before you begin
Before signing in to a third-party tool or product with a solution user account,
confirm that the tool or product requires administrative privileges. If the tool
or product requires privileges that are already
provided by Cloud-Owner-Role
, then create a new user
and add the user to Cloud-Owner-Group
instead.
You can use any of the following built-in solution user IDs:
Get a solution user password
To get a solution user password, take the following steps.
gcloud
gcloud vmware private-clouds vcenter credentials describe \ --private-cloud=PRIVATE_CLOUD_NAME \ --project=PROJECT_ID \ --username=USERNAME_ID \ --location=ZONE
Replace the following:
PRIVATE_CLOUD_NAME
: the private cloud for this requestPROJECT_ID
: the project for this requestUSERNAME_ID
: one of the solution user IDsZONE
: the zone of the private cloud
API
In the REST API, make a GET
request to the showVcenterCredentials
method
and provide the provide the solution user ID:
https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/privateClouds/PRIVATE_CLOUD_NAME:showVcenterCredentials?username=USERNAME_ID
Replace the following:
PROJECT_ID
: the project for this requestZONE
: the zone of the private cloudPRIVATE_CLOUD_NAME
: the private cloud for this requestUSERNAME_ID
: one of the solution user IDs
Reset solution user password
To reset a solution user password, take the following steps.
gcloud
gcloud vmware private-clouds vcenter credentials reset \ --private-cloud=PRIVATE_CLOUD_NAME \ --project=PROJECT_ID \ --username=USERNAME_ID \ --location=ZONE
Replace the following:
PRIVATE_CLOUD_NAME
: the private cloud for this requestPROJECT_ID
: the project for this requestUSERNAME_ID
: one of the solution user IDsZONE
: the zone of the private cloud
API
In the REST API, make a POST
request to the resetVcenterCredentials
method and provide the solution user ID in the request body:
https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/privateClouds/PRIVATE_CLOUD_NAME:resetVcenterCredentials { "username": :"USERNAME_ID" }
Replace the following:
PROJECT_ID
: the project for this requestZONE
: the zone of the private cloudUSERNAME_ID
: one of the solution user IDs
Forbidden actions
When VMware Engine detects any of the following forbidden actions, VMware Engine reverts the changes to ensure that service remains uninterrupted.
Cluster actions
The following cluster actions are forbidden:
- Removing a cluster from vCenter
- Changing vSphere high availability (HA) on a cluster
- Adding a host to the cluster from vCenter
- Removing a host from the cluster from vCenter
- Changing vSphere Distributed Resource Scheduler (DRS) on a cluster
Host actions
The following host actions are forbidden:
- Adding or removing datastores on an ESXi host; you can mount a temporary disaster recovery datastore, but SLAs won't apply
- Uninstalling vCenter agent from host
- Modifying the host configuration
- Making any changes to the host profiles
- Placing a host in maintenance mode
Network actions
The following network actions are forbidden in vCenter Server:
- Deleting the default distributed virtual switch (DVS) in a private cloud
- Removing a host from the default DVS
- Importing any DVS setting
- Reconfiguring any DVS setting
- Upgrading any DVS
- Deleting the management portgroup
- Editing the management portgroup
The following network actions are forbidden in NSX-T Manager:
- Adding a new NSX-T Edge node
- Changing an existing NSX-T Edge node
Roles and permissions actions
The following roles and permissions actions are forbidden:
- Modifying or deleting permission to any management objects
- Modifying or removing any default roles
- Increase the privileges of a role to higher than of Cloud-Owner-Role
- Adding users and groups to the Administrator group on vCenter
- Adding any Active Directory users and groups to the Administrator group on vCenter
Set up email alerts
You can set up VMware Engine to notify a user about changes to your private cloud configuration. To add a contact, do the following:
In the Google Cloud console, go to the Essential contacts page.
In the project selection drop-down, select the organization, folder, or project that you want to add a contact to.
Click
Add contact.In the Email and Confirm email fields, enter the email address of the contact.
From the Notification categories drop-down menu, select the notification categories that you want the contact to receive communications for. For a list of notification categories and recommended contacts, see Identifying contacts on this page.
Click Save.
Other actions
The following actions are additionally forbidden:
- Removing any default licenses:
- vCenter Server
- ESXi nodes
- NSX-T
- HCX
- Modifying or deleting the management resource pool.
- Cloning management VMs.
- Assigning a management network to a workload VM.
- Using an IP address in the management internal IP address range for a workload VM.
- Renaming the data center.
- Renaming the cluster.
- Configuring syslog forwarding using the vCenter Server Appliance Management Interface (VAMI).
- Configuring syslog forwarding on ESXi Hosts directly using the vCenter user interface. Instead, use the VMware Engine portal or the Google Cloud CLI to configure syslog forwarding for vCenter Server or ESXi Hosts.
- Joining your private cloud vCenter to an Active Directory domain.
- Resetting vCenter or NSX-T sign-in credentials using VMware tools, API calls, or management appliances (vCenter/NSX manager). As a reminder, you can retrieve or reset generated credentials, including password updates, from the private cloud details page in the VMware Engine portal.
- Changing statistics collection intervals or statistics levels in the vSphere Client.
What's next
- Learn how to set up vCenter identity sources.