vsphere-iso: Permissions Error #97

Closed
hskrtich opened this issue May 3, 2018 · 12 comments

@hskrtich

hskrtich commented May 3, 2018

I am trying to use the new vsphere-iso plug-in and I am getting this error

--> vsphere-iso: error creating vm: ServerFaultCode: Permission to perform this operation was denied.

If I use a user that had wide open permissions this issue goes away. Is there a way for me to debug this? Or is there a list of required permissions for the plugin to work?

@mkuzmin
Contributor

mkuzmin commented May 3, 2018

I didn't test that especially.

The basic list of required privileges is the same as for interactive actions in the vSphere UI: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-4D0F8E63-2961-4B71-B365-BBFA24673FDB.html

Documenting such a list would be a great contribution.

@stacycarter

@bskrtich
Testing with the latest beta vSphere-ISO plugin, and had the same challenge. Here is how I've been able to limit vCenter permissions so far through trial and error. It's working, but would prefer to have it more limited in terms of the cluster/datastore some of these perms apply to.

Currently have 3 roles right now at different levels for the same service account. Probably still needs more work and cleanup (for example, removing some of the redundant perms at multiple levels). The goal was to give only what is necessary. Started at the folder/cluster/datastore/network level, but then had to configure one or more perms above that level when that didn't work.

vCenter top-level w/ propagate:
Datastore > Browse Datastore, and Low Level File Operations (did not want to have to configure perms at this level, but had trouble getting it to work without it)

vCenter cluster-level w/ propagate:
Datastore > Allocate space, Browse datastore, Low level file operations, Remove file, Update virtual machine files, Update virtual machine metadata
Configuration > System Management
Resource > Assign virtual machine to resource pool

vCenter folder w/ templates, datastore with templates, and dvportgroup level:
Datastore > Allocate space, Browse datastore, Low level file operations, Remove file, Update virtual machine files, Update virtual machine metadata
Network > Assign network
Virtual machine > Most of what is in the Configuration, Guest Operations, Interaction, Inventory, Provisioning, and Service configuration folders

@hskrtich
Author

hskrtich commented May 7, 2018

@stacycarter Thank you for the information about your permission set. Since I am not directly in control of our vSphere, I have escalated our permissions issue. It will take about a week to hear back.

@tsborland
Contributor

After a lot of trial and error... it looks like the plugin user requires read only (without propagation) for:
vcenter -> datacenter -> cluster
vcenter -> datacenter -> distributed switch

Furthermore, it looks like the following permissions are required for any: resource pool, folder, distributed port group, datastore or storage cluster (with propagation):

Datastore ->Allocate space
Datastore ->Browse datastore
Datastore ->Low level file operations
Datastore ->Remove file
Datastore ->Update virtual machine files
Datastore ->Update virtual machine metadata
Network -> Assign network
Resource -> Assign virtual machine to resource pool
Virtual machine -> Change Configuration
Virtual machine -> Edit Inventory
Virtual machine -> Guest operations
Virtual machine -> Interaction
Virtual machine -> Provisioning
Virtual machine -> Service configuration
Virtual machine -> Snapshot management

With the roles assigned, I was able to successfully run a deployment against the vcenter instance.

@mkuzmin
Contributor

mkuzmin commented Nov 5, 2018

Thank you, @stacycarter and @tsborland! I've updated README and narrowed the list a bit.

@mkuzmin mkuzmin closed this as completed Nov 5, 2018
@mkuzmin
Contributor

mkuzmin commented Nov 5, 2018

At the moment additional read-only permission is required on host objects, I've fixed that in d641a78.
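As an added example (not code from this thread or from the plugin), the Python below models how vSphere resolves a principal's effective privileges through the inventory tree and applies it to the layout @tsborland described: Read-only without propagation on the cluster and distributed switch, and the Packer role with propagation on the resource pool, folder, port group and datastore. The inventory object names, the principal name `packer` and the `System.*` labels standing in for the built-in Read-only role are assumptions for illustration; the other privilege labels are the ones quoted in this thread.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed inventory, child -> parent (object names are assumed, not from the thread).
PARENT: Dict[str, Optional[str]] = {
    "vcenter": None, "DC": "vcenter", "Cluster01": "DC", "host01": "Cluster01",
    "rp-packer": "Cluster01", "folder-templates": "DC", "vm-build": "folder-templates",
    "dvs01": "DC", "dvpg-build": "dvs01", "ds01": "DC",
}

# Privilege labels as quoted in the thread; the System.* entries model the built-in Read-only role.
READ_ONLY: Set[str] = {"System.Anonymous", "System.View", "System.Read"}
PACKER_ROLE: Set[str] = READ_ONLY | {
    "Datastore.Allocate space", "Datastore.Browse datastore",
    "Datastore.Low level file operations", "Datastore.Remove file",
    "Datastore.Update virtual machine files", "Datastore.Update virtual machine metadata",
    "Network.Assign network", "Resource.Assign virtual machine to resource pool",
    "Virtual machine.Change Configuration", "Virtual machine.Edit Inventory",
    "Virtual machine.Guest operations", "Virtual machine.Interaction",
    "Virtual machine.Provisioning", "Virtual machine.Service configuration",
    "Virtual machine.Snapshot management",
}

# Permission entries (object, principal) -> (role privileges, propagate), following the layout above.
PERMISSIONS: Dict[Tuple[str, str], Tuple[Set[str], bool]] = {
    ("Cluster01", "packer"): (READ_ONLY, False),
    ("dvs01", "packer"): (READ_ONLY, False),
    ("rp-packer", "packer"): (PACKER_ROLE, True),
    ("folder-templates", "packer"): (PACKER_ROLE, True),
    ("dvpg-build", "packer"): (PACKER_ROLE, True),
    ("ds01", "packer"): (PACKER_ROLE, True),
}


def effective_privileges(obj: str, principal: str) -> Set[str]:
    """Resolve privileges the vSphere way: an entry on the object itself wins, otherwise
    the nearest ancestor entry with propagate=True applies; non-propagating entries cover
    only their own object, and with no matching entry the principal has no access at all."""
    node: Optional[str] = obj
    while node is not None:
        entry = PERMISSIONS.get((node, principal))
        if entry is not None and (node == obj or entry[1]):
            return set(entry[0])
        node = PARENT[node]
    return set()


def missing(obj: str, principal: str, required: Set[str]) -> Set[str]:
    """Privileges in `required` that the principal lacks on `obj` (empty means OK)."""
    return required - effective_privileges(obj, principal)
```

Evaluating `effective_privileges("host01", "packer")` returns an empty set, which is exactly the gap the host read-only fix above addresses: a non-propagating entry on the cluster does not reach the hosts beneath it, while a VM in the propagated folder gets the full Packer role.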

@mkuzmin
Contributor

mkuzmin commented Nov 5, 2018

For reference, here is a detailed list of individual privileges required on virtual machines.
But I would not use them at such a precise level: these privileges are sufficient for Packer, but not suitable for end VM users.

Create VM:

Virtual machine -> Inventory -> Create new
Virtual machine -> Inventory -> Remove
Virtual machine -> Configuration -> Add new disk

Customize hardware:

Virtual machine -> Configuration -> Change CPU count
Virtual machine -> Configuration -> Change resource
Virtual machine -> Configuration -> Memory
Virtual machine -> Configuration -> Settings
Virtual machine -> Configuration -> Set annotation

configuration_parameters:

Virtual machine -> Configuration -> Advanced

Boot:

Virtual machine -> Configuration -> Settings
Virtual machine -> Interaction -> Power on
Virtual machine -> Interaction -> Console interaction
Virtual machine -> Interaction -> Power off

CD-ROM:

Virtual machine -> Configuration -> Add or remove device
Virtual machine -> Interaction -> Configure CD media
Virtual machine -> Interaction -> Device connection

Upload Floppy image:

Virtual machine -> Configuration -> Add or remove device
Virtual machine -> Interaction -> Configure floppy media

Snapshot:

Virtual machine -> Snapshot management -> Create snapshot

Template:

Virtual machine -> Provisioning -> Mark as template

@JosteinVH

I have all the permissions (and more), result:

2020-05-20T15:42:20+02:00: ==> vsphere-iso: Customizing hardware...
2020-05-20T15:42:20+02:00: ==> vsphere-iso: Mount ISO images...
2020-05-20T15:42:20+02:00: ==> vsphere-iso: Creating floppy disk...
2020-05-20T15:42:20+02:00:     vsphere-iso: Copying files flatly from floppy_files
2020-05-20T15:42:20+02:00:     vsphere-iso: Copying file: /home/user/preseed.cfg
2020-05-20T15:42:20+02:00:     vsphere-iso: Done copying files from floppy_files
2020-05-20T15:42:20+02:00:     vsphere-iso: Collecting paths from floppy_dirs
2020-05-20T15:42:20+02:00:     vsphere-iso: Resulting paths from floppy_dirs : []
2020-05-20T15:42:20+02:00:     vsphere-iso: Done copying paths from floppy_dirs
2020-05-20T15:42:20+02:00: ==> vsphere-iso: Uploading created floppy image
2020-05-20T15:42:21+02:00: ==> vsphere-iso: Destroying VM...
2020-05-20T15:42:21+02:00: Build 'vsphere-iso' errored: ServerFaultCode: Permission to perform this operation was denied.

@pentiumoverdrive

I think I might have a similar problem. I ditched floppies for the moment though; it seems like I don't have floppy support, so Packer just destroys the VM (but is it missing permissions?).

Also USB HID code injection seems missing. Here are my permissions:

Datastore
Allocate space
Browse datastore
Low level file operations

Network
Assign network

Resource
Assign virtual machine to resource pool

Virtual machine -> Change Configuration
Add new disk
Add or remove device
Advanced configuration
Change CPU count
Change Memory
Change Settings
Change resource
Set annotation

Edit Inventory
Create new
Register
Remove
Unregister

Interaction
Configure CD media
Configure floppy media
Connect devices
Console interaction
Inject USB HID scan codes
Power off
Power on

Provisioning
Mark as template

Snapshot management
Create snapshot

@JosteinVH

@pentiumoverdrive Solved this by adding Host -> Configuration -> System Management to @tsborland's suggestion.

@egkelly

egkelly commented Oct 13, 2020

Inject USB HID scan codes

@pentiumoverdrive were you ever able to get this working? What version of ESXi are you running?

@danrokzz

For a possible solution to the 403 error, please take a look at hashicorp/packer-plugin-vsphere#57 (comment) :)
