hashicorp / packer-plugin-vsphere

Packer plugin for VMware vSphere Builder
https://www.packer.io/docs/builders/vsphere
Mozilla Public License 2.0

Permissions list needed. #57

Closed ghost closed 2 years ago

ghost commented 3 years ago

This issue was originally opened by @Ludicrous09 as hashicorp/packer#10976. It was migrated here as a result of the Packer plugin split. The original body of the issue is below.


Description

Can we get a real list of the permissions needed to use each section of the builder? There seem to be only very old versions of this from when JetBrains maintained this. While some of those are still applicable, there have been new features added that are not documented permissions-wise, such as publish to content library: I have given the account full content library access and it doesn't work.

The only way I can get it to work is to give it Global Permission Administrator.

I have tried giving it Global Permission Read-only and all the rest of the normal Packer permissions, and everything works until it gets to publish to content library; then I get a 403 Forbidden.

Use Case(s)

To be able to publish a Packer-created OVA to a local content library in a production environment without giving the account the Global Administrator role in vCenter. An all-encompassing list of the permissions that are needed should be provided.

Potential configuration

vCenter Server 6.7u3
VMware ESXi, 6.7.0, 17499825

Permissions my account has that will perform all operations except publish OVA to content library:

Alarms

Content Library

Datastore

Folder

Host

Network

Virtual machine

Potential References

https://www.packer.io/docs/builders/vmware/vsphere-iso

https://github.com/jetbrains-infra/packer-builder-vsphere/issues/97

mgarren commented 3 years ago

Followed here from issue 97 and worked with our vSphere admin. He found the following was needed, at least for my configuration, in addition to what was listed in 97:

- Resource.AssignVMToPool
- Folder.Create
- Datastore.AllocateSpace
- Network.Assign
- VirtualMachine.Interact.Inject USB HID scan codes

Not sure if that will help anyone

danfeldmann commented 3 years ago

Following from https://github.com/jetbrains-infra/packer-builder-vsphere/issues/97 too.

I could get the 403 error solved by adding the permission VApp.Export to our role, as referenced here: https://developer.vmware.com/docs/vsphere-automation/v7.0.0/vcenter/rest/com/vmware/vcenter/ovf/library-item/post/

tenthirtyam commented 3 years ago

Regarding exporting machine images as VM Templates or OVF Templates to a publishing content library, see Hierarchical Inheritance of Permissions for Content Libraries in vSphere Virtual Machine Administration under the VMware vSphere Documentation.

TL;DR - I typically:

For the documentation, it would be pretty easy to show how to create the custom role using the Terraform provider for vSphere using the vsphere_role resource. Here's an example that could be adapted.

Hope this helps.

Ryan
My Packer Examples for VMware vSphere

tenthirtyam commented 2 years ago

Create a custom vSphere role with the required privileges to integrate HashiCorp Packer with VMware vSphere. A service account can be added to the role to ensure that Packer has the least privileged access to the infrastructure. Clone the default Read-Only vSphere role and add the following privileges, which are based on the capabilities of the vsphere-iso plugin:

| Category | Privilege | Reference |
| --- | --- | --- |
| Content Library | Add library item | ContentLibrary.AddLibraryItem |
| | Update Library Item | ContentLibrary.UpdateLibraryItem |
| Datastore | Allocate space | Datastore.AllocateSpace |
| | Browse datastore | Datastore.Browse |
| | Low level file operations | Datastore.Browse |
| Network | Assign network | Network.Assign |
| Resource | Assign virtual machine to resource pool | Resource.AssignVMToPool |
| vApp | Export | vApp.Export |
| Virtual Machine | Configuration > Add new disk | VirtualMachine.Config.AddNewDisk |
| | Configuration > Add or remove device | VirtualMachine.Config.AddRemoveDevice |
| | Configuration > Advanced configuration | VirtualMachine.Config.AdvancedConfig |
| | Configuration > Change CPU count | VirtualMachine.Config.CPUCount |
| | Configuration > Change memory | VirtualMachine.Config.Memory |
| | Configuration > Change settings | VirtualMachine.Config.Settings |
| | Configuration > Change Resource | VirtualMachine.Config.Resource |
| | Configuration > Set annotation | VirtualMachine.Config.Annotation |
| | Edit Inventory > Create from existing | VirtualMachine.Inventory.CreateFromExisting |
| | Edit Inventory > Create new | VirtualMachine.Inventory.Create |
| | Edit Inventory > Remove | VirtualMachine.Inventory.Delete |
| | Interaction > Configure CD media | VirtualMachine.Interact.SetCDMedia |
| | Interaction > Configure floppy media | VirtualMachine.Interact.SetFloppyMedia |
| | Interaction > Connect devices | VirtualMachine.Interact.DeviceConnection |
| | Interaction > Inject USB HID scan codes | VirtualMachine.Interact.PutUsbScanCodes |
| | Interaction > Power off | VirtualMachine.Interact.PowerOff |
| | Interaction > Power on | VirtualMachine.Interact.PowerOn |
| | Provisioning > Create template from virtual machine | VirtualMachine.Provisioning.CreateTemplateFromVM |
| | Provisioning > Mark as template | VirtualMachine.Provisioning.MarkAsTemplate |
| | Provisioning > Mark as virtual machine | VirtualMachine.Provisioning.MarkAsVM |
| | State > Create snapshot | VirtualMachine.State.CreateSnapshot |

If you'd like to automate the creation of the custom vSphere role, a Terraform example is included in my project.

Once the custom vSphere role is created, assign Global Permissions in vSphere for the service account used for the HashiCorp Packer to VMware vSphere integration. Global permissions are required for the content library. For example:

  1. Log in to the vCenter Server at _https:///ui_ as administrator@vsphere.local.
  2. Select Menu > Administration.
  3. In the left pane, select Access control > Global permissions and click the Add permissions icon.
  4. In the Add permissions dialog box, enter the service account (e.g. svc-packer-vsphere@rainpole.io), select the custom role (e.g. Packer to vSphere Integration Role) and the Propagate to children check box, and click OK.

In an environment with many vCenter Server instances, such as management and workload domains, you may wish to further reduce the scope of access across the infrastructure in vSphere for the service account. For example, if you do not want Packer to have access to your management domain, but only allow access to workload domains:

  1. From the Hosts and clusters inventory, select management domain vCenter Server to restrict scope, and click the Permissions tab.
  2. Select the service account with the custom role assigned and click the Change role icon.
  3. In the Change role dialog box, from the Role drop-down menu, select No Access, select the Propagate to children check box, and click OK.

Hope this helps.

Ryan
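The comment above proposes building the custom role with the Terraform provider for vSphere. The following is an added example, not code from the packer-plugin-vsphere project or from the commenter's own repository. It declares a `vsphere_role` whose `role_privileges` list is taken from the table above; the role name, the provider version constraint and the use of environment variables for credentials are assumptions. Two privilege IDs differ from the table as written: `VApp.Export` is the capitalisation danfeldmann used earlier in this thread, and `Datastore.FileManagement` is the ID for "Low level file operations" (the table repeats `Datastore.Browse` for that row).

```hcl
# Added example: a least-privilege vSphere role for Packer, managed by Terraform.
# Not part of the packer-plugin-vsphere project. Names and versions are assumptions.

terraform {
  required_providers {
    vsphere = {
      source  = "hashicorp/vsphere"
      version = "~> 2.0" # assumed constraint
    }
  }
}

# Credentials are read from VSPHERE_USER, VSPHERE_PASSWORD and VSPHERE_SERVER
# so that no secret is written into the configuration or the state file path.
provider "vsphere" {
  allow_unverified_ssl = false # keep TLS verification on; assumed setting
}

resource "vsphere_role" "packer" {
  name = "Packer to vSphere Integration Role" # assumed role name

  # Privilege IDs from the table in the comment above.
  role_privileges = [
    # Content Library
    "ContentLibrary.AddLibraryItem",
    "ContentLibrary.UpdateLibraryItem",

    # Datastore
    "Datastore.AllocateSpace",
    "Datastore.Browse",
    "Datastore.FileManagement", # "Low level file operations"; table row lists Datastore.Browse

    # Network and Resource
    "Network.Assign",
    "Resource.AssignVMToPool",

    # vApp (needed for the OVF/content library export that produced the 403)
    "VApp.Export",

    # Virtual Machine > Configuration
    "VirtualMachine.Config.AddNewDisk",
    "VirtualMachine.Config.AddRemoveDevice",
    "VirtualMachine.Config.AdvancedConfig",
    "VirtualMachine.Config.CPUCount",
    "VirtualMachine.Config.Memory",
    "VirtualMachine.Config.Settings",
    "VirtualMachine.Config.Resource",
    "VirtualMachine.Config.Annotation",

    # Virtual Machine > Edit Inventory
    "VirtualMachine.Inventory.CreateFromExisting",
    "VirtualMachine.Inventory.Create",
    "VirtualMachine.Inventory.Delete",

    # Virtual Machine > Interaction
    "VirtualMachine.Interact.SetCDMedia",
    "VirtualMachine.Interact.SetFloppyMedia",
    "VirtualMachine.Interact.DeviceConnection",
    "VirtualMachine.Interact.PutUsbScanCodes",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.PowerOn",

    # Virtual Machine > Provisioning
    "VirtualMachine.Provisioning.CreateTemplateFromVM",
    "VirtualMachine.Provisioning.MarkAsTemplate",
    "VirtualMachine.Provisioning.MarkAsVM",

    # Virtual Machine > State
    "VirtualMachine.State.CreateSnapshot",
  ]
}

# Exposed so an operator can confirm what was granted without opening the UI.
output "packer_role_privileges" {
  value = vsphere_role.packer.role_privileges
}
```

Apply with `terraform plan` first and compare the planned `role_privileges` against the table; the provider rejects privilege IDs the connected vCenter does not recognise, which is the quickest way to catch a mistyped ID before the role is created. Assigning the role to the service account as a Global Permission (and the optional `No Access` override on a management-domain vCenter) is still done through the vSphere Client steps listed in the comment above; this example only creates the role.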

tenthirtyam commented 2 years ago

Recommend: status/resolved