In VMware Cloud on AWS (VMC), when a user is logged into vCenter Server, they are not running with the Administrator role as you might in an on-prem vSphere environment, but rather with a restrictive vCenter role called CloudAdmin. The reason for this is that VMware is responsible for managing the infrastructure, including the management software, and we want to make sure customers do not accidentally make changes that could affect those operations. More importantly, with VMC being a service, customers can now focus their attention on consuming resources in VMC and leave the maintenance of the infrastructure to VMware.
Note: For those interested, you can find the complete list of vCenter privileges for the CloudAdmin role here.
The ability to create and consume custom vCenter roles has been an extremely powerful capability of vCenter Server, and although this is currently not possible in VMC, it is something that is actively being worked on. With that said, many of the requests that I have seen on this topic have actually been about consuming some of the default vCenter roles. This is especially true for the "Read Only" role, which is useful for auditing and monitoring purposes. As a CloudAdmin user, you can assign default vCenter roles that have equal or lesser privileges than the CloudAdmin role, which includes the default "Read Only" vCenter role.
- Ensure that you have either a VPN and/or Direct Connect configured between your on-prem environment and VMC
- Configure Hybrid Linked Mode (HLM), which can be enabled from the VMC vCenter Server or using the new vCenter Cloud Gateway (VCG)
Before you can assign a default vCenter role, there is one additional step required which may not be apparent. This has to do with how HLM maps your Active Directory users into VMC for access, using what is known as a Just-In-Time (JIT) user that gets created in VMC. When you initially set up HLM, you specify an Active Directory group which is automatically mapped to the CloudAdmin group, and we assign the CloudAdmin role to members of that group.
In the case of assigning a non-CloudAdmin role, a JIT user needs to be created in VMC for that user. The creation of the JIT user is automatic, but it is only performed on the user's first login attempt, and it must exist before we can actually assign a default vCenter role. If it does not, when you try to assign the permission you receive the following error message:
Step 1 - Have the user "Dennis Nedry" log in to the VCG using their Active Directory credentials for the first time. This ensures the JIT user is automatically created on the VMC side, which will allow the CloudAdmin to assign the "Read Only" vCenter role.
Depending on the permissions that have been configured for the on-prem vCenter Server, the user may see the following screen if they have not been granted any access there. This is expected; the user can simply ignore it and return to the login screen.
Step 2 - Now, log in to the VCG with an Active Directory user that is part of the CloudAdmin group which was set up during the HLM configuration. You can now assign the "Read Only" role to a user who is NOT part of the CloudAdmin group. In my example, I have created the permission at the VMC vCenter Server level and have enabled propagation of the role.
Step 3 - Finally, our user Dennis can log into the VCG again, and this time, because the permission has been successfully assigned, he should see the VMC vCenter Server inventory along with any other on-prem vCenter Server(s) that his user account has been granted access to.
If we now navigate to one of the VMs running in our VMC vCenter Server, we can see that our "Read Only" role has been applied. Dennis has no privileges to make any changes; he can only view the objects.
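The same Step 2 assignment and the Step 3 check can be scripted with PowerCLI. This is an added example, not code from the original post; the vCenter FQDN and the principal name are placeholders, and it assumes the CloudAdmin account used to connect is an HLM-mapped Active Directory user.

```powershell
# Added example (not from the original post): assign the built-in "ReadOnly" role at the
# VMC vCenter Server level with propagation, then verify the resulting permission.
# Placeholders (assumptions): the VMC vCenter FQDN and the target user's principal name.
$vmcVcenter = "vcenter.sddc-PLACEHOLDER.vmwarevmc.com"   # placeholder FQDN
$principal  = "EXAMPLE\dnedry"                           # placeholder: AD user who completed Step 1

# Connect as a member of the CloudAdmin group that was mapped during HLM setup (Step 2)
$cloudAdminCred = Get-Credential -Message "CloudAdmin (Active Directory) credentials"
Connect-VIServer -Server $vmcVcenter -Credential $cloudAdminCred | Out-Null

# The root folder is the vCenter Server object; a propagating permission here covers the inventory
$root     = Get-Folder -NoRecursion
$readOnly = Get-VIRole -Name "ReadOnly"

try {
    New-VIPermission -Entity $root -Principal $principal -Role $readOnly `
        -Propagate:$true -ErrorAction Stop | Out-Null
}
catch {
    # The JIT user only exists after the user's first login to the VCG (Step 1).
    # Until then vCenter cannot resolve the principal and the assignment fails.
    Write-Warning "Could not assign ReadOnly to ${principal}: $($_.Exception.Message)"
    Write-Warning "Have the user log in to the VCG once so the JIT user is created, then retry."
    Disconnect-VIServer -Server $vmcVcenter -Confirm:$false
    return
}

# Verify: the principal holds ReadOnly at the root and the permission propagates
$perm = Get-VIPermission -Entity $root -Principal $principal
if ($perm -and $perm.Role -eq "ReadOnly" -and $perm.Propagate) {
    Write-Host "OK: $principal has ReadOnly (propagating) on $($root.Name)"
}
else {
    Write-Warning "Unexpected permission state for ${principal}: $($perm | Format-List | Out-String)"
}

Disconnect-VIServer -Server $vmcVcenter -Confirm:$false
```

Re-running the script after the user has completed Step 1 should reach the "OK" line; the verification block is also a quick audit that the role has not been widened beyond "ReadOnly".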