Introduction

Automation in VMware environments enhances efficiency, reduces human error, and improves the consistency of operations. Aria Automation (formerly vRealize Automation) is a powerful tool designed to automate processes in your VMware infrastructure. However, to fully leverage its capabilities, Aria Automation requires specific permissions in vCenter. This blog post will guide you through creating a custom role in vCenter with all necessary permissions for the Aria Automation service account.

Prerequisites

  • Access to vCenter with administrative privileges.
  • VMware PowerCLI installed on your computer.
  • Familiarity with VMware environments and basic scripting.

Step 1: Establish a Connection to Your vCenter Server

Begin by opening VMware PowerCLI and connecting to your vCenter server. Use the following script, substituting your actual credentials and server details:

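# Placeholder values: substitute your vCenter server and administrative account
$vcServer = 'vcenter.yourdomain.com'
$username = 'administrator@yourdomain.com'
$password = 'yourPassword'
# Open the PowerCLI session used by the remaining steps
Connect-VIServer -Server $vcServer -User $username -Password $password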

Step 2: Define the Role and Permissions

Next, specify the role’s name and the permissions necessary for Aria Automation. These permissions will allow Aria Automation to manage virtual machines and other resources effectively:

$roleName = "Aria Automation Custom Role"
$permissions = @(
    "System.Anonymous",
    "System.View",
    "System.Read",
    "Global.ManageCustomFields",
    "Global.SetCustomField",
    "Folder.Create",
    "Folder.Delete",
    "Datastore.Browse",
    "Datastore.FileManagement",
    "Datastore.AllocateSpace",
    "Network.Assign",
    "VirtualMachine.Inventory.Create",
    "VirtualMachine.Inventory.CreateFromExisting",
    "VirtualMachine.Inventory.Delete",
    "VirtualMachine.Inventory.Move",
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.Suspend",
    "VirtualMachine.Interact.Reset",
    "VirtualMachine.Interact.ConsoleInteract",
    "VirtualMachine.Interact.DeviceConnection",
    "VirtualMachine.Interact.SetCDMedia",
    "VirtualMachine.Interact.ToolsInstall",
    "VirtualMachine.Config.Rename",
    "VirtualMachine.Config.Annotation",
    "VirtualMachine.Config.AddExistingDisk",
    "VirtualMachine.Config.AddNewDisk",
    "VirtualMachine.Config.RemoveDisk",
    "VirtualMachine.Config.CPUCount",
    "VirtualMachine.Config.Memory",
    "VirtualMachine.Config.AddRemoveDevice",
    "VirtualMachine.Config.EditDevice",
    "VirtualMachine.Config.Settings",
    "VirtualMachine.Config.Resource",
    "VirtualMachine.Config.AdvancedConfig",
    "VirtualMachine.Config.SwapPlacement",
    "VirtualMachine.Config.DiskExtend",
    "VirtualMachine.Config.ChangeTracking",
    "VirtualMachine.State.CreateSnapshot",
    "VirtualMachine.State.RevertToSnapshot",
    "VirtualMachine.State.RemoveSnapshot",
    "VirtualMachine.Provisioning.Customize",
    "VirtualMachine.Provisioning.Clone",
    "VirtualMachine.Provisioning.DeployTemplate",
    "VirtualMachine.Provisioning.CloneTemplate",
    "VirtualMachine.Provisioning.ReadCustSpecs",
    "Resource.AssignVMToPool",
    "Resource.HotMigrate",
    "Resource.ColdMigrate",
    "Authorization.ModifyPermissions",
    "VApp.ApplicationConfig",
    "VApp.Import",
    "StoragePod.Config",
    "InventoryService.Tagging.AttachTag",
    "InventoryService.Tagging.ModifyUsedByForCategory",
    "ContentLibrary.EvictLibraryItem",
    "InventoryService.Tagging.DeleteCategory",
    "ContentLibrary.TypeIntrospection",
    "ContentLibrary.GetConfiguration",
    "InventoryService.Tagging.EditTag",
    "ContentLibrary.UpdateSession",
    "ContentLibrary.UpdateLibrary",
    "InventoryService.Tagging.ModifyUsedByForTag",
    "ContentLibrary.SyncLibraryItem",
    "ContentLibrary.UpdateSubscribedLibrary",
    "ContentLibrary.UpdateLibraryItem",
    "ContentLibrary.DeleteLibraryItem",
    "InventoryService.Tagging.CreateTag",
    "InventoryService.Tagging.DeleteTag",
    "ContentLibrary.SyncLibrary",
    "ContentLibrary.UpdateConfiguration",
    "ContentLibrary.DownloadSession",
    "ContentLibrary.DeleteLocalLibrary",
    "InventoryService.Tagging.ObjectAttachable",
    "ContentLibrary.EvictSubscribedLibrary",
    "ContentLibrary.DeleteSubscribedLibrary",
    "ContentLibrary.CreateSubscribedLibrary",
    "ContentLibrary.UpdateLocalLibrary",
    "InventoryService.Tagging.EditCategory",
    "InventoryService.Tagging.CreateCategory",
    "ContentLibrary.ProbeSubscription",
    "ContentLibrary.ReadStorage",
    "ContentLibrary.AddLibraryItem",
    "ContentLibrary.CreateLocalLibrary"
)

Step 3: Create the Custom Role

Create the role using the New-VIRole cmdlet. This step involves applying the previously defined permissions to the new role:

# Resolve the privilege IDs to privilege objects and create the role from them
New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $permissions)
Write-Output "Role '$roleName' created successfully with necessary permissions."

Step 4: Verify and Disconnect

After creating the role, it’s good practice to verify that the role has been created with the correct permissions. Then, ensure you disconnect from your vCenter server securely:

Disconnect-VIServer -Server $vcServer -Confirm:$false
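
One way to carry out the verification this step mentions, as an added example rather than part of the original post: run it after Step 3 and before the Disconnect-VIServer call. It assumes $roleName and $permissions from Step 2; the function name Compare-RolePrivilege and its default review list are hypothetical choices made for this example.

```powershell
# Added example. Assumes an active Connect-VIServer session and the
# $roleName / $permissions variables from Step 2.
function Compare-RolePrivilege {
    param(
        [string[]] $Requested,    # privilege IDs the script asked for
        [string[]] $Granted,      # privilege IDs actually on the role
        # Privileges to call out for review. This default is an assumption
        # made for the example, not a VMware classification.
        [string[]] $ReviewList = @('Authorization.ModifyPermissions')
    )
    # vCenter places these three system privileges on every role.
    $implicit = 'System.Anonymous', 'System.View', 'System.Read'

    [pscustomobject]@{
        # Requested but absent, e.g. an ID this vCenter version does not
        # recognise, so it never reached New-VIRole.
        Missing    = @($Requested | Where-Object { $_ -notin $Granted } |
                       Sort-Object -Unique)
        # Present although never requested (implicit ones excluded).
        Unexpected = @($Granted | Where-Object {
                           $_ -notin $Requested -and $_ -notin $implicit } |
                       Sort-Object -Unique)
        # Granted privileges that appear on the review list.
        Review     = @($Granted | Where-Object { $_ -in $ReviewList })
    }
}

# Read the role back from vCenter instead of trusting the success message.
$role   = Get-VIRole -Name $roleName -ErrorAction Stop
$report = Compare-RolePrivilege -Requested $permissions -Granted $role.PrivilegeList

"Requested: {0}  Granted: {1}" -f $permissions.Count, $role.PrivilegeList.Count
$report.Missing    | ForEach-Object { Write-Warning "Missing from role: $_" }
$report.Unexpected | ForEach-Object { Write-Warning "Not requested:     $_" }
$report.Review     | ForEach-Object { Write-Output  "Review scope of:   $_" }

if ($report.Missing.Count -eq 0 -and $report.Unexpected.Count -eq 0) {
    Write-Output "Role '$roleName' matches the requested privilege list."
}
```

Saving the report output alongside the change record gives a baseline to diff against when the role is audited later.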

Step 5: Put it all together

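# Placeholder values: substitute your vCenter server and administrative account
$vcServer = 'vcenter.yourdomain.com'
$username = 'administrator@yourdomain.com'
$password = 'yourPassword'
# Open the PowerCLI session
Connect-VIServer -Server $vcServer -User $username -Password $password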
$roleName = "Aria Automation Custom Role"
$permissions = @(
    "System.Anonymous",
    "System.View",
    "System.Read",
    "Global.ManageCustomFields",
    "Global.SetCustomField",
    "Folder.Create",
    "Folder.Delete",
    "Datastore.Browse",
    "Datastore.FileManagement",
    "Datastore.AllocateSpace",
    "Network.Assign",
    "VirtualMachine.Inventory.Create",
    "VirtualMachine.Inventory.CreateFromExisting",
    "VirtualMachine.Inventory.Delete",
    "VirtualMachine.Inventory.Move",
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.Suspend",
    "VirtualMachine.Interact.Reset",
    "VirtualMachine.Interact.ConsoleInteract",
    "VirtualMachine.Interact.DeviceConnection",
    "VirtualMachine.Interact.SetCDMedia",
    "VirtualMachine.Interact.ToolsInstall",
    "VirtualMachine.Config.Rename",
    "VirtualMachine.Config.Annotation",
    "VirtualMachine.Config.AddExistingDisk",
    "VirtualMachine.Config.AddNewDisk",
    "VirtualMachine.Config.RemoveDisk",
    "VirtualMachine.Config.CPUCount",
    "VirtualMachine.Config.Memory",
    "VirtualMachine.Config.AddRemoveDevice",
    "VirtualMachine.Config.EditDevice",
    "VirtualMachine.Config.Settings",
    "VirtualMachine.Config.Resource",
    "VirtualMachine.Config.AdvancedConfig",
    "VirtualMachine.Config.SwapPlacement",
    "VirtualMachine.Config.DiskExtend",
    "VirtualMachine.Config.ChangeTracking",
    "VirtualMachine.State.CreateSnapshot",
    "VirtualMachine.State.RevertToSnapshot",
    "VirtualMachine.State.RemoveSnapshot",
    "VirtualMachine.Provisioning.Customize",
    "VirtualMachine.Provisioning.Clone",
    "VirtualMachine.Provisioning.DeployTemplate",
    "VirtualMachine.Provisioning.CloneTemplate",
    "VirtualMachine.Provisioning.ReadCustSpecs",
    "Resource.AssignVMToPool",
    "Resource.HotMigrate",
    "Resource.ColdMigrate",
    "Authorization.ModifyPermissions",
    "VApp.ApplicationConfig",
    "VApp.Import",
    "StoragePod.Config",
    "InventoryService.Tagging.AttachTag",
    "InventoryService.Tagging.ModifyUsedByForCategory",
    "ContentLibrary.EvictLibraryItem",
    "InventoryService.Tagging.DeleteCategory",
    "ContentLibrary.TypeIntrospection",
    "ContentLibrary.GetConfiguration",
    "InventoryService.Tagging.EditTag",
    "ContentLibrary.UpdateSession",
    "ContentLibrary.UpdateLibrary",
    "InventoryService.Tagging.ModifyUsedByForTag",
    "ContentLibrary.SyncLibraryItem",
    "ContentLibrary.UpdateSubscribedLibrary",
    "ContentLibrary.UpdateLibraryItem",
    "ContentLibrary.DeleteLibraryItem",
    "InventoryService.Tagging.CreateTag",
    "InventoryService.Tagging.DeleteTag",
    "ContentLibrary.SyncLibrary",
    "ContentLibrary.UpdateConfiguration",
    "ContentLibrary.DownloadSession",
    "ContentLibrary.DeleteLocalLibrary",
    "InventoryService.Tagging.ObjectAttachable",
    "ContentLibrary.EvictSubscribedLibrary",
    "ContentLibrary.DeleteSubscribedLibrary",
    "ContentLibrary.CreateSubscribedLibrary",
    "ContentLibrary.UpdateLocalLibrary",
    "InventoryService.Tagging.EditCategory",
    "InventoryService.Tagging.CreateCategory",
    "ContentLibrary.ProbeSubscription",
    "ContentLibrary.ReadStorage",
    "ContentLibrary.AddLibraryItem",
    "ContentLibrary.CreateLocalLibrary")
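# Resolve the privilege IDs to privilege objects and create the role from them
New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $permissions)
Write-Output "Role '$roleName' created successfully with necessary permissions."
# Close the PowerCLI session without prompting
Disconnect-VIServer -Server $vcServer -Confirm:$false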

Conclusion

Creating a custom role for the Aria Automation service account in vCenter is an essential step for securing and optimizing your automation tasks. By assigning precise permissions tailored to your needs, you can maintain a secure and efficient VMware environment.

Happy Automating!

This blog post offers a practical walkthrough for VMware professionals looking to customize and secure their VMware automation tools, ensuring a robust setup for extensive and complex automation tasks.