App Volumes permissions on ESXi host


We are using App Volumes Manager in several environments together with Horizon View. When we were deploying the first App Volumes Manager I was asked to provide permissions for App Volumes Manager on the local ESXi hosts so that the Manager does not have to use the root account. There are guides you can use to set up all the required permissions, but you have to apply them to each ESXi host, which means connecting to every host manually via the Host Client and configuring a new user account, a role and all the required privileges. How boring that could be if you have 20-30 ESXi hosts! So I prepared a small script which is now part of new deployments. It is also used when one or several ESXi hosts have to be added to existing clusters which are supposed to work with App Volumes Manager.

Here is the PowerCLI code. It creates an "appvolumes" local account and an "AppVolumes" role with the required privileges, then assigns the role to the account on the host. Put your environment-specific information in the variables (the password values shown are placeholders: do not keep real passwords in a script you store or share; read them from a prompt or a vault instead):

$ESXiHostName -> FQDN or IP address of ESXi Host
$ESXiHostPass -> ESXi root password
$AppVolumesPass -> AppVolumes local account password

#Set parameters (placeholders; replace with your values or, better, prompt for the passwords)
$ESXiHostName = "xxx.xxx.xxx.xxx"
$ESXiHostPass = "VMware1!"
$AppVolumesPass = "AppVol1!"

#Connect directly to the ESXi host as root (this setup session is the only place root is needed):
Connect-VIServer -Protocol https -Server $ESXiHostName -User root -Password $ESXiHostPass

#Add a new local user account on the host (New-VMHostAccount grants no shell access by default):
New-VMHostAccount -Id appvolumes -Password $AppVolumesPass -Description "VMware App Volumes administration account" 

#Create a new role seeded with the first privilege; the remaining privileges are added below:
New-VIRole -Name AppVolumes -Privilege "Allocate space"

#Datastore privileges
Set-VIRole -Role AppVolumes -AddPrivilege "Browse datastore"
Set-VIRole -Role AppVolumes -AddPrivilege "Low level file operations"
Set-VIRole -Role AppVolumes -AddPrivilege "Remove file"
Set-VIRole -Role AppVolumes -AddPrivilege "Update virtual machine files"
#Folder privileges
Set-VIRole -Role AppVolumes -AddPrivilege "Create folder"
Set-VIRole -Role AppVolumes -AddPrivilege "Delete folder"
#Global, Host > Local operations, Sessions and Tasks privileges
Set-VIRole -Role AppVolumes -AddPrivilege "Cancel task"
Set-VIRole -Role AppVolumes -AddPrivilege "Reconfigure virtual machine"
Set-VIRole -Role AppVolumes -AddPrivilege "View and stop sessions"
Set-VIRole -Role AppVolumes -AddPrivilege "Create task"
#Virtual machine > Configuration privileges
Set-VIRole -Role AppVolumes -AddPrivilege "Add existing disk"
Set-VIRole -Role AppVolumes -AddPrivilege "Add new disk"
Set-VIRole -Role AppVolumes -AddPrivilege "Add or remove device"
Set-VIRole -Role AppVolumes -AddPrivilege "Change resource"
Set-VIRole -Role AppVolumes -AddPrivilege "Remove disk"
Set-VIRole -Role AppVolumes -AddPrivilege "Settings"
Set-VIRole -Role AppVolumes -AddPrivilege "Advanced"
#Virtual machine > Inventory privileges
Set-VIRole -Role AppVolumes -AddPrivilege "Create new"
Set-VIRole -Role AppVolumes -AddPrivilege "Move"
Set-VIRole -Role AppVolumes -AddPrivilege "Register"
Set-VIRole -Role AppVolumes -AddPrivilege "Remove"
Set-VIRole -Role AppVolumes -AddPrivilege "Unregister"
#Virtual machine > Provisioning privilege
Set-VIRole -Role AppVolumes -AddPrivilege "Promote disks"

#Assign the new role to the new account at the host level, propagating to all child objects:
New-VIPermission -Entity $ESXiHostName -Principal appvolumes -Role AppVolumes -Propagate:$true

Disconnect-VIServer -Server $ESXiHostName

You can check the created account and role with the following commands (run them before the final Disconnect-VIServer, or remove that line from the script to keep the connection to the ESXi host open):

Get-VMHostAccount
Get-VIRole
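The script above handles one host and keeps both passwords in clear text in the script body. The following is an added example, not the post's original script, that applies the same account, role and permission to a whole list of hosts in one run, prompts for the root and appvolumes credentials instead of hard-coding them, is safe to re-run (it only adds what is missing), and verifies the result with Get-VIPermission at the end. It resolves privileges by their vSphere API IDs rather than by display name, because IDs are unique in the privilege tree while display names are not guaranteed to be. The host names in $Hosts and the display-name-to-ID mapping in $PrivilegeIds are assumptions made for this example; check any ID in your environment with Get-VIPrivilege -Name '<display name>' before relying on it.

```powershell
# Added example (not the original post's script): create the App Volumes account,
# role and permission on a list of ESXi hosts in one run.
# Assumptions to verify: the host names in $Hosts, and the privilege-ID mapping
# in $PrivilegeIds (my reading of the display names used in the post).
# Check any of them with:  Get-VIPrivilege -Name '<display name>'

#Requires -Modules VMware.VimAutomation.Core
$ErrorActionPreference = 'Stop'

$Hosts     = @('esxi01.lab.example', 'esxi02.lab.example')   # assumed names
$AccountId = 'appvolumes'
$RoleName  = 'AppVolumes'

# Privilege IDs rather than display names: IDs are unique, display names need not be
$PrivilegeIds = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Datastore.DeleteFile', 'Datastore.UpdateVirtualMachineFiles',
    'Folder.Create', 'Folder.Delete',
    'Global.CancelTask',
    'Host.Local.ReconfigVM',
    'Sessions.TerminateSession',
    'Task.Create',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Move',
    'VirtualMachine.Inventory.Register', 'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.PromoteDisks'
)

# Prompt once for both secrets so nothing is hard-coded in the script or
# left behind in the PowerShell history file
$RootCred = Get-Credential -UserName 'root' -Message 'ESXi root credential'
$AppCred  = Get-Credential -UserName $AccountId -Message "New password for the local '$AccountId' account"

foreach ($HostName in $Hosts) {
    Write-Host "==> $HostName"
    $vi = Connect-VIServer -Server $HostName -Protocol https -Credential $RootCred
    try {
        # Resolve every privilege by ID on this host and stop if one is unknown
        $privs = @($PrivilegeIds | ForEach-Object { Get-VIPrivilege -Id $_ -Server $vi })
        if ($privs.Count -ne $PrivilegeIds.Count) {
            throw "Only $($privs.Count) of $($PrivilegeIds.Count) privileges resolved on $HostName"
        }

        # Role: create it once; on re-runs add only the privileges still missing
        $role = Get-VIRole -Name $RoleName -Server $vi -ErrorAction SilentlyContinue
        if (-not $role) {
            $role = New-VIRole -Name $RoleName -Privilege $privs -Server $vi
        } else {
            $toAdd = @($privs | Where-Object { $_.Id -notin $role.PrivilegeList })
            if ($toAdd.Count -gt 0) {
                $role = Set-VIRole -Role $role -AddPrivilege $toAdd -Server $vi
            }
        }

        # Account: local user, no shell access (New-VMHostAccount default)
        $account = Get-VMHostAccount -Id $AccountId -Server $vi -ErrorAction SilentlyContinue
        if (-not $account) {
            $account = New-VMHostAccount -Id $AccountId `
                -Password $AppCred.GetNetworkCredential().Password `
                -Description 'VMware App Volumes administration account' -Server $vi
        }

        # Permission: bind the role to the account at the host, propagating downwards
        $vmhost = Get-VMHost -Server $vi
        $perm = Get-VIPermission -Entity $vmhost -Principal $AccountId -Server $vi -ErrorAction SilentlyContinue
        if (-not $perm) {
            New-VIPermission -Entity $vmhost -Principal $AccountId -Role $role -Propagate:$true -Server $vi | Out-Null
        } elseif ($perm.Role -ne $RoleName) {
            Set-VIPermission -Permission $perm -Role $role -Propagate:$true | Out-Null
        }

        # Verify: the account should hold the AppVolumes role and nothing else
        $check = @(Get-VIPermission -Principal $AccountId -Server $vi)
        $check | Select-Object @{ n = 'Host'; e = { $HostName } }, Principal, Role, Propagate, Entity |
            Format-Table -AutoSize
        if ($check | Where-Object { $_.Role -ne $RoleName }) {
            Write-Warning "$HostName : '$AccountId' holds roles other than $RoleName; review them"
        }
    }
    finally {
        Disconnect-VIServer -Server $vi -Confirm:$false
    }
}
```

Two things to keep in mind when using it. The root credential is used only for this setup session; App Volumes Manager itself should be configured with the appvolumes account, never with root. And if the hosts run in lockdown mode, a local account can only log in directly to the host when it is on the host's Exception Users list, so add the appvolumes account there as part of the same change or the Manager will be refused the connection.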
Yevgeniy Steblyanko

Yevgeniy Steblyanko is an Infrastructure Architect/SME with experience in virtualization area for more than 15 years. His areas of interest are VMware vSphere, vSAN, NSX, automation on PowerCLI/PowerNSX. He has VMware certifications: VCIX-DCV, VCIX-NV.

