Friday, 11 February 2022

Registering VMware Cloud Disaster Recovery to vCenter with a restricted user account

A customer who is currently looking to deploy VMware Cloud Disaster Recovery (VCDR) globally recently asked about using a single Active Directory account with the minimum required permissions within vCenter as the account used to register their VCDR connectors to vCenter. For those who are new to VCDR, this is VMware's Disaster Recovery as a Service solution that offers on-demand disaster recovery with a very compelling total cost of ownership in comparison to on-premises disaster recovery.

The customer in question wanted to use a single Active Directory account across all their vCenters globally and didn't want to add the Active Directory account to the local Administrators group within vCenter. They like to operate using least privilege and only give the service account the permissions required to do its job. Luckily, VCDR has the ability to create a role with the required permissions for you using the connector CLI.

I'm going to assume that your VCDR Orchestrator, Scale-out Cloud Filesystem, and connector(s) have been deployed on-premises already. Since all connectors are the same we only need access to one. You can obtain the username and password for the connector via the VCDR Orchestrator:

Once you have SSH'd into one of the connectors, you can use the following command to create a new role called vcdr-failback-prvs:

drc create-vcenter-user --vcenter <IP or DNS NAME> --admin-username administrator@vsphere.local --admin-password <PASSWORD> --new-username vcdr-failback-prvs --new-password vcdr-failback-prvs --vcenter-role vcdr-failback-prvs --create-role-only --failback-privs

This command will create a new role called vcdr-failback-prvs which has all the required permissions to snapshot, failover, and failback workloads. In the command, you do need to specify a new username and password, but you can use the --create-role-only flag to create only the role and not the new local username and password. You would do this if you plan on using an Active Directory account rather than a local account. If you would rather use a local vCenter account, then you can omit the --create-role-only flag.

Once you run the command you should see it complete and the new role become visible within vCenter.

The command above has been truncated in the UI, but it is the same command I've highlighted above.
We can now see that the new role has been created with the minimum required permissions. This can then be used within vCenter with the Active Directory user account.
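The remaining step is to grant the newly created role to the Active Directory service account. The PowerCLI script below is an added example (it is not from the original post, nor VMware's own tooling) showing one way to do that and to check the result: it confirms the vcdr-failback-prvs role exists, records the privileges it grants so they can be reviewed, assigns the role to the AD principal, and then verifies the account holds no other role. The vCenter name and the DOMAIN\user principal are placeholders, and assigning at the inventory root with propagation is an assumption on my part; scope it more narrowly if your design allows.

```powershell
# Added example, not code from the original post or from VMware.
# Assumes: VMware PowerCLI is installed; $VCenter and $Principal below are
# placeholders; the vcdr-failback-prvs role was already created on this
# vCenter by the connector's "drc create-vcenter-user ... --create-role-only"
# command. Root-level assignment with propagation is an assumption.
param(
    [string]$VCenter   = 'vcenter.example.com',   # placeholder vCenter FQDN
    [string]$Principal = 'EXAMPLE\svc-vcdr',      # placeholder AD account (DOMAIN\user)
    [string]$RoleName  = 'vcdr-failback-prvs'     # role created by the connector CLI
)

# Prompt for the administrator credential instead of embedding a password in
# the script or passing it on the command line, where it would land in history.
$cred = Get-Credential -Message "vCenter administrator for $VCenter"
Connect-VIServer -Server $VCenter -Credential $cred | Out-Null

try {
    # 1. Confirm the role really exists before touching any permissions.
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop

    # 2. Record exactly what the role grants so the privilege set is reviewable.
    $privs = Get-VIPrivilege -Role $role | Select-Object -ExpandProperty Id
    Write-Host "Role '$RoleName' grants $($privs.Count) privileges:"
    $privs | Sort-Object | ForEach-Object { Write-Host "  $_" }

    # 3. Assign the role to the AD account at the inventory root, propagating
    #    to child objects so the connector can reach the VMs it protects.
    $root = Get-Folder -NoRecursion
    $existing = Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Permission already present for $Principal on root (role: $($existing.Role))"
    } else {
        New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true | Out-Null
        Write-Host "Assigned '$RoleName' to $Principal at the inventory root"
    }

    # 4. Least-privilege check: the account should hold only this role, nowhere else.
    $all   = Get-VIPermission -Principal $Principal
    $extra = $all | Where-Object { $_.Role -ne $RoleName }
    if ($extra) {
        $detail = ($extra | ForEach-Object { "$($_.Role)@$($_.Entity)" }) -join ', '
        Write-Warning "$Principal also holds other roles: $detail"
    } else {
        Write-Host "Verified: $Principal holds only '$RoleName'"
    }
}
finally {
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}
```

Run it once per vCenter (or wrap the body in a loop over your vCenter list) using the same AD principal, which is the single-account setup the customer wanted. The privilege listing in step 2 is worth saving alongside your change record, and the warning in step 4 is the quickest way to spot an account that has quietly been added to a broader role elsewhere in the inventory.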
