security

multi-clone.py minimal user permissions

multi-clone.py minimal user permissions

Half a year ago, I posted about a Python script I created using PySphere, called multi-clone.py. I used this script to quickly deploy multiple vm’s from the same template and do some post-processing. This allowed me to easily setup a lab environment to test any sort of cluster tool, configuration management tool, …

This tool has been picked up by some other people. I’m happy to see my work is useful to others. This also meant that I got the occasional question about it.

Last week someone came to me with an issue, he got strange error messages. At first I thought it might have been a version mismatch as the original script was developed using PySphere 0.1.7, and he was using PySphere 0.1.8. After a quick update on my end and testing it with PySphere 0.1.8, everything worked fine. I had the same vSphere version, the same PySphere version and I did the same command as he did. Sadly, I couldn’t reproduce the error.

At this point, all I could think of was a permissions error. So we tested if the user could create a template with the exact same information, using the web-client. It seemed he couldn’t.

All this got me thinking about the minimal security permissions a user needed to run my script in a vSphere environment. So I tested a few permission setups and came up with a minimal permissions list. I added this to the Github repository readme file, but decided to post it here as well.

All permissions are only necessary on their appropriate item. For instance: datastore permissions are only necessary for the datastores on which the template and VMs will be located (or cluster if a Storage DRS cluster), so you can limit access to only a certain set of datastores.

Minimal permissions necessary to run multi-clone.py and all it’s features

  • Datastore
    • Allocate space
  • Network
    • Assign Network
  • Resource
    • Apply recommendation
    • Assign virtual machine to resource pool
  • Scheduled task
    • Create tasks
    • Run task
  • Virtual Machine
    • Configuration
      • Add new disk
    • Interaction
      • Power on
    • Inventory
      • Create from existing
    • Provisioning
      • Clone virtual machine (*)
      • Deploy from template

(*) This is in case you want to use the script to clone an actual VM instead of a VM template