**Register and log in to vRealize Automation Cloud Assembly**
A VMware ID.

**Connect to the vRealize Automation service**
HTTPS port 443 open for outbound traffic, with access through the firewall to the following domains:
- *.vmwareidentity.com
- gaz.csp-vidm-prod.com
- *.vmware.com
For details about ports and protocols, see VMware Ports and Protocols. For information about the required ports and protocols, see Port Requirements.

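Egress rules written from the list above are usually implemented as a proxy or firewall allowlist, and the wildcard entries are where mistakes happen: `*.vmware.com` must not be read as "anything ending in vmware.com" (that would admit notvmware.com) and does not cover the bare apex vmware.com either. The following added example, which is not part of the VMware page, implements that matching and flags logged destinations that fall outside the allowlist; the domain list is the page's, while the log hostnames are constructed sample data.

```python
"""Egress allowlist check for the outbound domains that vRealize Automation needs.

Added example, not part of the VMware page. The domain list comes from the page;
the log hostnames below are constructed sample data.
"""
from typing import Iterable, List

# Allowlist from the page. A '*.' entry means "any subdomain of", not the bare apex.
ALLOWED_DOMAINS = ["*.vmwareidentity.com", "gaz.csp-vidm-prod.com", "*.vmware.com"]

# Constructed sample: destination hosts as a proxy or firewall log might record them.
SAMPLE_LOG_HOSTS = [
    "login.vmwareidentity.com",
    "GAZ.csp-vidm-prod.com.",        # mixed case with a trailing dot (FQDN form)
    "packages.vmware.com",
    "vmware.com.example.net",        # an allowed name reused as a prefix of another domain
    "updates.example.org",
]


def _normalize(name: str) -> str:
    """DNS names are case-insensitive and may end in a dot; compare a canonical form."""
    return name.strip().rstrip(".").lower()


def host_allowed(host: str, patterns: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """Return True if host matches an allowlist entry.

    '*.example.com' matches one or more labels under example.com (a.example.com,
    a.b.example.com) but neither example.com itself nor notexample.com: the match
    requires the literal '.example.com' suffix plus at least one character before it.
    Entries without a wildcard must match the whole name exactly.
    """
    h = _normalize(host)
    if not h:
        return False
    for pattern in patterns:
        p = _normalize(pattern)
        if p.startswith("*."):
            suffix = p[1:]                       # "*.vmware.com" -> ".vmware.com"
            if len(h) > len(suffix) and h.endswith(suffix):
                return True
        elif h == p:
            return True
    return False


def unexpected_destinations(hosts: Iterable[str],
                            patterns: Iterable[str] = ALLOWED_DOMAINS) -> List[str]:
    """Return the hosts (as logged) that fall outside the allowlist, for review."""
    pats = list(patterns)                        # patterns may be a one-shot iterator
    return [host for host in hosts if not host_allowed(host, pats)]


if __name__ == "__main__":
    for host in unexpected_destinations(SAMPLE_LOG_HOSTS):
        print("not on allowlist:", host)
```

Run it against the hostnames your proxy actually logged during cloud account setup; anything it prints is either a destination the page does not list or an allowlist entry that is looser than intended.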
**Add an Amazon Web Services (AWS) cloud account**
Provide a power user account with read and write permissions. The user account must be a member of the PowerUserAccess policy in the AWS Identity and Access Management (IAM) system.
If you use an external HTTP Internet proxy, it must be configured for IPv4. vRealize Automation action-based extensibility (ABX) and external IPAM integrations might require additional permissions.
To allow Auto Scaling functionality, the following AWS permissions are recommended:
- Auto Scaling actions:
  - autoscaling:DescribeAutoScalingInstances
  - autoscaling:AttachInstances
  - autoscaling:DeleteLaunchConfiguration
  - autoscaling:DescribeAutoScalingGroups
  - autoscaling:CreateAutoScalingGroup
  - autoscaling:UpdateAutoScalingGroup
  - autoscaling:DeleteAutoScalingGroup
  - autoscaling:DescribeLoadBalancers
- Auto Scaling resources:
To allow AWS Security Token Service (AWS STS) functionality, which provides temporary, limited-privilege credentials for AWS identities and access, the following permissions are required:
To allow EC2 functionality, the following AWS permissions are required:
To allow Elastic Load Balancing functionality, the following AWS permissions are required:
- Load balancer actions:
  - elasticloadbalancing:DeleteLoadBalancer
  - elasticloadbalancing:DescribeLoadBalancers
  - elasticloadbalancing:RemoveTags
  - elasticloadbalancing:CreateLoadBalancer
  - elasticloadbalancing:DescribeTags
  - elasticloadbalancing:ConfigureHealthCheck
  - elasticloadbalancing:AddTags
  - elasticloadbalancing:CreateTargetGroup
  - elasticloadbalancing:DeleteLoadBalancerListeners
  - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
  - elasticloadbalancing:RegisterInstancesWithLoadBalancer
  - elasticloadbalancing:CreateLoadBalancerListeners
- Load balancer resources:
The following AWS Identity and Access Management (IAM) permissions can be enabled, but they are not required:
- iam:SimulateCustomPolicy
- iam:GetUser
- iam:ListUserPolicies
- iam:GetUserPolicy
- iam:ListAttachedUserPolicies
- iam:GetPolicyVersion
- iam:ListGroupsForUser
- iam:ListGroupPolicies
- iam:GetGroupPolicy
- iam:ListAttachedGroupPolicies
- iam:ListPolicyVersions

**Add a Microsoft Azure cloud account**
Configure a Microsoft Azure instance and obtain a valid Microsoft Azure subscription in which you can use the subscription ID. Create an Active Directory application as described in "How to: Use the portal to create an Azure AD application and service principal that can access resources" in the Microsoft Azure product documentation. If you use an external HTTP Internet proxy, it must be configured for IPv4.
Record the following information:
- Subscription ID: grants you access to the Microsoft Azure subscription.
- Tenant ID: the authorization endpoint of the Active Directory application that you created in your Microsoft Azure account.
- Client application ID: used to access Microsoft Active Directory in your Microsoft Azure personal account.
- Client application secret key: a unique generated secret key that is paired with the client application ID.
Creating and validating a Microsoft Azure cloud account requires the following permissions:
- Microsoft Compute
  - Microsoft.Compute/virtualMachines/extensions/write
  - Microsoft.Compute/virtualMachines/extensions/read
  - Microsoft.Compute/virtualMachines/extensions/delete
  - Microsoft.Compute/virtualMachines/deallocate/action
  - Microsoft.Compute/virtualMachines/delete
  - Microsoft.Compute/virtualMachines/powerOff/action
  - Microsoft.Compute/virtualMachines/read
  - Microsoft.Compute/virtualMachines/restart/action
  - Microsoft.Compute/virtualMachines/start/action
  - Microsoft.Compute/virtualMachines/write
  - Microsoft.Compute/availabilitySets/write
  - Microsoft.Compute/availabilitySets/read
  - Microsoft.Compute/availabilitySets/delete
  - Microsoft.Compute/disks/delete
  - Microsoft.Compute/disks/read
  - Microsoft.Compute/disks/write
- Microsoft Network
  - Microsoft.Network/loadBalancers/backendAddressPools/join/action
  - Microsoft.Network/loadBalancers/delete
  - Microsoft.Network/loadBalancers/read
  - Microsoft.Network/loadBalancers/write
  - Microsoft.Network/networkInterfaces/join/action
  - Microsoft.Network/networkInterfaces/read
  - Microsoft.Network/networkInterfaces/write
  - Microsoft.Network/networkInterfaces/delete
  - Microsoft.Network/networkSecurityGroups/join/action
  - Microsoft.Network/networkSecurityGroups/read
  - Microsoft.Network/networkSecurityGroups/write
  - Microsoft.Network/networkSecurityGroups/delete
  - Microsoft.Network/publicIPAddresses/delete
  - Microsoft.Network/publicIPAddresses/join/action
  - Microsoft.Network/publicIPAddresses/read
  - Microsoft.Network/publicIPAddresses/write
  - Microsoft.Network/virtualNetworks/read
  - Microsoft.Network/virtualNetworks/subnets/delete
  - Microsoft.Network/virtualNetworks/subnets/join/action
  - Microsoft.Network/virtualNetworks/subnets/read
  - Microsoft.Network/virtualNetworks/subnets/write
  - Microsoft.Network/virtualNetworks/write
- Microsoft Resources
  - Microsoft.Resources/subscriptions/resourcegroups/delete
  - Microsoft.Resources/subscriptions/resourcegroups/read
  - Microsoft.Resources/subscriptions/resourcegroups/write
- Microsoft Storage
- Microsoft Web
  - Microsoft.Web/sites/read
  - Microsoft.Web/sites/write
  - Microsoft.Web/sites/delete
  - Microsoft.Web/sites/config/read
  - Microsoft.Web/sites/config/write
  - Microsoft.Web/sites/config/list/action
  - Microsoft.Web/sites/publishxml/action
  - Microsoft.Web/serverfarms/write
  - Microsoft.Web/serverfarms/delete
  - Microsoft.Web/sites/hostruntime/functions/keys/read
  - Microsoft.Web/sites/hostruntime/host/read
  - Microsoft.Web/sites/functions/masterkey/read
If you use Microsoft Azure with action-based extensibility, the following permissions are required in addition to the minimum permissions:
- Microsoft.Web/sites/read
- Microsoft.Web/sites/write
- Microsoft.Web/sites/delete
- Microsoft.Web/sites/*/action
- Microsoft.Web/sites/config/read
- Microsoft.Web/sites/config/write
- Microsoft.Web/sites/config/list/action
- Microsoft.Web/sites/publishxml/action
- Microsoft.Web/serverfarms/write
- Microsoft.Web/serverfarms/delete
- Microsoft.Web/sites/hostruntime/functions/keys/read
- Microsoft.Web/sites/hostruntime/host/read
- Microsoft.Web/sites/functions/masterkey/read
- Microsoft.Web/apimanagementaccounts/apis/read
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleAssignments/write
- Microsoft.Authorization/roleAssignments/delete
If you use Microsoft Azure with action-based extensibility that includes extensions, the following permissions are also required:
- Microsoft.Compute/virtualMachines/extensions/write
- Microsoft.Compute/virtualMachines/extensions/read
- Microsoft.Compute/virtualMachines/extensions/delete

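The AWS and Azure rows above give the required actions as flat lists, while the credential you actually hand to the integration is a policy or custom role written with wildcards, explicit denies (AWS `Deny`) and subtractions (Azure `NotActions`). Whether such a document really covers every listed action is easy to get wrong by eye. The following added example, which is not VMware's code, checks an IAM policy and an Azure custom role against the page's action lists (the full AWS Auto Scaling and Elastic Load Balancing lists; a subset of the Azure Microsoft.Compute, Microsoft.Network and Microsoft.Resources operations) and reports the gaps. The policy and role documents are constructed samples; the Azure role uses the shape accepted by `az role definition create`.

```python
"""Check whether a cloud IAM policy actually grants the actions a product requires.

Added example, not VMware's code. The required-action lists are taken from the
page; the policy and role definition documents are constructed sample data.
"""
import fnmatch
from typing import Dict, Iterable, List

REQUIRED_AWS_ACTIONS = [
    "autoscaling:DescribeAutoScalingInstances", "autoscaling:AttachInstances",
    "autoscaling:DeleteLaunchConfiguration", "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup",
    "autoscaling:DeleteAutoScalingGroup", "autoscaling:DescribeLoadBalancers",
    "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:RemoveTags", "elasticloadbalancing:CreateLoadBalancer",
    "elasticloadbalancing:DescribeTags", "elasticloadbalancing:ConfigureHealthCheck",
    "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateTargetGroup",
    "elasticloadbalancing:DeleteLoadBalancerListeners",
    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
    "elasticloadbalancing:CreateLoadBalancerListeners",
]

# Subset of the page's Azure list, enough to exercise wildcards and NotActions.
REQUIRED_AZURE_ACTIONS = [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Network/networkInterfaces/join/action",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Resources/subscriptions/resourcegroups/delete",
    "Microsoft.Resources/subscriptions/resourcegroups/read",
    "Microsoft.Resources/subscriptions/resourcegroups/write",
]

# Constructed sample: a scoped-down policy a team might try instead of PowerUserAccess.
SAMPLE_AWS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["autoscaling:Describe*", "elasticloadbalancing:*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "elasticloadbalancing:DeleteLoadBalancer", "Resource": "*"},
    ],
}

# Constructed sample: a custom role in the shape `az role definition create` accepts.
SAMPLE_AZURE_ROLE = {
    "Name": "vra-cloud-account (sample)",
    "Actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/*/read",
                "Microsoft.Resources/subscriptions/resourcegroups/*"],
    "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}


def _covered(action: str, patterns: Iterable[str]) -> bool:
    """Case-insensitive match; '*' in an AWS or Azure action pattern spans any characters."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _as_list(value) -> List[str]:
    """IAM accepts "Action": "x" as well as "Action": ["x", "y"]."""
    return [value] if isinstance(value, str) else list(value or [])


def aws_missing_actions(policy: Dict, required: Iterable[str]) -> List[str]:
    """Required actions the policy does not grant, judged on the Action dimension only.

    An explicit Deny overrides an Allow. Resource ARNs, Condition blocks and
    NotAction statements are not evaluated here; a real review must still check
    them, for example with iam:SimulateCustomPolicy.
    """
    allowed, denied = [], []
    for stmt in policy.get("Statement", []):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt.get("Action")))
    return [a for a in required if not _covered(a, allowed) or _covered(a, denied)]


def azure_missing_actions(role: Dict, required: Iterable[str]) -> List[str]:
    """Required operations the custom role does not grant (NotActions subtract from Actions)."""
    actions, not_actions = role.get("Actions", []), role.get("NotActions", [])
    return [a for a in required if not _covered(a, actions) or _covered(a, not_actions)]


if __name__ == "__main__":
    print("AWS gaps:", aws_missing_actions(SAMPLE_AWS_POLICY, REQUIRED_AWS_ACTIONS))
    print("Azure gaps:", azure_missing_actions(SAMPLE_AZURE_ROLE, REQUIRED_AZURE_ACTIONS))
```

On the samples, the AWS check reports the five non-Describe Auto Scaling actions plus `elasticloadbalancing:DeleteLoadBalancer`, which is allowed by the wildcard but then explicitly denied; the Azure check reports the VM delete removed by `NotActions` and the three network interface operations that `Microsoft.Network/*/read` does not reach. Paste the page's full lists into the two constants to check a real candidate policy before attaching it.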
**Add a Google Cloud Platform (GCP) cloud account**
A Google Cloud Platform cloud account interacts with Google Cloud Platform Compute Engine. Creating and validating a Google Cloud Platform cloud account requires project administrator and owner credentials. If you use an external HTTP Internet proxy, it must be configured for IPv4. The Compute Engine service must be enabled. When you create the cloud account in vRealize Automation, use the service account that was created when Compute Engine was initialized. The following Compute Engine permissions are also required, depending on the operations that the user can perform:
- roles/compute.admin
  Full control of all Compute Engine resources.
- roles/iam.serviceAccountUser
  For users who manage virtual machine instances that are configured to run as a service account. Grants access to the following resources and services:
  - compute.*
  - resourcemanager.projects.get
  - resourcemanager.projects.list
  - serviceusage.quotas.get
  - serviceusage.services.get
  - serviceusage.services.list
- roles/compute.imageUser
  Permission to list and read images without having other permissions on the image. Granting the compute.imageUser role at the project level lets users list all images in the project. It also lets users create resources, such as instances and persistent disks, based on images in the project.
  - compute.images.get
  - compute.images.getFromFamily
  - compute.images.list
  - compute.images.useReadOnly
  - resourcemanager.projects.get
  - resourcemanager.projects.list
  - serviceusage.quotas.get
  - serviceusage.services.get
  - serviceusage.services.list
- roles/compute.instanceAdmin
  Permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and to configure Shielded VM (beta) settings. For users who manage virtual machine instances (but not network or security settings, or instances that run as service accounts), grant this role to the organization, folder, or project that contains the instances, or to individual instances. Users who manage virtual machine instances that are configured to run as a service account also need the roles/iam.serviceAccountUser role.
  - compute.acceleratorTypes
  - compute.addresses.get
  - compute.addresses.list
  - compute.addresses.use
  - compute.autoscalers
  - compute.diskTypes
  - compute.disks.create
  - compute.disks.createSnapshot
  - compute.disks.delete
  - compute.disks.get
  - compute.disks.list
  - compute.disks.resize
  - compute.disks.setLabels
  - compute.disks.update
  - compute.disks.use
  - compute.disks.useReadOnly
  - compute.globalAddresses.get
  - compute.globalAddresses.list
  - compute.globalAddresses.use
  - compute.globalOperations.get
  - compute.globalOperations.list
  - compute.images.get
  - compute.images.getFromFamily
  - compute.images.list
  - compute.images.useReadOnly
  - compute.instanceGroupManagers
  - compute.instanceGroups
  - compute.instanceTemplates
  - compute.instances
  - compute.licenses.get
  - compute.licenses.list
  - compute.machineTypes
  - compute.networkEndpointGroups
  - compute.networks.get
  - compute.networks.list
  - compute.networks.use
  - compute.networks.useExternalIp
  - compute.projects.get
  - compute.regionOperations.get
  - compute.regionOperations.list
  - compute.regions
  - compute.reservations.get
  - compute.reservations.list
  - compute.subnetworks.get
  - compute.subnetworks.list
  - compute.subnetworks.use
  - compute.subnetworks.useExternalIp
  - compute.targetPools.get
  - compute.targetPools.list
  - compute.zoneOperations.get
  - compute.zoneOperations.list
  - compute.zones
  - resourcemanager.projects.get
  - resourcemanager.projects.list
  - serviceusage.quotas.get
  - serviceusage.services.get
  - serviceusage.services.list
- roles/compute.instanceAdmin.v1
  Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Also provides read access to all Compute Engine networking resources.
  Note: If this role is granted to a user at the instance level, that user cannot create new instances.
  - compute.acceleratorTypes
  - compute.addresses.get
  - compute.addresses.list
  - compute.addresses.use
  - compute.autoscalers
  - compute.backendBuckets.get
  - compute.backendBuckets.list
  - compute.backendServices.get
  - compute.backendServices.list
  - compute.diskTypes
  - compute.disks
  - compute.firewalls.get
  - compute.firewalls.list
  - compute.forwardingRules.get
  - compute.forwardingRules.list
  - compute.globalAddresses.get
  - compute.globalAddresses.list
  - compute.globalAddresses.use
  - compute.globalForwardingRules.get
  - compute.globalForwardingRules.list
  - compute.globalOperations.get
  - compute.globalOperations.list
  - compute.healthChecks.get
  - compute.healthChecks.list
  - compute.httpHealthChecks.get
  - compute.httpHealthChecks.list
  - compute.httpsHealthChecks.get
  - compute.httpsHealthChecks.list
  - compute.images
  - compute.instanceGroupManagers
  - compute.instanceGroups
  - compute.instanceTemplates
  - compute.instances
  - compute.interconnectAttachments.get
  - compute.interconnectAttachments.list
  - compute.interconnectLocations
  - compute.interconnects.get
  - compute.interconnects.list
  - compute.licenseCodes
  - compute.licenses
  - compute.machineTypes
  - compute.networkEndpointGroups
  - compute.networks.get
  - compute.networks.list
  - compute.networks.use
  - compute.networks.useExternalIp
  - compute.projects.get
  - compute.projects.setCommonInstanceMetadata
  - compute.regionBackendServices.get
  - compute.regionBackendServices.list
  - compute.regionOperations.get
  - compute.regionOperations.list
  - compute.regions
  - compute.reservations.get
  - compute.reservations.list
  - compute.resourcePolicies
  - compute.routers.get
  - compute.routers.list
  - compute.routes.get
  - compute.routes.list
  - compute.snapshots
  - compute.sslCertificates.get
  - compute.sslCertificates.list
  - compute.sslPolicies.get
  - compute.sslPolicies.list
  - compute.sslPolicies.listAvailableFeatures
  - compute.subnetworks.get
  - compute.subnetworks.list
  - compute.subnetworks.use
  - compute.subnetworks.useExternalIp
  - compute.targetHttpProxies.get
  - compute.targetHttpProxies.list
  - compute.targetHttpsProxies.get
  - compute.targetHttpsProxies.list
  - compute.targetInstances.get
  - compute.targetInstances.list
  - compute.targetPools.get
  - compute.targetPools.list
  - compute.targetSslProxies.get
  - compute.targetSslProxies.list
  - compute.targetTcpProxies.get
  - compute.targetTcpProxies.list
  - compute.targetVpnGateways.get
  - compute.targetVpnGateways.list
  - compute.urlMaps.get
  - compute.urlMaps.list
  - compute.vpnTunnels.get
  - compute.vpnTunnels.list
  - compute.zoneOperations.get
  - compute.zoneOperations.list
  - compute.zones
  - resourcemanager.projects.get
  - resourcemanager.projects.list
  - serviceusage.quotas.get
  - serviceusage.services.get
  - serviceusage.services.list

**Add an NSX-T cloud account**
Provide an account with the following read and write permissions:
- NSX-T Enterprise Administrator role and access credentials
- NSX-T IP address or FQDN
Administrators also need access to vCenter Server, as described in the "vSphere agent requirements for vCenter-based cloud accounts" section below on this page.

**Add an NSX-V cloud account**
Provide an account with the following read and write permissions:
- NSX-V Enterprise Administrator role and access credentials
- NSX-V IP address or FQDN
Administrators also need access to vCenter Server, as described in the "vSphere agent requirements for vCenter-based cloud accounts" section below on this page.

**Add a vCenter cloud account**
Administrators also need access to vCenter Server, as described in the "vSphere agent requirements for vCenter-based cloud accounts" section below on this page.

**Add a VMware Cloud on AWS (VMC) cloud account**
Provide an account with the following read and write permissions:
- The cloudadmin@vmc.local account, or any user account in the CloudAdmin group
- NSX Enterprise Administrator role and access credentials
- NSX Cloud Admin access to your organization's VMware Cloud on AWS SDDC environment
- Administrator access to your organization's VMware Cloud on AWS SDDC environment
- A VMware Cloud on AWS API token for the VMware Cloud on AWS environment in your organization's VMware Cloud on AWS service
- vCenter IP address or FQDN
Administrators also need access to the vCenter used by your target VMware Cloud on AWS SDDC, with all the permissions listed in the "vCenter agent requirements for vSphere-based cloud accounts" section below on this page. For details about the permissions required to create and use a VMware Cloud on AWS cloud account, see Managing VMware Cloud on AWS Data Centers in the VMware Cloud on AWS product documentation.