To configure and work with cloud accounts in VMware Aria Automation, verify that you have the following credentials.
Required overall credentials
To... | You need... |
---|---|
Sign up for and log in to Automation Assembler |
A VMware ID.
|
Connect to VMware Aria Automation services |
HTTPS port 443 open to outgoing traffic with access through the firewall to:
For more information about ports and protocols, see VMware Ports and Protocols. For more information about ports and protocols, see Port Requirements in the Reference Architecture help. |
vCenter cloud account credentials
This section describes the credentials that are required to add a vCenter cloud account.
- vCenter IP address or FQDN
The permissions needed to manage VMware Cloud on AWS and vCenter cloud accounts are listed. Permissions must be enabled for all clusters in the vCenter, not just clusters that host endpoints.
To support control of VMware's Virtual Trusted Platform Module (vTPM) when deploying Windows 11 VMs, you must have the cryptographic operations -> direct access privilege in vCenter. Without this privilege, console access from VMware Aria Automation to Windows 11 VMs is not possible. For related information, see Virtual Trusted Platform Module Overview.
For all vCenter-based cloud accounts - including NSX-V, NSX-T, vCenter, and VMware Cloud on AWS - the administrator must have vSphere endpoint credentials, or the credentials under which the agent service runs in vCenter, that provide administrative access to the host vCenter.
Setting | Selection |
---|---|
Content library To assign a privilege on a content library, an administrator must grant the privilege to the user as a global privilege. For related information, see Hierarchical Inheritance of Permissions for Content Libraries in vSphere Virtual Machine Administration at VMware vSphere Documentation. |
|
Datastore |
|
Datastore cluster |
|
Folder |
|
Global |
|
Network |
|
Permissions |
|
Profile-driven storage |
|
Resource |
|
vApp |
|
Virtual machine |
Change Configuration
Edit Inventory
Interaction
Provisioning
Snapshot management
|
vSphere Tagging |
|
Amazon Web Services (AWS) cloud account credentials
This section describes the credentials that are required to add a Amazon Web Services cloud account. See the above vCenter cloud account credentials section for addition credential requirements.
Provide a power user account with read and write privileges. The user account must be a member of the power access policy (PowerUserAccess) in the AWS Identity and Access Management (IAM) system.
Enable the 20-digit Access Key ID and corresponding Secret Access Key access.
If you are using an external HTTP Internet proxy, it must be configured for IPv4.
Setting | Selection |
---|---|
Autoscaling actions | The following AWS permissions are suggested to allow autoscaling functions:
|
Autoscaling resources | The following permissions are required to allow autoscaling resource permissions:
|
AWS Security Token Service (AWS STS) resources | The following permissions are required to allow AWS Security Token Service (AWS STS) functions to support temporary, limited-privilege credentials for AWS identity and access:
|
EC2 actions | The following AWS permissions are required to allow EC2 functions:
|
EC2 resources |
|
Elastic load balancing - load balancer actions |
|
Elastic load balancing - load balancer resources |
|
AWS Identity and Access Management (IAM) |
The following AWS Identity and Access Management (IAM) permissions can be enabled, however they are not required:
|
Microsoft Azure cloud account credentials
This section describes the credentials that are required to add a Microsoft Azure cloud account.
Configure a Microsoft Azure instance and obtain a valid Microsoft Azure subscription from which you can use the subscription ID.
Create an Active Directory application as described in How to: Use the portal to create an Azure AD application and service principal that can access resources in Microsoft Azure product documentation.
If you are using an external HTTP Internet proxy, it must be configured for IPv4.
- General settings
The following overall settings are required.
Setting Description Subscription ID Allows you to access to your Microsoft Azure subscriptions. Tenant ID The authorization endpoint for the Active Directory applications you create in your Microsoft Azure account. Client application ID Provides access to Microsoft Active Directory in your Microsoft Azure individual account. Client application secret key The unique secret key generated to pair with your client application ID. - Settings for creating and validating cloud accounts
The following permissions are needed for creating and validating Microsoft Azure cloud accounts.
Setting Selection Microsoft Compute - Microsoft.Compute/virtualMachines/extensions/write
- Microsoft.Compute/virtualMachines/extensions/read
- Microsoft.Compute/virtualMachines/extensions/delete
- Microsoft.Compute/virtualMachines/deallocate/action
- Microsoft.Compute/virtualMachines/delete
- Microsoft.Compute/virtualMachines/powerOff/action
- Microsoft.Compute/virtualMachines/read
- Microsoft.Compute/virtualMachines/restart/action
- Microsoft.Compute/virtualMachines/start/action
- Microsoft.Compute/virtualMachines/write
- Microsoft.Compute/availabilitySets/write
- Microsoft.Compute/availabilitySets/read
- Microsoft.Compute/availabilitySets/delete
- Microsoft.Compute/disks/delete
- Microsoft.Compute/disks/read
- Microsoft.Compute/disks/write
Microsoft Network - Microsoft.Network/loadBalancers/backendAddressPools/join/action
- Microsoft.Network/loadBalancers/delete
- Microsoft.Network/loadBalancers/read
- Microsoft.Network/loadBalancers/write
- Microsoft.Network/networkInterfaces/join/action
- Microsoft.Network/networkInterfaces/read
- Microsoft.Network/networkInterfaces/write
- Microsoft.Network/networkInterfaces/delete
- Microsoft.Network/networkSecurityGroups/join/action
- Microsoft.Network/networkSecurityGroups/read
- Microsoft.Network/networkSecurityGroups/write
- Microsoft.Network/networkSecurityGroups/delete
- Microsoft.Network/publicIPAddresses/delete
- Microsoft.Network/publicIPAddresses/join/action
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/publicIPAddresses/write
- Microsoft.Network/virtualNetworks/read
- Microsoft.Network/virtualNetworks/subnets/delete
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/read
- Microsoft.Network/virtualNetworks/subnets/write
- Microsoft.Network/virtualNetworks/write
Microsoft Resources - Microsoft.Resources/subscriptions/resourcegroups/delete
- Microsoft.Resources/subscriptions/resourcegroups/read
- Microsoft.Resources/subscriptions/resourcegroups/write
Microsoft Storage - Microsoft.Storage/storageAccounts/delete
- Microsoft.Storage/storageAccounts/read
-
Microsoft.Storage/storageAccounts/write
-
Microsoft.Storage/storageAccounts/listKeys/action is not generally required, but may be needed by users to view storage accounts.
Microsoft Web - Microsoft.Web/sites/read
- Microsoft.Web/sites/write
- Microsoft.Web/sites/delete
- Microsoft.Web/sites/config/read
- Microsoft.Web/sites/config/write
- Microsoft.Web/sites/config/list/action
- Microsoft.Web/sites/publishxml/action
- Microsoft.Web/serverfarms/write
- Microsoft.Web/serverfarms/delete
- Microsoft.Web/sites/hostruntime/functions/keys/read
- Microsoft.Web/sites/hostruntime/host/read
- Microsoft.web/sites/functions/masterkey/read
- Settings for action-based extensibility
If you are using Microsoft Azure with action-based extensibility, the following permissions are required, in addition to the minimal permissions.
Setting Selection Microsoft Web - Microsoft.Web/sites/read
- Microsoft.Web/sites/write
- Microsoft.Web/sites/delete
- Microsoft.Web/sites/*/action
- Microsoft.Web/sites/config/read
- Microsoft.Web/sites/config/write
- Microsoft.Web/sites/config/list/action
- Microsoft.Web/sites/publishxml/action
- Microsoft.Web/serverfarms/write
- Microsoft.Web/serverfarms/delete
- Microsoft.Web/sites/hostruntime/functions/keys/read
- Microsoft.Web/sites/hostruntime/host/read
- Microsoft.Web/sites/functions/masterkey/read
- Microsoft.Web/apimanagementaccounts/apis/read
Microsoft Authorization - Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleAssignments/write
- Microsoft.Authorization/roleAssignments/delete
Microsoft Insights - Microsoft.Insights/Components/Read
- Microsoft.Insights/Components/Write
- Microsoft.Insights/Components/Query/Read
- Settings for action-based extensibility with extensions
If you are using Microsoft Azure with action-based extensibility with extensions, the following permissions are also required.
Setting Selection Microsoft.Compute - Microsoft.Compute/virtualMachines/extensions/write
- Microsoft.Compute/virtualMachines/extensions/read
- Microsoft.Compute/virtualMachines/extensions/delete
For related information about creating a Microsoft Azure cloud account, see Configure Microsoft Azure.
Google Cloud Platform (GCP) cloud account credentials
This section describes the credentials that are required to add a Google Cloud Platform cloud account.
The Google Cloud Platform cloud account interacts with the Google Cloud Platform compute engine.
The Project Admin and Owner credentials are required for creating and validating Google Cloud Platform cloud accounts.
If you are using an external HTTP Internet proxy, it must be configured for IPv4.
The compute engine service must be enabled. When creating the cloud account in VMware Aria Automation, use the service account that was created when the compute engine was initialized.
Setting | Selection |
---|---|
roles/compute.admin |
Provides full control of all compute engine resources. |
roles/iam.serviceAccountUse |
Provides access to users who manage virtual machine instances that are configured to run as a service account. Grant access to the following resources and services:
|
roles/compute.imageUser |
Provides permission to list and read images without having other permissions on the image. Granting the compute.imageUser role at the project level gives users the ability to list all images in the project. It also allows users to create resources, such as instances and persistent disks, based on images in the project.
|
roles/compute.instanceAdmin |
Provides permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure shielded VMBETA settings. For users that manage virtual machine instances (but not network or security settings or instances that run as service accounts), grant this role to the organization, folder, or project that contains the instances, or to the individual instances. Users that manage virtual machine instances that are configured to run as a service account also need the roles/iam.serviceAccountUser role.
|
roles/compute.instanceAdmin.v1 |
Provides full control of compute engine instances, instance groups, disks, snapshots, and images. Also provides read access to all compute engine networking resources.
Note: If you grant a user this role at the instance level, that user cannot create new instances.
|
NSX-T cloud account credentials
This section describes the credentials that are required to add an NSX-T cloud account.
As of NSX-T Data Center 3.1, custom roles are supported.
- NSX-T IP address or FQDN
- NSX-T Data Center - Enterprise Administrator role and access credentials
The auditor role is required.
Category/Subcategory | Permission |
---|---|
Networking - Tier-0 Gateways | Read-only |
Networking - Tier-0 Gateways -> OSPF | None |
Networking - Tier-1 Gateways | Full Access |
Networking - Segments | Full Access |
Networking - VPN | None |
Networking - NAT | Full Access |
Networking - Load Balancing | Full Access |
Networking - Forwarding Policy | None |
Networking - Statistics | None |
Networking - DNS | None |
Networking - DHCP | Full Access |
Networking - IP Address Pools | None |
Networking - Profiles | Read-only |
Security - Threat Detection & Response | None |
Security - Distributed Firewall | Full Access |
Security - IDS/IPS & Malware Prevention | None |
Security - TLS Inspection | None |
Security - Identity Firewall | None |
Security - Gateway Firewall | None |
Security - Service Chain Management | None |
Security - Firewall Time Window | None |
Security - Profiles | None |
Security - Service Profiles | None |
Security - Firewall Settings | Full Access |
Security - Gateway Security Settings | None |
Inventory | Full Access |
Troubleshooting | None |
System | None |
Administrators also require access to the vCenter as described in the vCenter cloud account credentials section of this topic.
NSX-V cloud account credentials
This section describes the credentials that are required to add an NSX-V cloud account.
- NSX-V Enterprise Administrator role and access credentials
- NSX-V IP address or FQDN
Administrators also require access to the vCenter as described in the Add a vCenter cloud account section of this table.
VMware Cloud on AWS (VMC on AWS) cloud account credentials
This section describes the credentials that are required to add an VMware Cloud on AWS (VMC on AWS) cloud account.
- The [email protected] account or any user account in the CloudAdmin group
- NSX Enterprise Administrator role and access credentials
- NSX Cloud Admin access to your organization's VMware Cloud on AWS SDDC environment
- Administrator access to your organization's VMware Cloud on AWS SDDC environment
- The VMware Cloud on AWS API token for your VMware Cloud on AWS environment in your organization's VMware Cloud on AWS service
- vCenter IP address or FQDN
Administrators also require access to the vCenter as described in the Add a vCenter cloud account section of this table.
For more information about the permissions needed to create and use VMware Cloud on AWS cloud accounts, see Managing the VMware Cloud on AWS Data Center in VMware Cloud on AWS product documentation.
VMware Cloud Director (vCD) cloud account credentials
This section describes the credentials that are required to add a VMware Cloud Director (vCD) cloud account.
Setting | Selection |
---|---|
Access All Organization vDCs | All |
Catalog |
|
General |
|
Metadata File Entry | Create/Modify |
Organization Network |
|
Organization vDC Gateway |
|
Organization vDC |
|
Organization |
|
Quota Policy Capabilities | View |
VDC Template |
|
vApp Template / Media |
|
vApp Template |
|
vApp |
|
vDC Group |
|
VMware Aria Operations integration credentials
This section describes the credentials that are required to integrate with VMware Aria Operations. Note that these credentials are established and configured in VMware Aria Operations, not in VMware Aria Automation.
Provide a local or non-local login account to VMware Aria Operations with the following read privileges.
- Adapter Instance vCenter Adapter > VC Adapter Instance for vCenter-FQDN
A non-local account might need to be imported first, before you can assign its read-only role.
NSX integration with Microsoft Azure VMware Solution (AVS) for VMware Aria Automation
For information about connecting NSX running on Microsoft Azure VMware Solution (AVS) to VMware Aria Automation, including configuring custom roles, see NSX-T Data Center cloudadmin user permissions in Microsoft product documentation.