To configure and work with cloud accounts in Cloud Assembly, verify that you have the following credentials.

Required Cloud Account Credentials

Each entry below names a task (To...) and the credentials that task requires (You need...).
Sign up for and log in to Cloud Assembly

A VMware ID.

  • Set up a My VMware account by using your corporate email address.
Connect to VMware Cloud Services services

HTTPS port 443 open to outgoing traffic with access through the firewall to:

  • *.vmwareidentity.com
  • gaz.csp-vidm-prod.com
  • *.vmware.com
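
The egress requirement above is easy to get subtly wrong on a firewall: a wildcard such as *.vmware.com must not be turned into a substring match, and a TLS-intercepting proxy in the path will break the connection even when port 443 is "open". The following added example (not VMware's code) checks both: host_allowed applies the documented patterns with strict label semantics, and check_endpoint completes a verified TLS handshake to a host. The concrete probe hosts under the wildcard entries are assumptions.

```python
"""
Added example, not part of the VMware page: verify outbound HTTPS reachability
to the VMware Cloud Services hosts listed above, and check that a hostname a
firewall rule would permit actually falls inside the documented patterns.
"""
import socket
import ssl

# Allowlist exactly as documented on the page.
ALLOWED_PATTERNS = ["*.vmwareidentity.com", "gaz.csp-vidm-prod.com", "*.vmware.com"]


def host_allowed(host, patterns=ALLOWED_PATTERNS):
    """True if host matches an allowlist entry.

    '*.example.com' matches one or more labels below example.com; it never
    matches the apex 'example.com', 'evil-example.com', or 'example.com.evil'.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    host = host.rstrip(".").lower()
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            suffix = pat[1:]  # "*.vmware.com" -> ".vmware.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pat:
            return True
    return False


def check_endpoint(host, port=443, timeout=5.0):
    """Open a TCP connection and complete a certificate-verified TLS handshake.

    Returns (ok, detail). A failure is DNS, the firewall, or an intercepting
    proxy whose CA is not in the local trust store; that last case is what
    hides behind "port 443 is open but the connection still fails".
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert().get("subject", ()))
                return True, f"{tls.version()} ok, CN={subject.get('commonName', '?')}"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Wildcard entries cannot be probed directly; these hosts are assumed
    # representative members of the documented patterns.
    for h in ["gaz.csp-vidm-prod.com", "console.cloud.vmware.com", "www.vmware.com"]:
        if not host_allowed(h):
            print(f"SKIP {h}: not covered by the documented allowlist")
            continue
        ok, detail = check_endpoint(h)
        print(f"{'PASS' if ok else 'FAIL'} {h}: {detail}")
```

Run it from the machine that hosts the cloud proxy or from the network segment the proxy uses; a FAIL with a certificate verification error points at an intercepting proxy rather than a closed port.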

Add an Amazon Web Services cloud account

Provide a power user account with read and write privileges.
  • 20-character Access Key ID and the corresponding Secret Access Key

Use the access key of a dedicated IAM user created for Cloud Assembly, not the account root user's keys, so that its permissions can be limited and the key rotated independently.

Add a Microsoft Azure cloud account

Configure a Microsoft Azure instance and obtain a valid Microsoft Azure subscription whose subscription ID you can use. See http://www.vaficionado.com/2016/11/using-new-microsoft-azure-endpoint-vrealize-automation-7-2/ for more information about configuring Microsoft Azure and obtaining a subscription ID.

Create an Active Directory application as described in https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal.

Make note of the following information:
  • Subscription ID

    Identifies the Microsoft Azure subscription in which Cloud Assembly creates and manages resources.

  • Tenant ID

    Identifies the Azure Active Directory tenant (directory) that issues tokens for the Active Directory applications you create; it forms part of the authorization endpoint that Cloud Assembly uses.

  • Client application ID

    Identifies the Active Directory application (service principal) that Cloud Assembly authenticates as in your Microsoft Azure account.

  • Client application secret key

    The secret generated for that application and paired with the client application ID. Treat it as a password: the portal shows the value only when it is created, and it is the credential that grants the permissions listed below.

The following permissions are needed for creating and validating Microsoft Azure cloud accounts. Grant them to the application's service principal as a custom role scoped to the subscription rather than assigning the built-in Contributor role, which grants far more than this list:
  • Microsoft Compute
    • Microsoft.Compute/virtualMachines/extensions/write
    • Microsoft.Compute/virtualMachines/extensions/read
    • Microsoft.Compute/virtualMachines/extensions/delete
    • Microsoft.Compute/virtualMachines/deallocate/action
    • Microsoft.Compute/virtualMachines/delete
    • Microsoft.Compute/virtualMachines/powerOff/action
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Compute/virtualMachines/restart/action
    • Microsoft.Compute/virtualMachines/start/action
    • Microsoft.Compute/virtualMachines/write
    • Microsoft.Compute/availabilitySets/write
    • Microsoft.Compute/availabilitySets/read
    • Microsoft.Compute/availabilitySets/delete
    • Microsoft.Compute/disks/delete
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/write
  • Microsoft Network
    • Microsoft.Network/loadBalancers/backendAddressPools/join/action
    • Microsoft.Network/loadBalancers/delete
    • Microsoft.Network/loadBalancers/read
    • Microsoft.Network/loadBalancers/write
    • Microsoft.Network/networkInterfaces/join/action
    • Microsoft.Network/networkInterfaces/read
    • Microsoft.Network/networkInterfaces/write
    • Microsoft.Network/networkInterfaces/delete
    • Microsoft.Network/networkSecurityGroups/join/action
    • Microsoft.Network/networkSecurityGroups/read
    • Microsoft.Network/networkSecurityGroups/write
    • Microsoft.Network/networkSecurityGroups/delete
    • Microsoft.Network/publicIPAddresses/delete
    • Microsoft.Network/publicIPAddresses/join/action
    • Microsoft.Network/publicIPAddresses/read
    • Microsoft.Network/publicIPAddresses/write
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/subnets/delete
    • Microsoft.Network/virtualNetworks/subnets/join/action
    • Microsoft.Network/virtualNetworks/subnets/read
    • Microsoft.Network/virtualNetworks/subnets/write
    • Microsoft.Network/virtualNetworks/write
  • Microsoft Resources
    • Microsoft.Resources/subscriptions/resourcegroups/delete
    • Microsoft.Resources/subscriptions/resourcegroups/read
    • Microsoft.Resources/subscriptions/resourcegroups/write
  • Microsoft Storage
    • Microsoft.Storage/storageAccounts/delete
    • Microsoft.Storage/storageAccounts/listKeys/action
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.Storage/storageAccounts/write

If you are using Microsoft Azure with action-based extensibility, the following Microsoft Web permissions are required in addition to the minimal permissions above:
  • Microsoft.Web/sites/read
  • Microsoft.Web/sites/write
  • Microsoft.Web/sites/delete
  • Microsoft.Web/sites/config/read
  • Microsoft.Web/sites/config/write
  • Microsoft.Web/sites/config/list/action
  • Microsoft.Web/sites/publishxml/action
  • Microsoft.Web/serverfarms/write
  • Microsoft.Web/serverfarms/delete
  • Microsoft.Web/sites/hostruntime/functions/keys/read
  • Microsoft.Web/sites/hostruntime/host/read
  • Microsoft.web/sites/functions/masterkey/read
If you are using action-based extensibility with virtual machine extensions, the following Microsoft Compute permissions must also be present (they are part of the minimal set above, so verify that they were not trimmed from the role):
  • Microsoft.Compute/virtualMachines/extensions/write
  • Microsoft.Compute/virtualMachines/extensions/read
  • Microsoft.Compute/virtualMachines/extensions/delete
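
The permission list above is long enough that most people fall back on the built-in Contributor role. The following added example (not VMware's code) turns the list into a custom role definition in the JSON shape `az role definition create` accepts, and prints the `az` commands that create the role and a service principal bound to it at subscription scope. The `az ad sp create-for-rbac` output (appId, password, tenant) supplies the client application ID, client secret and tenant ID the table asks you to note. The role name, service principal name, output file name and the placeholder subscription ID are assumptions.

```python
"""
Added example (not VMware's code): build a least-privilege Azure custom role
from the permissions listed above and print the az CLI commands that create
the role and a service principal bound to it at subscription scope.
"""
import json
import sys

# Permissions from the section above, grouped by operation prefix so the
# table stays readable; expand() rebuilds the full operation strings.
MINIMAL = {
    "Microsoft.Compute/virtualMachines/": [
        "read", "write", "delete", "deallocate/action", "powerOff/action",
        "restart/action", "start/action",
        "extensions/read", "extensions/write", "extensions/delete",
    ],
    "Microsoft.Compute/availabilitySets/": ["read", "write", "delete"],
    "Microsoft.Compute/disks/": ["read", "write", "delete"],
    "Microsoft.Network/loadBalancers/": [
        "read", "write", "delete", "backendAddressPools/join/action"],
    "Microsoft.Network/networkInterfaces/": ["read", "write", "delete", "join/action"],
    "Microsoft.Network/networkSecurityGroups/": ["read", "write", "delete", "join/action"],
    "Microsoft.Network/publicIPAddresses/": ["read", "write", "delete", "join/action"],
    "Microsoft.Network/virtualNetworks/": [
        "read", "write", "subnets/read", "subnets/write", "subnets/delete",
        "subnets/join/action"],
    "Microsoft.Resources/subscriptions/resourcegroups/": ["read", "write", "delete"],
    "Microsoft.Storage/storageAccounts/": ["read", "write", "delete", "listKeys/action"],
}
# Additional permissions for action-based extensibility (Azure Functions hosting).
ABX = {
    "Microsoft.Web/sites/": [
        "read", "write", "delete", "config/read", "config/write",
        "config/list/action", "publishxml/action",
        "hostruntime/functions/keys/read", "hostruntime/host/read",
        "functions/masterkey/read"],
    "Microsoft.Web/serverfarms/": ["write", "delete"],
}


def expand(groups):
    """Turn {prefix: [suffix, ...]} into the full list of operation strings."""
    return [prefix + op for prefix, ops in groups.items() for op in ops]


def build_role(subscription_id, name="Cloud Assembly Operator", abx=False):
    """Custom role definition in the JSON shape `az role definition create` accepts."""
    actions = expand(MINIMAL) + (expand(ABX) if abx else [])
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Least-privilege role for the Cloud Assembly Azure cloud account",
        "Actions": sorted(set(actions)),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def has_wildcard(role):
    """Catch a role that silently became Contributor-equivalent ('*', 'Microsoft.Compute/*')."""
    return any("*" in action for action in role["Actions"])


def az_commands(role, subscription_id, sp_name="cloud-assembly-sp", path="role.json"):
    """Commands to run once the role file is written. The second command prints
    appId (client application ID), password (client secret) and tenant
    (tenant ID), the values the table above asks you to note."""
    return [
        f"az role definition create --role-definition @{path}",
        f'az ad sp create-for-rbac --name {sp_name} --role "{role["Name"]}" '
        f"--scopes /subscriptions/{subscription_id}",
    ]


if __name__ == "__main__":
    # Placeholder subscription ID; pass your own as the first argument,
    # and add --abx when action-based extensibility is in use.
    sub = sys.argv[1] if len(sys.argv) > 1 else "00000000-0000-0000-0000-000000000000"
    role = build_role(sub, abx="--abx" in sys.argv)
    assert not has_wildcard(role)
    with open("role.json", "w") as fh:
        json.dump(role, fh, indent=2)
    print("\n".join(az_commands(role, sub)))
```

Assigning the role at subscription scope is what the Microsoft.Resources/subscriptions/resourcegroups/write permission needs; if you narrow AssignableScopes to a resource group, Cloud Assembly cannot create new resource groups.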

Add a Google Cloud Platform cloud account

The Google Cloud Platform cloud account interacts with the Google Cloud Platform compute engine.

The Project Admin and Owner credentials are required for creating and validating Google Cloud Platform cloud accounts.

The following compute engine permissions are also needed, depending on the actions that the user can take:

  • roles/compute.admin

    Provides full control of all compute engine resources.

  • roles/iam.serviceAccountUser
    Provides access to users who manage virtual machine instances that are configured to run as a service account. Includes the following permissions:
    • compute.*
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
  • roles/compute.imageUser

    Provides permission to list and read images without having other permissions on the image. Granting the compute.imageUser role at the project level gives users the ability to list all images in the project. It also allows users to create resources, such as instances and persistent disks, based on images in the project.

    • compute.images.get
    • compute.images.getFromFamily
    • compute.images.list
    • compute.images.useReadOnly
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
  • roles/compute.instanceAdmin

    Provides permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM settings.

    For users that manage virtual machine instances (but not network or security settings or instances that run as service accounts), grant this role to the organization, folder, or project that contains the instances, or to the individual instances.

    Users that manage virtual machine instances that are configured to run as a service account also need the roles/iam.serviceAccountUser role.

    • compute.acceleratorTypes
    • compute.addresses.get
    • compute.addresses.list
    • compute.addresses.use
    • compute.autoscalers
    • compute.diskTypes
    • compute.disks.create
    • compute.disks.createSnapshot
    • compute.disks.delete
    • compute.disks.get
    • compute.disks.list
    • compute.disks.resize
    • compute.disks.setLabels
    • compute.disks.update
    • compute.disks.use
    • compute.disks.useReadOnly
    • compute.globalAddresses.get
    • compute.globalAddresses.list
    • compute.globalAddresses.use
    • compute.globalOperations.get
    • compute.globalOperations.list
    • compute.images.get
    • compute.images.getFromFamily
    • compute.images.list
    • compute.images.useReadOnly
    • compute.instanceGroupManagers
    • compute.instanceGroups
    • compute.instanceTemplates
    • compute.instances
    • compute.licenses.get
    • compute.licenses.list
    • compute.machineTypes
    • compute.networkEndpointGroups
    • compute.networks.get
    • compute.networks.list
    • compute.networks.use
    • compute.networks.useExternalIp
    • compute.projects.get
    • compute.regionOperations.get
    • compute.regionOperations.list
    • compute.regions
    • compute.reservations.get
    • compute.reservations.list
    • compute.subnetworks.get
    • compute.subnetworks.list
    • compute.subnetworks.use
    • compute.subnetworks.useExternalIp
    • compute.targetPools.get
    • compute.targetPools.list
    • compute.zoneOperations.get
    • compute.zoneOperations.list
    • compute.zones
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
  • roles/compute.instanceAdmin.v1
    Provides full control of compute engine instances, instance groups, disks, snapshots, and images. Also provides read access to all compute engine networking resources.
    Note: If you grant a user this role at the instance level, that user cannot create new instances.
    • compute.acceleratorTypes
    • compute.addresses.get
    • compute.addresses.list
    • compute.addresses.use
    • compute.autoscalers
    • compute.backendBuckets.get
    • compute.backendBuckets.list
    • compute.backendServices.get
    • compute.backendServices.list
    • compute.diskTypes
    • compute.disks
    • compute.firewalls.get
    • compute.firewalls.list
    • compute.forwardingRules.get
    • compute.forwardingRules.list
    • compute.globalAddresses.get
    • compute.globalAddresses.list
    • compute.globalAddresses.use
    • compute.globalForwardingRules.get
    • compute.globalForwardingRules.list
    • compute.globalOperations.get
    • compute.globalOperations.list
    • compute.healthChecks.get
    • compute.healthChecks.list
    • compute.httpHealthChecks.get
    • compute.httpHealthChecks.list
    • compute.httpsHealthChecks.get
    • compute.httpsHealthChecks.list
    • compute.images
    • compute.instanceGroupManagers
    • compute.instanceGroups
    • compute.instanceTemplates
    • compute.instances
    • compute.interconnectAttachments.get
    • compute.interconnectAttachments.list
    • compute.interconnectLocations
    • compute.interconnects.get
    • compute.interconnects.list
    • compute.licenseCodes
    • compute.licenses
    • compute.machineTypes
    • compute.networkEndpointGroups
    • compute.networks.get
    • compute.networks.list
    • compute.networks.use
    • compute.networks.useExternalIp
    • compute.projects.get
    • compute.projects.setCommonInstanceMetadata
    • compute.regionBackendServices.get
    • compute.regionBackendServices.list
    • compute.regionOperations.get
    • compute.regionOperations.list
    • compute.regions
    • compute.reservations.get
    • compute.reservations.list
    • compute.resourcePolicies
    • compute.routers.get
    • compute.routers.list
    • compute.routes.get
    • compute.routes.list
    • compute.snapshots
    • compute.sslCertificates.get
    • compute.sslCertificates.list
    • compute.sslPolicies.get
    • compute.sslPolicies.list
    • compute.sslPolicies.listAvailableFeatures
    • compute.subnetworks.get
    • compute.subnetworks.list
    • compute.subnetworks.use
    • compute.subnetworks.useExternalIp
    • compute.targetHttpProxies.get
    • compute.targetHttpProxies.list
    • compute.targetHttpsProxies.get
    • compute.targetHttpsProxies.list
    • compute.targetInstances.get
    • compute.targetInstances.list
    • compute.targetPools.get
    • compute.targetPools.list
    • compute.targetSslProxies.get
    • compute.targetSslProxies.list
    • compute.targetTcpProxies.get
    • compute.targetTcpProxies.list
    • compute.targetVpnGateways.get
    • compute.targetVpnGateways.list
    • compute.urlMaps.get
    • compute.urlMaps.list
    • compute.vpnTunnels.get
    • compute.vpnTunnels.list
    • compute.zoneOperations.get
    • compute.zoneOperations.list
    • compute.zones
    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • serviceusage.quotas.get
    • serviceusage.services.get
    • serviceusage.services.list
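
Before registering a GCP principal as the cloud account, it is worth confirming what it actually holds rather than what someone believes was granted. The following added example (not VMware's code) audits a project IAM policy, in the shape `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, for one principal: which of the roles listed above it holds, which it does not, whether it holds a broad primitive role such as roles/owner, and which bindings carry an IAM condition and so apply only sometimes. The sample policy, project ID and principal names are constructed for the demo.

```python
"""
Added example, not part of the VMware page: audit a GCP project IAM policy
for the principal you intend to register as the GCP cloud account.
"""
import json
import sys

# Roles named in the section above.
CLOUD_ACCOUNT_ROLES = {
    "roles/compute.admin",
    "roles/iam.serviceAccountUser",
    "roles/compute.imageUser",
    "roles/compute.instanceAdmin",
    "roles/compute.instanceAdmin.v1",
}
# Primitive roles that grant far more than the cloud account needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample in the shape gcloud prints: the service account holds two
# roles outright and a third only under an IAM condition.
SA = "serviceAccount:cloud-assembly@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwYExampleEtag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/compute.admin", "members": [SA]},
        {"role": "roles/iam.serviceAccountUser",
         "members": [SA, "user:dev@example.com"]},
        {"role": "roles/compute.imageUser", "members": [SA],
         "condition": {"title": "office-hours",
                       "expression": "request.time.getHours('Europe/Berlin') < 18"}},
    ],
}


def audit_member(policy, member):
    """Classify every binding that names `member`.

    Conditional bindings are reported separately instead of counted as
    granted: the condition may be false at the moment the cloud account
    makes its API calls, which shows up as intermittent validation failures.
    """
    granted, broad, conditional, other = set(), set(), set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if "condition" in binding:
            conditional.add(role)
        elif role in BROAD_ROLES:
            broad.add(role)
        elif role in CLOUD_ACCOUNT_ROLES:
            granted.add(role)
        else:
            other.add(role)
    return {
        "granted": granted,
        "not_granted": CLOUD_ACCOUNT_ROLES - granted,
        "broad": broad,
        "conditional": conditional,
        "other": other,
    }


def report(result):
    """Human-readable lines; broad roles come first because they make the
    rest of the grant moot."""
    lines = []
    if result["broad"]:
        lines.append("WARN broad roles: " + ", ".join(sorted(result["broad"])))
    for key in ("granted", "conditional", "not_granted", "other"):
        if result[key]:
            lines.append(f"{key}: " + ", ".join(sorted(result[key])))
    return lines


if __name__ == "__main__":
    # Usage: python audit_gcp_iam.py policy.json serviceAccount:NAME@PROJECT.iam.gserviceaccount.com
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            policy, member = json.load(fh), sys.argv[2]
    else:
        policy, member = SAMPLE_POLICY, SA
    print("\n".join(report(audit_member(policy, member))))
```

The not_granted set is informational: the section above says which roles apply depends on the actions the user takes, so treat it as a checklist to compare against what you expect, not as a list of roles to add blindly.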

Add an NSX-T cloud account

Provide an account with read and write privileges, and the following:
  • NSX-T Enterprise Administrator role and access credentials
  • NSX-T IP address or FQDN
  • Permissions required to install a cloud proxy on the vCenter Server instance that manages this NSX-T instance

Administrators also require access to the vCenter Server as described in the following vSphere agent requirements for vCenter-based cloud accounts section on this page.

Add an NSX-V cloud account

Provide an account with read and write privileges, and the following:
  • NSX-V Enterprise Administrator role and access credentials
  • NSX-V IP address or FQDN
  • Permissions required to install a cloud proxy on the vCenter Server instance that manages this NSX-V instance

Administrators also require access to the vCenter Server as described in the following vSphere agent requirements for vCenter-based cloud accounts section on this page.

Add a vCenter cloud account

Provide an account with read and write privileges, and the following:
  • vCenter IP address or FQDN
  • Permissions required to install a cloud proxy on the vCenter Server

Administrators also require access to the vCenter Server as described in the following vSphere agent requirements for vCenter-based cloud accounts section on this page.

Add a VMware Cloud on AWS cloud account

Provide an account with read and write privileges, and the following:
  • The cloudadmin@vmc.local account or any user account in the CloudAdmin group
  • NSX Enterprise Administrator role and access credentials
  • NSX Cloud Admin access to your organization's VMware Cloud on AWS SDDC environment
  • Administrator access to your organization's VMware Cloud on AWS SDDC environment
  • An API token for your organization's VMware Cloud on AWS service
  • vCenter IP address or FQDN
  • Permissions required to install a cloud proxy on the vCenter Server

Administrators also require access to the vCenter that is used by your target VMware Cloud on AWS SDDC that has all the permissions listed in the following vSphere agent requirements for vCenter-based cloud accounts section on this page.

For more information about the permissions needed to create and use VMware Cloud on AWS cloud accounts, see Privileges Reference for CloudAdmin and CloudGlobalAdmin in VMware Cloud on AWS product documentation.

vSphere agent requirements for vCenter-based cloud accounts

The following table lists the permissions needed to manage VMware Cloud on AWS and vCenter cloud accounts. The permissions must be enabled for all clusters in the vCenter Server, not just clusters that host endpoints.

For all vCenter Server-based cloud accounts (NSX-V, NSX-T, vCenter, and VMware Cloud on AWS), the administrator needs vSphere endpoint credentials, or the credentials under which the agent service runs in vCenter, that provide administrative access to the host vCenter Server.

For more information about vSphere agent requirements, see VMware vSphere product documentation.

Table 1. Permissions Required for vSphere Agent to Manage vCenter Server Instance
Attribute Value / Permission
Datastore
  • Allocate space
  • Browse datastore
Datastore Cluster
  • Configure a datastore cluster
Folder
  • Create folder
  • Delete folder
Global
  • Manage custom attributes
  • Set custom attribute
Network
  • Assign network
Permissions
  • Modify permission
Resource
  • Assign VM to Res Pool
  • Migrate powered off virtual machine
  • Migrate powered on virtual machine
Content Library - Content Library Administrator
  • Add library item
  • Create local library
  • Create subscribed library
  • Delete library item
  • Delete local library
  • Delete subscribed library
  • Download files
  • Evict library item
  • Evict subscribed library
  • Probe subscription information
  • Read storage
  • Sync library item
  • Sync subscribed library
  • Type introspection
  • Update configuration settings
  • Update files
  • Update library
  • Update library item
  • Update local library
  • Update subscribed library
  • View configuration settings
Tags - Tagging Administrator
  • Assign or unassign vSphere tag
  • Create a vSphere tag
  • Create a vSphere tag category
  • Delete vSphere tag
  • Delete vSphere tag category
  • Edit vSphere tag
  • Edit vSphere tag category
  • Modify UsedBy field for category
  • Modify UsedBy field for tag
Virtual Machine - Inventory
  • Create from existing
  • Create new
  • Move
  • Remove
Virtual Machine - Interaction
  • Configure CD media
  • Console interaction
  • Device connection
  • Power off
  • Power on
  • Reset
  • Suspend
  • Tools install
Virtual Machine - Configuration
  • Add existing disk
  • Add new disk
  • Add or remove
  • Remove disk
  • Advanced
  • Change CPU count
  • Change resource
  • Extend virtual disk
  • Disk change tracking
  • Memory
  • Modify device settings
  • Rename
  • Set annotation
  • Settings
  • Swapfile placement
Virtual Machine - Provisioning
  • Customize
  • Clone template
  • Clone virtual machine
  • Deploy template
  • Read customization specs
Virtual Machine - State
  • Create snapshot
  • Remove snapshot
  • Revert to snapshot