Restrict the VMware Aria Automation and VMware Aria Automation Orchestrator Service Accounts Access to the Management Domain for Private Cloud Automation for VMware Cloud Foundation

Restrict access for the VMware Aria Automation and VMware Aria Automation Orchestrator to vSphere integration service accounts to the management domain vCenter Server inventory.

This procedure is not applicable to VMware Cloud Foundation 5.x with isolated workload domains. You perform this procedure if your environment uses an earlier version of VMware Cloud Foundation.

UI Procedure

Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui as [email protected].
From the Hosts and clusters inventory, select the management domain vCenter Server, and click the Permissions tab.
Select the service account for VMware Aria Automation to vSphere integration and click the Change role icon.
In the Change role dialog box, from the Role drop-down menu, select No Access, select the Propagate to children check box, and click OK.
Repeat steps 3 and 4 for the service account for VMware Aria Automation Orchestrator to vSphere integration.

PowerShell Procedure

Start PowerShell.

Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$domainAlias = "SFO"
$assemblerServiceAccount = "svc-vra-vsphere"
$orchestratorServiceAccount = "svc-vro-vsphere"

Perform the configuration for the service account for VMware Aria Automation to vSphere integration by running the command in the PowerShell console.

Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $assemblerServiceAccount -role "NoAccess"

Perform the configuration for the service account for VMware Aria Automation Orchestrator to vSphere integration by running the command in the PowerShell console.

Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $orchestratorServiceAccount -role "NoAccess"