VMware recommends that you follow these practices for creating secure IaaS user roles before installing VMware Tanzu Operations Manager.
The connection between Tanzu Operations Manager and IaaS providers requires IaaS accounts with appropriate permissions. These accounts act on behalf of the operator to access IaaS functionality, such as creating VMs, managing networks and storage, and other related services.
Tanzu Operations Manager and VMware Tanzu Application Service for VMs (TAS for VMs) can be configured with IaaS users in different ways, depending on your IaaS. Other product tiles and services might also use their own IaaS credentials. Refer to the documentation for those product tiles or services to configure them securely.
VMware recommends following the principle of least privilege by scoping each role to the most restrictive set of permissions that still lets it do its job. If credentials are exposed, whether by accident or through malicious activity, least-privileged users (LPUs) limit the scope of the breach. VMware also recommends following the established best practices for the particular IaaS you are deploying to.
| IaaS | Guidelines |
|---|---|
| AWS | AWS permissions guidelines |
| Azure | Preparing to deploy Tanzu Operations Manager on Azure. Use the minimum permissions necessary when creating your service principal. |
| GCP | Use one account with the minimum permissions required to create the desired GCP resources in your GCP project, then create a separate service account with the minimum permissions required to deploy TAS for VMs and other tiles. For more information about creating the service account, see Step 1: Set up IAM Service Accounts in Preparing to Deploy Tanzu Operations Manager on GCP. |
| OpenStack | Use the principle of Least Privileged Users. |
| vSphere | See Installing Tanzu Operations Manager on vSphere. |
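The least-privilege principle described above can be checked mechanically before an IaaS account is handed to Tanzu Operations Manager. The script below is an added example, not VMware's code and not VMware's published AWS permissions policy: it audits an IAM-style JSON policy document for Allow statements that are broader than a deployer role needs (wildcard actions, service-wide wildcards such as `ec2:*`, and wildcard resources). The two policy documents, the account ID and the bucket name in them are constructed for the example and do not represent the permissions Tanzu Operations Manager actually requires.

```python
import json

# Constructed sample policies (not VMware's published policy). BROAD_POLICY is the
# kind of grant operators create "to make it work"; SCOPED_POLICY is a narrower
# grant for the same deployer role. The account ID and bucket name are placeholders.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-opsman-bucket/*",
        },
    ],
})

# A statement that is scoped by resource but still grants every action in one service.
SERVICE_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
    },
})


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return a list of (statement_index, field, reason) findings for Allow
    statements that are broader than least privilege. An empty list means the
    document contains no wildcard grants of the kinds checked here."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they are not findings
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((idx, "action", "grants every action in every service"))
            elif action.endswith(":*"):
                service = action.split(":", 1)[0]
                findings.append((idx, "action", f"grants every action in service {service}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "resource", "applies to every resource in the account"))
    return findings


def is_least_privilege(policy_json):
    """True when the audit produces no findings."""
    return not audit_policy(policy_json)


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY),
                      ("service-wildcard", SERVICE_WILDCARD_POLICY)):
        print(f"{name}: least privilege = {is_least_privilege(doc)}")
        for idx, field, reason in audit_policy(doc):
            print(f"  statement {idx} {field}: {reason}")
```

The check is deliberately syntactic: it only proves that a document contains no wildcard grants, not that the remaining actions are the minimum a tile needs. Use it as a gate in the pipeline that creates IaaS accounts, and pair it with the IaaS-specific guidance in the table above to decide which concrete actions belong in the policy.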