The CNS vSphere user must have specific privileges to perform operations related to Cloud Native Storage.

You can create several roles to assign sets of permissions on the objects that participate in the Cloud Native Storage environment.
Note: These roles need to be created only for generic Kubernetes clusters. If you work in the vSphere with Tanzu environment, use the Workload Storage Manager role for storage operations.

For more information about roles and permissions in vSphere, and how to create a role, see the vSphere Security documentation.

Role Name Privilege Name Description Required On
CNS-Datastore Datastore > Low level file operations Allows performing read, write, delete, and rename operations in the datastore browser. Shared datastore where persistent volumes reside.
CNS-HOST-CONFIG-STORAGE Host > Configuration > Storage partition configuration Allows vSAN datastore management. Required on a vSAN cluster with vSAN file service. Required for file volume only.
CNS-VM Virtual machine > Change Configuration > Add existing disk Allows adding an existing virtual disk to a virtual machine. All cluster node VMs.
Virtual Machine > Change Configuration > Add or remove device Allows addition or removal of any non-disk device.
CNS-SEARCH-AND-SPBM CNS > Searchable Allows storage administrator to see Cloud Native Storage UI. Root vCenter Server.
VM storage policies > View VM storage policies Allows viewing of defined storage policies.
Read-only Default role Users with the Read Only role for an object are allowed to view the state of the object and details about the object. For example, users with this role can find the shared datastore accessible to all node VMs.

For zone and topology-aware environments, all ancestors of node VMs, such as a host, cluster, and data center must have the Read-only role set for the vSphere user configured to use the CSI driver and CCM. This is required to allow reading tags and categories to prepare the nodes' topology.

All hosts where the nodes VMs reside

Data center