Ansible playbook errors with permissions

    Posted Nov 10, 2022 09:43 AM

    Hello

    We are trying to run an Ansible playbook from our Ansible management server (not Tower) against our vCenter, and it is failing. The script clones an existing template to a VM and places it on a specific datastore and in a specific folder. I have set the permissions as restrictively as possible; they are detailed below.

    If I complete the task by logging into vCenter with the Ansible service account, I am able to complete it successfully. However, when I run the playbook below, it fails with the following error:

    "msg": "Failed to clone virtual machine XXXXXXX to folder 'vim.Folder:group-v287685' due to permission issue: Permission to perform this operation was denied."

    If I give the user account Administrator privileges over the whole vCenter, the script works. Below is a subset of the script; I have commented on the permissions our service account has at each level.

    - name: Clone the template
      vmware_guest:
        hostname: "vCenter.xxxx.local"        # service account has RO permissions to this object and its children
        username: "{{ credentials.vmware_username }}"
        password: "{{ credentials.vmware_password }}"
        datacenter: DC1X                      # service account has Administrator permissions to this object ONLY
        cluster: WCL1                         # service account has Administrator permissions to this object and its children
        validate_certs: False                 # disables TLS certificate verification for the vCenter connection
        name: "VM-{{ tier }}-{{ servertype }}{{ item.0 }}"
        template: "Template1"                 # service account has Administrator permissions to this object and its children
        datastore: "Datastore1"               # service account has Administrator permissions to this object and its children
        folder: "Location/vm/Customer/Customer-Templates/"   # service account has Administrator permissions to this object ONLY
        state: poweredon
        hardware:
          num_cpus: "{{ inventory[servertype].cpus }}"
          memory_mb: "{{ inventory[servertype].memory }}"
        networks:
          - name: "{{ network[tier][servertype].net_name }}"
            ip: "{{ item.1 }}"
            netmask: "{{ network[tier][servertype].subnet }}"    # subnet mask (the .subnet and .gateway values were swapped)
            gateway: "{{ network[tier][servertype].gateway }}"   # default gateway
        disk:
          - size_gb: "{{ network[tier][servertype].disk1 }}"
            unit_number: 0
          - size_gb: "{{ network[tier][servertype].disk2 }}"
            unit_number: 1
      loop: "{{ serv_sequence | product(ip_list) | list }}"


    Can someone please tell us what we need to add to allow the service account to clone the VM via the script when it works via the GUI?

    Thanks
    Sam
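A way to narrow down which object is denying the clone, as an added example that is not part of the original post or of the vmware_guest module: log in to vCenter with the same service account the playbook uses and ask the AuthorizationManager whether that session holds the privileges a clone needs on each object the clone touches (source template, destination folder, datastore, cluster). The privilege IDs are the ones VMware documents for cloning a VM; the inventory paths are assumptions modelled on the object names in the playbook and must be adjusted to your datacenter layout. Only pyVmomi is required.

```python
"""Report which clone-related privileges a vCenter session is missing, per object.

Added example (not from the original post). Assumes pyVmomi is installed and
that the inventory paths in CLONE_CHECKS match your datacenter; adjust them.
"""

# Each check: (label, inventory path as seen by searchIndex, privilege IDs that
# vCenter evaluates on that object when cloning). Paths are assumptions.
CLONE_CHECKS = [
    ("template",  "DC1X/vm/Template1",                   ["VirtualMachine.Provisioning.Clone"]),
    ("folder",    "DC1X/vm/Customer/Customer-Templates", ["VirtualMachine.Inventory.CreateFromExisting"]),
    ("datastore", "DC1X/datastore/Datastore1",           ["Datastore.AllocateSpace"]),
    ("cluster",   "DC1X/host/WCL1",                      ["Resource.AssignVMToPool"]),
]


def missing_privileges(entity_privileges):
    """Pure helper so the evaluation can be tested offline.

    entity_privileges: list of (label, [(privId, isGranted), ...]) as returned
    by HasPrivilegeOnEntities, flattened to plain tuples.
    Returns {label: [privId, ...]} containing only privileges that are NOT granted.
    """
    missing = {}
    for label, availability in entity_privileges:
        denied = [priv for priv, granted in availability if not granted]
        if denied:
            missing[label] = denied
    return missing


def check_session_privileges(host, username, password, checks=CLONE_CHECKS, validate_certs=True):
    """Connect as the service account and evaluate every check against the live session."""
    import ssl
    from pyVim.connect import SmartConnect, Disconnect

    ssl_ctx = None
    if not validate_certs:
        # Mirrors validate_certs: False in the playbook; prefer a trusted CA in production.
        ssl_ctx = ssl._create_unverified_context()

    si = SmartConnect(host=host, user=username, pwd=password, sslContext=ssl_ctx)
    try:
        content = si.RetrieveContent()
        session_key = content.sessionManager.currentSession.key
        authz = content.authorizationManager
        results = []
        for label, path, privs in checks:
            obj = content.searchIndex.FindByInventoryPath(path)
            if obj is None:
                # Not found, or not visible to this account (no Read on the path);
                # either way treat every privilege on it as unavailable.
                results.append((label, [(p, False) for p in privs]))
                continue
            entity_priv = authz.HasPrivilegeOnEntities(entity=[obj], sessionId=session_key, privId=privs)
            availability = [(pa.privId, pa.isGranted) for pa in entity_priv[0].privAvailability]
            results.append((label, availability))
        return missing_privileges(results)
    finally:
        Disconnect(si)


if __name__ == "__main__":
    import getpass
    # Hypothetical connection details; run with the same account the playbook uses.
    report = check_session_privileges("vCenter.xxxx.local", input("user: "), getpass.getpass(), validate_certs=False)
    for label, privs in report.items():
        print(f"{label}: missing {', '.join(privs)}")
    if not report:
        print("all checked privileges are granted")
```

Any object that appears in the report is where the role assignment is missing, which is more precise than the generic "permission issue" in the module's error message. Remember that the playbook also sets CPU, memory, disks and power state, so once the clone itself is permitted you may still need the corresponding VirtualMachine.Config and VirtualMachine.Interact privileges on the destination.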