  • 1.  Requirements for Using PowerCLI and vCO

    Posted Mar 24, 2014 03:42 PM


    As per this article:

    vCO PowerShell plug-in | VMware vCenter Orchestrator Blog - VMware Blogs

    I understand that I need to have a local Windows user account on the powershell host that will be used to run my powercli script from vCO when it connects through winRM.

    However, it doesn't say what permissions that account needs to have.  Does that need to be a local administrator account?  From a security perspective, if I follow the principle of "least privilege", what would be the Local Windows Group that I should assign this account to, that will still allow my PowerCLI script to run?

    If the security team needs proof, are these required permissions documented anywhere?

    Thanks!



  • 2.  RE: Requirements for Using PowerCLI and vCO

    Posted Mar 24, 2014 04:35 PM

    If you are concerned about the security permissions, wouldn't it then be better to go for "Per User Session"?

    And in that case, the permissions of the logged on user determine what you can do via a PowerShell script in vCO?

    The required permissions depend on what you want to do via vCO, and, in my understanding, there the same principles as for normal PowerCLI would play.



  • 3.  RE: Requirements for Using PowerCLI and vCO

    Posted Mar 24, 2014 06:22 PM

    ok - so I'm not sure I know which option I want.  For example, right now I'm running the workflow to "Add a PowerShell Host" in vCO. 

    I can choose a session mode of "Session Per User" or "Shared Session".  If I choose "Session Per User" when adding a powershell host, is that host still added when someone else tries to run a powershell workflow? 



  • 4.  RE: Requirements for Using PowerCLI and vCO

    Posted Mar 24, 2014 07:24 PM

    As far as I understand it, these are 2 different things.

    The setup of the PowerShell host is one thing, that is done via the account you are running the vCO with when you add it.

    The running of scripts via this PowerShell host in Per User Session is done with the account that triggers the flow that has the PowerShell script.

    Btw, I would go for Kerberos authentication.

    See [vCO PowerShell plugin] How to set up and use Kerberos authentication



  • 5.  RE: Requirements for Using PowerCLI and vCO

    Posted Mar 24, 2014 10:14 PM

    OK great.  Kerberos Authentication looks like a cleaner solution, and would solve my problem, which is having to create a local Windows User account just to add the powershell host to vCO.  However, the problem is that the setup for Kerberos looks very confusing.  It isn't clear exactly what is supposed to be in the Kerberos krb5.conf file.  It looks like I could spend hours trying to figure that out.  The example in the post doesn't really explain it fully, it points you to another reference, which is not clear at all.

    Is there a short, concise example of a krb5.conf file, designed specifically for an environment with VCO and Active Directory, where VCO is connecting to a powershell host, that someone has made to work successfully?
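
A minimal krb5.conf for a single Active Directory domain, of the kind asked about in post 5. This is an added example, not taken from the thread or from VMware's documentation. EXAMPLE.COM, example.com and the dc01/dc02 host names are placeholders for the AD domain and its domain controllers.

```ini
# Constructed example. Replace EXAMPLE.COM / example.com and the dc01/dc02
# names with your own Active Directory domain and domain controllers.

[libdefaults]
# The Kerberos realm is the AD DNS domain name written in UPPER CASE.
# Realm names are case-sensitive, so "example.com" here would not match.
default_realm = EXAMPLE.COM
# Use TCP for KDC traffic. AD tickets carry group membership data and are
# frequently too large for a single UDP datagram.
udp_preference_limit = 1

[realms]
EXAMPLE.COM = {
# Domain controllers are the KDCs (port 88). List more than one so that
# authentication still works when a single DC is unreachable.
kdc = dc01.example.com
kdc = dc02.example.com
default_domain = example.com
}

[domain_realm]
# Map host DNS names to the realm. The PowerShell host's FQDN must fall
# under one of these entries so a ticket for it is requested in EXAMPLE.COM.
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
```

Kerberos identifies the target by name, so the PowerShell host has to be addressed by its fully qualified DNS name rather than an IP address, and the clocks of the client and the domain controllers must agree to within the domain's allowed skew (five minutes by default in Active Directory).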



  • 6.  RE: Requirements for Using PowerCLI and vCO

    Posted Mar 25, 2014 06:20 AM