vCenter Roles with LDAP credentials in VMware Cloud on AWS

Content level: Advanced

Clarifies the administrative permissions structure of VMC on AWS vCenter

Over the years I have run into a number of issues with customers trying to use LDAP credentials to perform administrative tasks in their VMware Cloud on AWS vCenter Server. I have typically gotten around the problem by having them temporarily use cloudadmin@vmc.local to complete the administrative task. This is fine for many customers, but for a customer with strict auditing controls, you want to avoid using cloudadmin@vmc.local unless it's truly a break-glass situation.

Here is a scenario one of my customers recently encountered.

Setup

You're a vSphere admin trying to replicate the permission set that cloudadmin@vmc.local has, granting an LDAP group the same level of access. You open Global Permissions and find that CloudAdminGroup is granted the CloudAdmin role.

(Screenshot: Cloud Admin Global Permissions)

You naturally expect to give users the same level of access by granting your LDAP group the same role in Global Permissions.

(Screenshot: LDAP group global permissions)

Error

You attempt to log on to a vCenter Server utility with your LDAP credentials, and receive an error message saying it was unable to locate any virtual switches.

You switch to cloudadmin@vmc.local and the utility works.

Troubleshooting

You log in to vCenter as your LDAP user and can't find the distributed virtual switch.


You log in to vCenter as cloudadmin@vmc.local, and you can see the distributed virtual switch.


Explanation

It is not as well-documented as it could be, but the local group CloudAdminGroup has additional privileges granted to it. There is a VMware KB article documenting the behavior: "Customer is missing permissions for a specific LDAP User/Group but Cloudadmin@vmc.local account has the required permissions". It is not possible to adjust the membership of CloudAdminGroup within vCenter, but the required API calls are documented.

Resolution

You could make the raw API calls as demonstrated in the article. However, if you are not particularly API-savvy, Brad Snurka at VMware wrote a nifty PowerCLI script that will do it for you.

Download and run the PowerCLI script. Note that you must have PowerCLI installed in order to run the script.

Enter your VMC on AWS vCenter and the cloudadmin@vmc.local password.

Run a GET command to list all LDAP groups in the CloudAdmin group. I have not run this in my lab before, so it shows up empty, as expected.


Run an ADD command to add an LDAP group to the CloudAdmin group. Note that you must type in the full group@domain name of the group.


Run another GET command to verify that the LDAP group is now visible.


Log in to the VMC on AWS vCenter Server as an LDAP user. The distributed virtual switch is now visible.

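For anyone who would rather see the GET/ADD flow in code than run a downloaded script, here is an added PowerShell example. It is not Brad Snurka's script and not VMware's code; it shows the same session-then-GET-then-ADD-then-GET pattern against the vCenter REST API. The vCenter session endpoint (`/rest/com/vmware/cis/session`) is real; the CloudAdminGroup members path, the HTTP method used for ADD and the request body shape are placeholders that you take from the KB article referenced above. The group name `vsphere-admins@corp.example` is a constructed sample.

```powershell
# Added example, not the article's script. $GroupMembersPath, the ADD method and the body
# shape are assumptions/placeholders: fill them in from the VMware KB article.
param(
    [Parameter(Mandatory)] [string] $VCenter,   # VMC on AWS vCenter FQDN
    [string] $GroupMembersPath = '<CloudAdminGroup members path from the KB article>'
)

# Prompt for cloudadmin@vmc.local interactively so the password is never stored in a
# script, a profile or the shell history; this is the one break-glass use of the account.
$cred  = Get-Credential -UserName 'cloudadmin@vmc.local' -Message 'VMC vCenter cloudadmin password'
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
    "$($cred.UserName):$($cred.GetNetworkCredential().Password)"))

# 1. Open a vCenter REST session (real endpoint) and keep the token for the remaining calls.
$session = Invoke-RestMethod -Method Post -Uri "https://$VCenter/rest/com/vmware/cis/session" `
    -Headers @{ Authorization = "Basic $basic" }
$headers = @{ 'vmware-api-session-id' = $session.value }

function Get-CloudAdminGroupMembers {
    # GET: list the LDAP groups currently nested in CloudAdminGroup.
    Invoke-RestMethod -Method Get -Uri "https://$VCenter$GroupMembersPath" -Headers $headers
}

function Add-CloudAdminGroupMember {
    param([Parameter(Mandatory)] [string] $Group)
    # The article stresses that the full group@domain form is required, so refuse anything
    # else before making a change rather than discovering a silent no-op afterwards.
    if ($Group -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Group must be given as group@domain (got '$Group')"
    }
    $body = @{ member = $Group } | ConvertTo-Json   # body shape is an assumption; check the KB
    Invoke-RestMethod -Method Post -Uri "https://$VCenter$GroupMembersPath" -Headers $headers `
        -ContentType 'application/json' -Body $body   # POST is an assumption; check the KB
}

# 2. GET before, 3. ADD, 4. GET after: the before/after diff is the audit record of the change.
$before = Get-CloudAdminGroupMembers
Add-CloudAdminGroupMember -Group 'vsphere-admins@corp.example'   # constructed sample group
$after  = Get-CloudAdminGroupMembers
Compare-Object -ReferenceObject @($before) -DifferenceObject @($after) | Format-Table

# 5. Close the session so the cloudadmin token does not outlive the task.
Invoke-RestMethod -Method Delete -Uri "https://$VCenter/rest/com/vmware/cis/session" -Headers $headers | Out-Null
```

Save the before/after output together with who ran the script and when; that is the evidence an auditor will ask for to show that cloudadmin@vmc.local was used once, for this one change, and that the LDAP group added is exactly the one intended.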

Published by AWS (Expert), 7 months ago