
Quick Tip - Accessing the VM Console for VMs deployed using vSphere with Tanzu VM Service

05.20.2021 by William Lam

One constraint of the new vSphere with Tanzu VM Service, which was introduced in vSphere 7.0 Update 2a, is that the VM Console of the deployed VM is not accessible by end users, including vSphere Administrators.


When things are working fine, this is generally not needed, but when something goes wrong and you need to debug or troubleshoot guest customization or networking issues, having access to the VM Console is a must! In speaking with the VM Service PM, this is already being tracked in their backlog and hopefully we will have a solution for this in the future.

For now, there is a quick workaround, which I have personally used while deploying Nested ESXi VMs using the VM Service. Since this question has come up a few times now, I wanted to document the specific instructions and make it easy for anyone who may have a need for this. 100% credit goes to Florian Grehl, who shared this solution on his blog, but on a completely unrelated topic.

UPDATE (05/20/21) - Florian also shared via Twitter another, quicker way to access the VM Console: if you have direct ESXi host access, you can access the VM Console that way as well. I am usually logged into vCenter Server anyhow, so I prefer the method outlined below.

Step 1 - SSH to the VCSA and run the following snippet, which will automatically retrieve the root password for the Supervisor Cluster, print it to the console and then initiate an SSH session to one of the Supervisor Cluster nodes. This is needed because we need to log in to the Supervisor Cluster to retrieve the credentials for an account that can log in to the vSphere UI and open the VM Console.

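# Decrypt the Supervisor Cluster credentials stored on the VCSA
SV_DECRYPT_OUTPUT=$(/usr/lib/vmware-wcp/decryptK8Pwd.py)
# ${SV_DECRYPT_OUTPUT} is left unquoted on purpose: word splitting flattens the output onto one line for awk
SV_CLUSTER_IP=$(echo ${SV_DECRYPT_OUTPUT} | awk -F 'IP: ' '{print $2}' | awk '{print $1}')
SV_CLUSTER_ROOT_PASSWORD=$(echo ${SV_DECRYPT_OUTPUT} | awk -F 'PWD: ' '{print $2}' | awk '{print $1}')
# Print the root password to the console, then open the SSH session
echo -e "\n${SV_CLUSTER_ROOT_PASSWORD}\n"
ssh root@"${SV_CLUSTER_IP}"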


Step 2 - Once logged into the Supervisor Cluster, run the following snippet to retrieve the credentials that can then be used to log in to the vSphere UI.

# Read the VM Service account's vCenter credentials from the Kubernetes secret and base64-decode them
VM_SERVICE_ACCOUNT_USERNAME=$(kubectl get secrets wcp-vmop-sa-vc-auth -n vmware-system-vmop -o jsonpath='{.data.username}' | base64 -d)
VM_SERVICE_ACCOUNT_PASSWORD=$(kubectl get secrets wcp-vmop-sa-vc-auth -n vmware-system-vmop -o jsonpath='{.data.password}' | base64 -d)
# Print the password first, then the username
echo -e "\n${VM_SERVICE_ACCOUNT_PASSWORD}\n${VM_SERVICE_ACCOUNT_USERNAME}\n"


Note: The credentials for this service account are automatically rotated every 12 hours. If you need access for longer, you will need to repeat these steps.

Step 3 - Finally, open a browser to your vCenter Server and log in using the credentials from the previous step, and you will now be able to access the VM Console of the VM that was deployed by the VM Service.
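
The Step 1 snippet flattens the decrypt output and takes the first IP and password it finds. As an added example (not from the original post or from VMware), the functions below parse the same `IP: ` / `PWD: ` markers block by block and select a record by IP, which goes beyond the post's single-cluster case. The `Cluster: ` line, the separator lines and every value in the sample are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Constructed sample: only the "IP: " and "PWD: " markers come from the page's
# awk commands; the "Cluster: " line, separators and all values are assumptions.
SAMPLE_OUTPUT='Read key from file

Connected to PSQL

Cluster: domain-c8:example-1111
IP: 192.0.2.10
PWD: constructed-pass-one
------------------------------------------------------------
Cluster: domain-c9:example-2222
IP: 192.0.2.20
PWD: constructed-pass-two
------------------------------------------------------------'

# Read decrypt output on stdin; print one "cluster<TAB>ip<TAB>password" record
# per block. substr() keeps the whole value after the marker, so a password
# containing spaces is not truncated to its first word.
parse_sv_records() {
  awk '
    /^Cluster: / { cluster = substr($0, 10) }
    /^IP: /      { ip = substr($0, 5) }
    /^PWD: /     { printf "%s\t%s\t%s\n", cluster, ip, substr($0, 6)
                   cluster = ""; ip = "" }
  '
}

# Number of Supervisor Cluster records found on stdin.
sv_cluster_count() {
  parse_sv_records | awk 'END { print NR }'
}

# Print field $2 (1 = cluster, 2 = IP, 3 = password) of the record whose IP is $1.
# Exits non-zero when no record matches, so a caller never runs "ssh root@"
# with an empty address.
sv_field_for_ip() {
  parse_sv_records |
    awk -F '\t' -v want="$1" -v f="$2" \
      '$2 == want { print $f; found = 1 } END { exit !found }'
}

# Assumed usage on the VCSA:
#   /usr/lib/vmware-wcp/decryptK8Pwd.py | sv_field_for_ip 192.0.2.20 3
```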


Comments

  1. *protectedmasanara says

    05/21/2021 at 3:44 am

    The images of step2 and step3 seem to be opposite.

    • William Lam says

      05/21/2021 at 6:03 am

      Thanks! Fixed
