WilliamLam.com


Minimum vSphere privileges to install or remove patch from ESXi

04.18.2024 by William Lam

I recently got a question from our field inquiring about the minimum vSphere privileges that would be required to either install or remove a patch (VIB/Component) from an ESXi host. The customer was interested in using PowerCLI and specifically the ESXCLI interface to automate the installation and removal of a VIB and wanted to create a custom vSphere Role with the minimum privileges, which can be done with vCenter Server or even a standalone ESXi host (properly licensed).

Since I was familiar with the underlying ESXi patch API that is used for these operations, a nice benefit of the vSphere API Reference is that it also lists the specific vSphere Privileges that are required for a given operation and in this case, it is just the Host.Config.Patch privilege.

However, when the customer attempted to create a custom vSphere Role with just this privilege and perform the installation operation, they still received an error as shown in the screenshot below, which was a bit cryptic, but they had assumed it was still permissions related as a full administrative account had worked:

OperationStopped: Response status code does not indicate success: 500 (Internal Server Error)


I had suspected an additional privilege might be needed and I was reminded of this 2013 blog post on the minimum vSphere privilege to query all installed VIB/Components on an ESXi host and figured I'd give that a shot and sure enough, that was the additional vSphere Privilege that was required.

In summary, the following two vSphere Privileges are required if you wish to create a custom vSphere Role:

  • Host.Config.Patch
  • Global.Settings

I was able to manually confirm this by creating a custom vSphere Role on a standalone ESXi host (non-vCenter managed) called "Patching" that contained the privileges listed above. I then used PowerCLI (New-VIPermission) to assign the new vSphere Role to a custom user that I had already created on my ESXi host called "lamw". In the example below, I am installing and removing the USB Native Network Driver for ESXi component.
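The role creation and assignment described above can also be scripted. The following is an added example, not code from the original post: the host name `esxi.example.com` is a placeholder, and granting the permission on the root folder returned by `Get-Folder -NoRecursion` is an assumption about where the permission should live. It also checks that the role holds exactly the two privileges before it is assigned.

```powershell
# Added example. Only the two privilege IDs, the role name "Patching" and the
# user "lamw" come from the post; everything else is an assumption.
$esxiHost  = 'esxi.example.com'          # placeholder host name
$roleName  = 'Patching'
$principal = 'lamw'                      # local ESXi user, must already exist
$required  = 'Host.Config.Patch', 'Global.Settings'

# Connect with an administrative account to define the role
Connect-VIServer -Server $esxiHost -Credential (Get-Credential) | Out-Null

# Resolve the privilege IDs to objects; stop if an ID is unknown on this host
$privileges = Get-VIPrivilege -Id $required -ErrorAction Stop

# Create the role only if it does not exist yet
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privileges
}

# Least-privilege check. Every role automatically carries the System.*
# privileges (Anonymous, Read, View), so those are ignored here.
$missing = $required | Where-Object { $_ -notin $role.PrivilegeList }
$extra   = $role.PrivilegeList |
    Where-Object { $_ -notlike 'System.*' -and $_ -notin $required }
if ($missing -or $extra) {
    throw ("Role '{0}' differs from the expected set. Missing: [{1}] Extra: [{2}]" -f
        $roleName, ($missing -join ', '), ($extra -join ', '))
}

# Grant the role to the user on the root folder (assumed scope)
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate:$true |
    Out-Null

# Show what the user now holds
Get-VIPermission -Principal $principal |
    Select-Object Entity, Principal, Role, Propagate

Disconnect-VIServer -Server $esxiHost -Confirm:$false
```

Re-running the script against an existing "Patching" role fails at the check if someone has since added privileges to it, which makes it usable as a periodic drift check.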


I can now use PowerCLI to log in with this new user and when I perform a patch installation using the example snippet below, I no longer run into the error as you can see from the screenshot below:

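# Run while connected to the ESXi host as the restricted user
$esxcli = Get-ESXCLI -v2
$depot = "/vmfs/volumes/localhost-esx-install-datastore/ESXi703-VMKUSB-NIC-FLING-55634242-component-19849370.zip"
# dryrun = $true only reports what would be installed; the host is not changed
$dryrun = $true
$esxcli.software.component.apply.Invoke(@{depot=$depot;dryrun=$dryrun})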


Lastly, we can also verify that uninstalling the patch with the same user also does not run into any issues as demonstrated with this example below:

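# Run while connected to the ESXi host as the restricted user
$esxcli = Get-ESXCLI -v2
$component = "VMware-vmkusb-nic-fling"
# dryrun = $false, so the component is actually removed
$dryrun = $false
$esxcli.software.component.remove.Invoke(@{component=$component;dryrun=$dryrun})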
