When users log in to a vCenter Server to manage roles and permissions within a VMware Cloud Foundation (VCF) 9.0 environment, they may notice several accounts that already have vSphere permissions assigned.

This might come as a surprise, especially if you do not recall creating these users, let alone granting them privileges within vCenter Server.
A large majority of the user accounts that you see are internal to the vCenter Server Appliance (VCSA) and represent the different application services running within the VCSA. There are also a handful of VCF accounts that are automatically created to enable communication between the various VCF components, but at the end of the day these are all service accounts that are managed by either vCenter Server or VCF.
With that said, it might be useful to understand which of these accounts are service accounts, so organizations can properly audit their environment for compliance and configuration management.
With VCSA 9.0, we have enhanced the local dir-cli command to include a new svcaccount option that is used to manage these service accounts. While you can SSH to VCSA to perform the "list" operation to see all service accounts, we can indirectly invoke this command using vSphere API and specifically leveraging the Guest Operations API, thus reducing the need to enable SSH.
$vcenterVMName = "vc01"
$vcenterSSOAdminPassword = "VMware1!VMware1!"
$vcenterRootPassword = "VMware1!VMware1!"
# Run dir-cli inside the VCSA guest through the Guest Operations API (no SSH required).
# The root password authenticates the guest operation; the SSO admin password authenticates dir-cli.
Invoke-VMScript -ScriptText "/usr/lib/vmware-vmafd/bin/dir-cli svcaccount list --password ${vcenterSSOAdminPassword}" -vm (Get-VM $vcenterVMName) -GuestUser "root" -GuestPassword $vcenterRootPassword
Here is an example output from a VCF 9.0.1 environment. As you can see, while there are quite a few accounts, only the ones prefixed with svc-* are VCF-managed service accounts, as mentioned in the VCF documentation. The remaining accounts listed are either VCSA internal service accounts or service accounts created by other integrations.

You may have noticed that a number of the accounts end with a common ID; this is also a clue that these are related to the VCSA internal service accounts. Using this common ID, we can filter the list down further, and we can retrieve the ID by reading the file /etc/vmware/install-defaults/sca.hostid within the VCSA filesystem.
Again, we can remotely retrieve this information using the Guest Operations API, and I have created the following PowerCLI script, list_all_vcenter_service_accounts.ps1, that brings it all together into a more usable format.
Here is an example output that breaks out the VCF service accounts, other service accounts and the VCSA internal service accounts.

As you can see from screenshot above, we only have seven VCF service accounts, the rest are internal VCSA service accounts and I do have a few that were created from Data Services Manager (DSM) & NSX Manager based on the labels. Each environment will vary based on the VCF components deployed as well as other 2nd or 3rd party solutions.
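The classification described above (svc-* prefix for VCF accounts, a trailing sca.hostid value for VCSA internal accounts, everything else as "other"), as an added PowerCLI example that is not the post's own list_all_vcenter_service_accounts.ps1 script. It assumes that dir-cli svcaccount list prints one account name per line and that the host ID is appended to the end of the internal account names; both the function names and the sample account list below are constructed for illustration.

```powershell
# Added example, not code from the original post or from VMware.
# Classifies service-account names from "dir-cli svcaccount list" into
# VCF (svc-* prefix), VCSA-Internal (ends with the sca.hostid value) and Other.

function Get-VcsaServiceAccountReport {
    param(
        [Parameter(Mandatory)] [string[]] $AccountNames,
        [Parameter(Mandatory)] [string]   $HostId
    )

    # Anchor the host ID at the end of the name; escape it so regex metacharacters in the ID are literal
    $internalPattern = [regex]::Escape($HostId) + '$'

    foreach ($name in $AccountNames) {
        $trimmed = $name.Trim()
        if (-not $trimmed) { continue }   # skip blank lines from ScriptOutput

        $category = if ($trimmed -like 'svc-*') {
            'VCF'
        } elseif ($trimmed -match $internalPattern) {
            'VCSA-Internal'
        } else {
            'Other'
        }

        [pscustomobject]@{ Account = $trimmed; Category = $category }
    }
}

# Retrieves both inputs remotely through the Guest Operations API, as in the post,
# so SSH on the VCSA can stay disabled. Hypothetical function name.
function Get-VcsaServiceAccountReportRemote {
    param(
        [Parameter(Mandatory)] [string] $VcenterVMName,
        [Parameter(Mandatory)] [string] $SsoAdminPassword,
        [Parameter(Mandatory)] [string] $RootPassword
    )
    $vm = Get-VM -Name $VcenterVMName

    # Host ID that the VCSA internal service accounts share (file path from the post)
    $hostIdResult = Invoke-VMScript -VM $vm -GuestUser 'root' -GuestPassword $RootPassword `
        -ScriptText 'cat /etc/vmware/install-defaults/sca.hostid'
    $hostId = $hostIdResult.ScriptOutput.Trim()

    # Same dir-cli invocation as the post; single quotes keep shell metacharacters in the password literal
    $listResult = Invoke-VMScript -VM $vm -GuestUser 'root' -GuestPassword $RootPassword `
        -ScriptText "/usr/lib/vmware-vmafd/bin/dir-cli svcaccount list --password '$SsoAdminPassword'"
    $names = $listResult.ScriptOutput -split "`r?`n"

    Get-VcsaServiceAccountReport -AccountNames $names -HostId $hostId
}

# Constructed sample input (not real dir-cli output) so the classifier can be exercised offline
$sampleHostId = 'cafe0000-0000-4000-8000-000000000001'
$sampleNames  = @(
    'svc-vcf-vc01',
    'svc-sddc-manager-vc01',
    "vpxd-extension-$sampleHostId",
    "vsphere-webclient-$sampleHostId",
    'dsm-integration-user'
)

Get-VcsaServiceAccountReport -AccountNames $sampleNames -HostId $sampleHostId |
    Sort-Object Category, Account |
    Format-Table -AutoSize
```

Against an actual VCSA, call Get-VcsaServiceAccountReportRemote with the VM name and the two passwords instead of the constructed sample; the output object has an Account and a Category column, so piping it to Group-Object Category gives the per-category counts, and filtering on Category -eq 'Other' isolates the integration-created accounts (DSM, NSX and similar) that are the ones worth reviewing in an audit.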