WilliamLam.com


Exploring new VCSA VAMI API w/PowerCLI: Part 10

03.14.2017 by William Lam // 2 Comments

In Part 10, we are going to take a look at local user management for the VAMI interface. By default, only the root local user exists but customers have the option of creating additional accounts. In vSphere 6.5, the VAMI has been enhanced to support different roles such as Admin, Operator and SuperAdmin. You can refer to the VAMI documentation on what each of the roles provides.

VAMI UI Area of Focus

There is no VAMI UI for user management; this is currently only available using the VAMI REST APIs.

VAMI APIs Used

  • GET /appliance/techpreview/localaccounts/user
  • POST /appliance/techpreview/localaccounts/user
  • DELETE /appliance/techpreview/localaccounts/user/{user-id}

PowerCLI Function

  • Get-VAMIUser
  • New-VAMIUser
  • Remove-VAMIUser

Sample Output

To retrieve all VAMI users, use the Get-VAMIUser function. By default, your system will probably only have the root user unless you have already added additional VAMI users.


To create a new user, we will use the New-VAMIUser function, which requires a few input parameters that should be pretty self-explanatory. The role parameter can be one of three values: admin, operator or superAdmin, as defined in the VAMI documentation.

Here is an example of creating a new user called lamw:

New-VAMIUser -name lamw -fullname "William Lam" -role "operator" -email "*protected email*" -password "VMware1!"


If we now re-run our Get-VAMIUser command, we should see the new user that we had just created.


To remove a VAMI user, you simply use the Remove-VAMIUser function and specify the name of the user you wish to remove. Below is an example of deleting the user we had just created.


One thing to note is that the Connect-CisServer cmdlet, when used to interact with the VAMI REST API, currently does not support connecting with local VAMI users, only SSO users. This is a limitation of the PowerCLI implementation and does not affect direct use of the VAMI REST API or using it through other SDKs. This will be resolved in a future update of PowerCLI, but it is something to keep in mind, as I was scratching my head when trying to use a local user to authenticate.
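Because local VAMI accounts can only be managed through the API and have no UI, they are easy to lose track of. The following is an added example, not part of the original post or of the VAMI PowerCLI module, that compares the accounts returned by Get-VAMIUser against an approved baseline. The function name Test-VAMIUserBaseline is hypothetical, and the `Name` and `Role` property names on the Get-VAMIUser output are assumptions.

```powershell
# Added example: flag VAMI local accounts that drift from an approved baseline.
# ASSUMPTION: each object returned by Get-VAMIUser exposes 'Name' and 'Role'.
function Test-VAMIUserBaseline {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]]  $Users,     # output of Get-VAMIUser
        [Parameter(Mandatory)] [hashtable] $Approved   # account name -> approved role
    )
    foreach ($u in $Users) {
        $finding = if (-not $Approved.ContainsKey($u.Name)) {
            'UnexpectedAccount'          # account exists but was never approved
        } elseif ($Approved[$u.Name] -ne $u.Role) {
            'RoleMismatch'               # approved account, different role
        } else {
            'OK'
        }
        [pscustomobject]@{
            Name     = $u.Name
            Role     = $u.Role
            Approved = $Approved[$u.Name]
            Finding  = $finding
        }
    }
    # Approved accounts that are absent from the appliance are reported as well.
    foreach ($name in $Approved.Keys) {
        if ($Users.Name -notcontains $name) {
            [pscustomobject]@{
                Name = $name; Role = $null
                Approved = $Approved[$name]; Finding = 'MissingAccount'
            }
        }
    }
}

# Constructed sample data standing in for Get-VAMIUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ Name = 'root';   Role = 'superAdmin' }
    [pscustomobject]@{ Name = 'lamw';   Role = 'admin' }
    [pscustomobject]@{ Name = 'backup'; Role = 'operator' }
)
$approved = @{ root = 'superAdmin'; lamw = 'operator' }

Test-VAMIUserBaseline -Users $sample -Approved $approved |
    Where-Object Finding -ne 'OK' | Format-Table -AutoSize

# Against a live appliance:
# Test-VAMIUserBaseline -Users (Get-VAMIUser) -Approved $approved
```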

  • Exploring new VCSA VAMI API w/PowerCLI: Part 1
  • Exploring new VCSA VAMI API w/PowerCLI: Part 2
  • Exploring new VCSA VAMI API w/PowerCLI: Part 3
  • Exploring new VCSA VAMI API w/PowerCLI: Part 4
  • Exploring new VCSA VAMI API w/PowerCLI: Part 5
  • Exploring new VCSA VAMI API w/PowerCLI: Part 6
  • Exploring new VCSA VAMI API w/PowerCLI: Part 7
  • Exploring new VCSA VAMI API w/PowerCLI: Part 8
  • Exploring new VCSA VAMI API w/PowerCLI: Part 9
  • Exploring new VCSA VAMI API w/PowerCLI: Part 10

Categories // Automation, PowerCLI, vSphere 6.5 Tags // PowerCLI, vami, vcenter server appliance, vSphere 6.5

PowerCLI module for Proactive HA (including simulation)

03.08.2017 by William Lam // 6 Comments

Proactive HA is a very cool new feature that was introduced in vSphere 6.5, which enables our hardware vendors to communicate their hardware specific health information directly into vSphere and specifically with vSphere DRS. This hardware health information can then be leveraged by vSphere DRS to take proactive actions to guard against potential hardware failures. Brian Graf, Product Manager for Proactive HA, DRS and overall vSphere Availability has a nice blog post here where he goes into more details on how Proactive HA works.

As Brian mentioned, a few of our select hardware vendors are already in the process of developing and certifying Proactive HA integrations for vSphere, so stay tuned for those announcements in the future by both VMware and our partners. In the meantime, there was an interesting comment from one of our field folks asking whether it would be possible to "simulate" the new Quarantine Mode operation for an ESXi host to better understand how this feature might work.

Quarantine Mode is a new mode for ESXi, which can only be triggered by Proactive HA. It functions similarly to the Maintenance Mode operation, but instead of migrating all VMs off, it allows existing VMs to continue to run while preventing additional new VMs from being placed on the host.

Proactive HA does provide a set of public vSphere APIs under the healthUpdateManager which is primarily targeted at our hardware vendors to consume. However, these APIs could also be used by our customers to get visibility into the current Proactive HA configuration as well as the health of the ESXi hosts from the Proactive HA provider standpoint. Going back to our initial question, it is possible to "register" a fake Proactive HA provider and manually generate health updates to simulate what a real Proactive HA solution could look like.

Disclaimer: This is for educational and lab purposes only. Creating a fake or simulated Proactive HA provider is not officially supported by VMware, please use at your own risk. The creation of Proactive HA providers as well as publishing health updates is for our hardware vendors to consume which in turn will provide native integrations that include customer visible interfaces within the vSphere Web Client.


Categories // Automation, PowerCLI, vSphere 6.5 Tags // PowerCLI, Proactive HA, vSphere 6.5, vSphere API

Automating vSphere Global Permissions with PowerCLI

03.06.2017 by William Lam // 6 Comments

vSphere Global Permissions was first introduced in vSphere 6.0, which provides a simple and consistent method for assigning permissions for individual users and/or groups across multiple vCenter Servers joined to the same vCenter Single Sign-On (SSO) Domain. Global permissions works in the same way as traditional vSphere Permissions, but rather than assigning a permission to a specific entity, the association is applied at the root level of the vCenter Server.

The other added benefit, for customers who are using vCenter's Enhanced Linked Mode (ELM), is that the global permission will be available to all vCenter Servers which are part of that ELM configuration. Without global permissions, a customer would have to create and assign a new permission on each and every vCenter Server and ensure that they all match, which can be very error prone.

One downside to using vSphere Global Permissions today is that there is currently not a public API for those wanting to automate the creation and deletion of global permissions. However, as a quick workaround, I have found a way in which you can automate global permission management using the vSphere MOB, which would allow us to use PowerCLI or any other vSphere Automation toolkit for that matter.

UPDATE (04/07/25) - See this updated blog post for listing vSphere Global Permissions.

I have created a simple PowerShell script called GlobalPermissions.ps1 which contains two functions, New-GlobalPermission and Remove-GlobalPermission, which hopefully are self-explanatory in what they do.

To create a new vSphere Global Permission, the function requires the following 6 parameters:

  • vc_server - Hostname or IP of the vCenter Server
  • vc_username - The VC username
  • vc_password - The VC password
  • vc_user - The vSphere User to assign the permission to
  • vc_role_id - The Role ID associated with the vSphere Role within vCenter Server (more on this later)
  • propagate - true or false on whether to propagate the permission

To retrieve the vc_role_id, you simply need access to a vCenter Server and run the following snippet along with the name of the vSphere Role to get its ID. In the example below, the Administrator role is called "Admin" using the vSphere API and the following will return the ID:

(Get-VIRole -Name Admin).ExtensionData.RoleId

Once you have retrieved the vSphere Role ID, here is an example of running the New-GlobalPermission function:

$vc_server = "192.168.1.51"
$vc_username = "*protected email*"
$vc_password = "VMware1!"
$vc_role_id = "-1"
$vc_user = "VGHETTO\lamw"
$propagate = "true"
New-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user -vc_role_id $vc_role_id -propagate $propagate

If the operation was successful, you should be able to login using the vSphere Web Client and refresh the global permissions view and you should see the new permission assignment as shown in the screenshot below.

To remove a global permission, you only need to provide the vCenter Server, its credentials and the user permission you wish to remove:

Remove-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user
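The sample above keeps the vCenter password as a string literal and passes a hand-typed role ID. The following is an added example, not part of GlobalPermissions.ps1, showing one way to wrap New-GlobalPermission so the password comes from a credential prompt, the role ID is resolved by name, and the grant requires confirmation. The wrapper name New-GlobalPermissionSafe and the server, user and role values in the usage comment are assumptions.

```powershell
# Added example, not part of GlobalPermissions.ps1. Assumes that script has been
# dot-sourced and Connect-VIServer has already been run (Get-VIRole needs a session).
function New-GlobalPermissionSafe {    # hypothetical wrapper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]       $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string]       $User,
        [Parameter(Mandatory)] [string]       $RoleName,
        [bool] $Propagate = $false
    )
    # Resolve the role by name so a mistyped or stale numeric ID is never applied.
    $role = @(Get-VIRole -Name $RoleName -ErrorAction Stop)
    if ($role.Count -ne 1) {
        throw "Role name '$RoleName' matched $($role.Count) roles; expected exactly 1."
    }
    $roleId = $role[0].ExtensionData.RoleId

    # A global permission applies at the root of every linked vCenter Server,
    # so ask for confirmation before granting it.
    $target = "$User on $Server"
    $action = "Grant global role '$RoleName' (ID $roleId), propagate=$Propagate"
    if (-not $PSCmdlet.ShouldProcess($target, $action)) { return }

    # The page's function takes the password as a plain string, so decrypt it
    # only when building the arguments for the call.
    $params = @{
        vc_server   = $Server
        vc_username = $Credential.UserName
        vc_password = $Credential.GetNetworkCredential().Password
        vc_user     = $User
        vc_role_id  = "$roleId"
        propagate   = $Propagate.ToString().ToLower()
    }
    try     { New-GlobalPermission @params }
    finally { $params.Clear() }    # drop the reference to the plaintext password
}

# Usage: Get-Credential prompts, so no password literal lands in the script or history.
# New-GlobalPermissionSafe -Server 'vcenter.example.test' -Credential (Get-Credential) `
#     -User 'EXAMPLE\auditor' -RoleName 'ReadOnly' -Propagate $true
```

The same credential-prompt pattern applies to the -password parameter of New-VAMIUser shown earlier on this page.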

Categories // Automation, PowerCLI Tags // global permission, mob, PowerCLI


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
