WilliamLam.com

Decoding Services Roles/Permissions from a VMware Cloud Services Platform (CSP) Token

by // Leave a Comment

To programmatically access the various VMware Cloud Services (CSP) such as VMware Cloud on AWS as an example, a user must first generate a CSP Refresh Token using the CSP Console.


When creating a new CSP Refresh Token, you have the option to scope access to a specific set organization roles and service roles which will enable you to limit the permissions of this token to specific CSP Services. In the example below, I have created a new token which is scoped to the organization owner role along with two VMware Cloud on AWS Service Roles: Administrator (Delete Restricted) and NSX Cloud Admin to be able to grant access to a VMware Cloud on AWS SDDC.


One common issue that I see folks run into when working with some of the CSP Services including VMware Cloud on AWS from a programmatic standpoint is that they did not properly create a token with the correct permissions which usually will lead to some type of invalid request.

For popular services like VMware Cloud on AWS, it is usually pretty easy to track down, especially if the user who is using the CSP Refresh Token is the same person who created it. However, if you are not the person who created the original token or if you have forgotten or you may have access to multiple token, it can be a little bit difficult to troubleshoot.

The good news and probably lesser known detail about how CSP Refresh Tokens work is that you can actually decode these tokens to understand what specific scopes were used to create the initial token. Below are two methods to decode these tokens, both CSP Refresh Tokens (generated from the CSP UI) as well as CSP Access Token, which is returned when you request access providing your CSP Refresh Token.

[Read more...]

TKG Demo Appliance on VMware Cloud on DellEMC

by // Leave a Comment

We have been getting interests from customers on wanting to run Tanzu Kubernetes Grid (TKG) on our VMware Cloud on DellEMC (VMConDellEMC) offering and I was asked to see if my Tanzu Kubernetes Grid (TKG) Demo Appliance would also work on this VMware Cloud solution, especially as it works great on both VMware Cloud on AWS as well as existing premises vSphere 6.7 Update 3 or later environments.

With the help from our VMConDellEMC team, I got access to an SDDC and was able to validate that everything works as outlined in my TKG workshop guide. I have also updated the pre-req documentation to include a specific section for setting up VMConDellEMC SDDC, most of which is similiar to existing networking requirements. Once you have your customer uplink network configured to your VMConDellEMC SDDC, you will be able to reach the TKG Demo Appliance running on the NSX-T Segment. The thing about the setup is that TKG Demo Appliance is built in an air-gap fashion, so no internet access is required, which by default, the TKG CLI will assume. This is great way to quickly get started with TKG and playing with Kubernetes!


This was actually my first time using VMConDellEMC and I thought I would push the limits a bit and deploying a slightly larger TKG Workload Cluster than I normally would, especially since I got access to a 5-Node SDDC 😀

[Read more...]

New SDDC Linking capability for VMware Cloud on AWS

by // 1 Comment

Back in September, the VMware Transit Connect (vTGW) on VMware Cloud on AWS (VMConAWS) feature was released and provides users a simplified way of connecting AWS VPCs, AWS Direct Connect Gateways and customer on-premises datacenter from a networking connectivity standpoint. As part of this feature, a new logical construct called an SDDC Group was created which allows customers to easily apply common networking connectivity policies across a number of SDDCs versus having to manage them separately which can quickly get complex from an operational point of view.

The SDDC Group not only simplified the initial setup, but it also simplifies Day 2 Operations when new SDDCs are provisioned and added to the SDDC group. The networking policies that have been configured at the SDDC Group will automatically apply to all new SDDCs which makes this a really slick solution. As SDDCs are removed from the SDDC Group, the related configurations are automatically un-provisioning and detached from the respective networking resources.


Simplified network connectivity using an SDDC Group was just the beginning! Today, the VMware Cloud team has released a new feature built on top of the SDDC Groups construct called vCenter Linking for SDDC Groups. Just as the name implies, customers can now easily "Link" multiple vCenter Servers within an SDDC Group enabling a single view of all vCenter Servers using any one of the vSphere UIs within the SDDC. For those familiar with Enhanced Linked Mode (ELM), this is basically that but for SDDCs running in the Cloud!

The workflow could not have been simpler and last week I got try it out and was quite impressed! Under the hood, this leverages the vCenter Convergence capability and when enabling vCenter Linking, the service automatically handles all those details including the necessary NSX-T firewall rules that need to be configured across ALL SDDC to allow for secured connectivity. Just imagined having to do this each time a new SDDC is added or remove, you need to manually go to all SDDC and update or create new firewall rules!? This is all hidden away from the user and by simply associating SDDCs in the SDDC Group, the configurations are applied automatically for you.

One question that I did have while trying out this new feature was how does this work with existing features such as Hybrid Linked Mode (HLM) and ELM?

[Read more...]