Creating vSphere Namespaces with Permissions using Aria Automation
In our previous post, we created vSphere namespaces with vRealize Automation (vRA) and vCenter API. However, one thing that was missing was the ability to set permissions on the namespaces. In this post, we will explore how to set permissions on vSphere namespaces using Aria Automation.
Why Permissions?
Before we dive into setting permissions, let’s talk about why they are important. With vSphere namespaces, you can create isolated environments for your applications and workloads. However, without proper permissions, anyone with access to the namespace can make changes or delete resources within it. By setting permissions, you can restrict access to certain users or groups, ensuring that only authorized personnel can make changes or delete resources within the namespace.
Event Topics and Dynamic Types
To set permissions on a vSphere namespace, we will use Event Topics and Dynamic Types in Aria Automation. Event Topics allow us to subscribe to specific events within vCenter, such as when a namespace is provisioned or updated. Dynamic Types allow us to define custom resources within vRA, such as the permission levels for a namespace.
Changing the Cloud Template
To begin, we’ll need to make some changes to our Cloud Template to allow for adding permissions to a namespace. We’ll accept user input for the OWNER and VIEWER roles, and update the Cloud Template accordingly.
Using the vCenter API
Once we have our Cloud Template updated, we can use the vCenter API to set permissions on the namespace. We’ll fire an API call to the vCenter REST API after vRA has provisioned the namespace. The API call will be done with the PATCH method, and we’ll only provide the updated access list in the body.
Using Postman
Before tying this up in vRA, let’s verify the API call with Postman (or any other REST API client). We can use the Event Topic to retrieve the namespace name, which will be our identifier.
ABX Action and PowerShell
Now, let’s finally set things up in vRA to make the necessary API calls. We’ll use an ABX action running our code with the PowerShell runtime. We’ll add our constants as inputs, such as the vCenter hostname, the namespace name, and the owner and viewer information.
PowerShell Code
Our PowerShell code will look something like this:
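```powershell
# Get the input values from the custom properties in the Cloud Template
$owner = $context.getProperty("OWNER")
$viewer = $context.getProperty("VIEWER")
# vCenter hostname and namespace name come from the action inputs
# (the input names used here are assumptions)
$vcenterHost = $inputs.vcenterHost
$namespace = $inputs.namespace
$domain = "vsphere.local"   # placeholder SSO domain for both users (assumption)
# Set the base URL and authenticate with the vCenter API
$baseUrl = "https://$vcenterHost/api/vcenter/namespaces/instances/"
$username = "your-vcenter-username"   # placeholder, not a real credential
$password = "your-vcenter-password"   # placeholder, not a real credential
$sessionId = Get-VcSession -Hostname $vcenterHost -Username $username -Password $password
# Create a base64 encoded string consisting of username:password
$pair = "{0}:{1}" -f $username, $password
$authString = "Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
# Set the authentication headers
$headers = @{
    "vmware-api-session-id" = $sessionId
    "Authorization" = $authString
}
# Update the permissions for the namespace: one owner and one viewer
$body = @{
    "access_list" = @(
        @{
            "subject_type" = "USER"
            "subject" = $owner
            "domain" = $domain
            "role" = "OWNER"
        },
        @{
            "subject_type" = "USER"
            "subject" = $viewer
            "domain" = $domain
            "role" = "VIEW"   # API role name used for the VIEWER input
        }
    )
} | ConvertTo-Json -Depth 4   # the API expects a JSON body, not a hashtable
# PATCH the namespace identified by its name
$response = Invoke-RestMethod -Uri ($baseUrl + $namespace) -Method Patch -Body $body -ContentType "application/json" -Headers $headers -UseBasicParsing
```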
Note that we’re only supporting the two roles, OWNER and VIEWER, and we’re only supporting adding one user for either of the roles. Additionally, the API requires a session id, which can be retrieved using the Get-VcSession cmdlet.
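Since the action only ever intends to grant one owner and one viewer, it is worth reading the namespace back after the PATCH and checking that nobody else holds access. The following is an added example, not code from the original post: `Compare-NamespaceAccess` is a hypothetical helper, the `access_list` field names are assumed to match the vCenter namespaces API, and the users and JSON are constructed sample data.

```powershell
# Compare a namespace's access list with the one the action meant to set.
# Field names follow the vCenter namespaces API; all sample data is constructed.
function Compare-NamespaceAccess {
    param(
        [object[]] $Actual = @(),    # access_list from a GET on the namespace
        [object[]] $Expected = @()   # entries the action intended to grant
    )
    # Normalise to "type|subject@domain|role" so case and key order do not matter
    $key = { param($e) ('{0}|{1}@{2}|{3}' -f $e.subject_type, $e.subject, $e.domain, $e.role).ToLowerInvariant() }
    $actualKeys   = @($Actual   | Where-Object { $_ } | ForEach-Object { & $key $_ })
    $expectedKeys = @($Expected | Where-Object { $_ } | ForEach-Object { & $key $_ })
    [pscustomobject]@{
        Unexpected = @($actualKeys   | Where-Object { $_ -notin $expectedKeys })  # access nobody asked for
        Missing    = @($expectedKeys | Where-Object { $_ -notin $actualKeys })    # grant that did not land
    }
}

# Constructed sample of a GET response for the namespace instance
$sampleJson = @'
{
  "access_list": [
    { "subject_type": "USER",  "subject": "alice", "domain": "vsphere.local", "role": "OWNER" },
    { "subject_type": "USER",  "subject": "bob",   "domain": "vsphere.local", "role": "VIEW"  },
    { "subject_type": "GROUP", "subject": "devs",  "domain": "vsphere.local", "role": "EDIT"  }
  ]
}
'@
$actual = ($sampleJson | ConvertFrom-Json).access_list

# What the action intended: one owner and one viewer
$expected = @(
    [pscustomobject]@{ subject_type = 'USER'; subject = 'alice'; domain = 'vsphere.local'; role = 'OWNER' },
    [pscustomobject]@{ subject_type = 'USER'; subject = 'bob';   domain = 'vsphere.local'; role = 'VIEW' }
)

$result = Compare-NamespaceAccess -Actual $actual -Expected $expected
if ($result.Unexpected.Count -or $result.Missing.Count) {
    Write-Warning ("Access drift. Unexpected: {0}; Missing: {1}" -f ($result.Unexpected -join ', '), ($result.Missing -join ', '))
} else {
    Write-Output "Namespace access list matches the intended owner and viewer."
}
```

In the action itself, `$actual` would come from a GET on the same namespace URL used for the PATCH, and a non-empty `Unexpected` list is the signal to fail the run or raise an alert.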
Conclusion
In this post, we explored how to set permissions on vSphere namespaces using Aria Automation. We discussed why permissions are important, and how we can use Event Topics and Dynamic Types to set permissions. We also showed an example of how to set permissions using the vCenter API and PowerShell. By setting permissions, you can ensure that only authorized personnel can make changes or delete resources within your namespace. Thanks for reading!