In this article, I would like to share a small PowerShell script that should simplify the configuration of a VMware service account. This account will perform backup operations against VMware vCenter Server.
The Rubrik CDM user guide recommends creating a new VMware vCenter Server role that contains only the minimum privileges the service account needs to operate correctly. Once created, we assign this role to the user at the vCenter Server (root) object level and propagate it to the child objects.
I hardcoded a few parameters to easily re-use the script across environments. Most of them are self-explanatory, but I'll add some context to a few of them.
$VI_VCENTER, this parameter is the name of the vCenter Server Appliance virtual machine within the vCenter Server inventory; Invoke-VMScript runs the user-creation command inside this VM.
$LOCAL_USERNAME, this parameter is the VAMI (appliance root) user of the vCenter; we need it to run dir-cli in the guest and create the user object.
$LOCAL_PWD, the associated password for the VAMI user.
<#
.NOTES
Author: Koen Leemans
.NOTES
Site: www.cloud-duo.com, www.agisko.be
.NOTES
Compatibility: Verified for CDM 5.2 /w vCenter Server 7.0
#>

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false | Out-Null

# Environment parameters. Passwords are single-quoted so that a '$' inside
# the password is not expanded as a PowerShell variable.
$VI_SERVER      = "IP/FQDN-VCENTER"
$VI_USERNAME    = "administrator@vsphere.local"
$VI_PWD         = 'S$cureP@ssw0rd'
$VI_VCENTER     = "vcenter"            # VM name of the vCenter Server Appliance in the inventory
$RBK_USERNAME   = "sa-rubrik"
$RBK_PWD        = 'S$cureP@ssw0rd'
$RBK_FIRSTNAME  = "Rubrik"
$RBK_LASTNAME   = "ServiceAccount"
$LOCAL_USERNAME = "root"               # appliance (VAMI) root user, used by Invoke-VMScript
$LOCAL_PWD      = 'S$cureP@ssw0rd'

Connect-VIServer -Server $VI_SERVER -User $VI_USERNAME -Password $VI_PWD | Out-Null

# Minimum privileges for the backup role. Wildcards are expanded by Get-VIPrivilege.
$privileges = @(
    'datastore.allocatespace',
    'datastore.browse',
    'datastore.config',
    'datastore.file*',
    'datastore.move',
    'datastore.delete',
    'host.config.storage',
    'host.config.patch',
    'host.config.maintenance',
    'host.config.image',
    'network.assign',
    'resource.assignvmtopool',
    'resource.hotmigrate',
    'resource.coldmigrate',
    'resource.queryvmotion',
    'sessions.validatesession',
    'sessions.t*',
    'virtualmachine.config.addexistingdisk',
    'virtualmachine.config.addnewdisk',
    'virtualmachine.config.addremovedevice',
    'virtualmachine.config.advancedconfig',
    'virtualmachine.config.resource',
    'virtualmachine.config.changetracking',
    'virtualmachine.config.disklease',
    'virtualmachine.config.removedisk',
    'virtualmachine.config.rename',
    'virtualmachine.config.editdevice',
    'virtualmachine.config.swapplacement',
    'virtualmachine.guestoperations.modify',
    'virtualmachine.guestoperations.execute',
    'virtualmachine.guestoperations.query',
    'virtualmachine.interact.answerquestion',
    'virtualmachine.interact.backup',
    'virtualmachine.interact.deviceconnection',
    'virtualmachine.interact.guest*',
    'virtualmachine.interact.poweron',
    'virtualmachine.interact.poweroff',
    'virtualmachine.interact.reset',
    'virtualmachine.interact.suspend',
    'virtualmachine.interact.toolsinstall',
    'virtualmachine.inventory.create',
    'virtualmachine.inventory.move',
    'virtualmachine.inventory.register',
    'virtualmachine.inventory.unregister',
    'virtualmachine.inventory.delete',
    'virtualmachine.provisioning.diskrandomaccess',
    'virtualmachine.provisioning.diskrandomread',
    'virtualmachine.provisioning.getvmfiles',
    'virtualmachine.provisioning.putvmfiles',
    'virtualmachine.state.createsnapshot',
    'virtualmachine.state.removesnapshot',
    'virtualmachine.state.renamesnapshot',
    'virtualmachine.state.revert*',
    'storageprofile.update',
    'storageprofile.view',
    '*Tagging.CreateTag'
)

# Create the least-privilege role from the list above.
New-VIRole -Name "Rubrik-Backup" -Privilege (Get-VIPrivilege -Id $privileges) | Out-Null

# Create the SSO user inside the appliance with dir-cli. The passwords are wrapped in
# single quotes for the guest shell so that a '$' in them is not expanded by bash either.
$createUser = "/usr/lib/vmware-vmafd/bin/dir-cli user create --account $RBK_USERNAME --first-name $RBK_FIRSTNAME --last-name $RBK_LASTNAME --user-password '$RBK_PWD' --login $VI_USERNAME --password '$VI_PWD'"
Invoke-VMScript -ScriptText $createUser -VM $VI_VCENTER -GuestUser $LOCAL_USERNAME -GuestPassword $LOCAL_PWD | Out-Null

# Assign the role to the new user at the root folder and propagate it to all children.
New-VIPermission -Entity (Get-Folder -NoRecursion) -Principal "vsphere.local\$RBK_USERNAME" -Role (Get-VIRole -Name "Rubrik-Backup") -Propagate:$true -Confirm:$false

Disconnect-VIServer * -Confirm:$false
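Once the role and permission exist, it is worth being able to prove later that they still look the way you set them up: a privilege quietly added to the role, or a second permission granted to the service account elsewhere in the inventory, silently widens what the backup credentials can do. The following verification script is an added example and not part of the article's script; it assumes the role and principal names the article uses, and the baseline file name is my own choice. It records the role's privilege list once as a baseline and on later runs reports any drift, and it checks that the service account holds exactly one permission, on the root folder, with this role, propagated.

```powershell
<#
  Added example (not from the original article): drift check for the service-account
  role and permission created by the article's script.
  Assumptions (not in the article): $BaselinePath is an arbitrary file name chosen here;
  the defaults for role and principal are the names the article uses.
#>
param(
    [string]$Server       = 'IP/FQDN-VCENTER',
    [string]$RoleName     = 'Rubrik-Backup',
    [string]$Principal    = 'vsphere.local\sa-rubrik',
    [string]$BaselinePath = '.\Rubrik-Backup.privileges.json',
    [switch]$WriteBaseline
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
# Prompt for credentials instead of hardcoding them in the script body.
Connect-VIServer -Server $Server -Credential (Get-Credential) | Out-Null

try {
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop
    # PrivilegeList holds the concrete privilege IDs; wildcards were expanded at creation.
    $current = @($role.PrivilegeList | Sort-Object -Unique)

    if ($WriteBaseline) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Host "Baseline of $($current.Count) privileges written to $BaselinePath"
    }
    else {
        if (-not (Test-Path $BaselinePath)) {
            throw "No baseline at $BaselinePath; run once with -WriteBaseline first."
        }
        $baseline = @(Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json)
        $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
        foreach ($d in $diff) {
            $kind = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Write-Warning "$kind privilege on role '$RoleName': $($d.InputObject)"
        }
        if (-not $diff) {
            Write-Host "Role '$RoleName' matches baseline ($($current.Count) privileges)."
        }
    }

    # The service account should hold exactly one permission: this role, on the root
    # folder, propagated to children. Anything else is a scope change worth a look.
    $root  = Get-Folder -NoRecursion
    $perms = @(Get-VIPermission -Principal $Principal)
    foreach ($p in $perms) {
        $expected = ($p.Role -eq $RoleName) -and ($p.Entity.Id -eq $root.Id) -and $p.Propagate
        if (-not $expected) {
            Write-Warning "Unexpected permission for $Principal : role '$($p.Role)' on '$($p.Entity.Name)' (Propagate=$($p.Propagate))"
        }
    }
    if ($perms.Count -ne 1) {
        Write-Warning "$Principal has $($perms.Count) permission entries; expected exactly 1."
    }
}
finally {
    Disconnect-VIServer -Server $Server -Confirm:$false
}
```

Run it once with -WriteBaseline right after the article's script, then schedule it without the switch; a non-empty set of warnings is the signal that either the role or the account's scope has changed since setup.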
I hope this article will help you configure and enjoy your Rubrik!
Note: The script has only been tested against VMware vCenter Server 7.0; please give feedback in the comments if it works for your vCenter Server!
Source: https://support.rubrik.com/s/htmldocuments?docurl=https%3A%2F%2Frubrik-docs.s3-us-west-1.amazonaws.com%2Fen-us%2F5.2%2Findex.html
dir-cli may error out if your service account does not meet the minimum password requirements.
And the password fields should have single quotes instead of double quotes, in case the password has $ characters.
Worked for VC 6.7 and CDM 5.3, which has no difference in permissions required.
There is a script in the Rubrik PowerShell Repository as well, and it is community maintained.
Check it out here:
https://github.com/rubrikinc/rubrik-scripts-for-powershell/blob/master/VM/create_vCenter_User.ps1