Create ESXi root account with vRO [CB10104]

TL;DR If you would like to create ESXi local account using vRO, download this package (in.co.cloudblogger.crudEsxiLocalUser.package) to get started.

Introduction

Many organization uses vRO for Host Provisioning. Various hardware vendors provide vRO Scripting APIs via plugins or REST APIs to manage and provision bare-metal servers. While doing so, there is always a possibility that post-provisioning, you would like to access your ESXi host from an account other than root for several reasons like security restrictions, limited access etc. In that case, the best way is to create a fresh new account using vRO with the kind of access mode or lets call it, role that suits the needs. In this post, we will see how to create an ESXi local user account using vRO Scripting API.

Classes & Methods

As shown below, we have used following classes and methods for retrieval of existing accounts, creation, updating & deletion of accounts as well as change access or Role of those accounts.

Script

if you just want the script, the link to it is here.

/**
 *
 * @version 0.0.0
 *
 * @param {VC:HostSystem} host 
 * @param {string} localUserName 
 * @param {SecureString} localUserPassword 
 * @param {string} accessMode 
 * @param {string} localUserDescription 
 *
 * @outputType void
 *
 */
function createEsxiLocalUser(host, localUserName, localUserPassword, accessMode, localUserDescription) {
	if(!host) throw "host parameter not set";
	if(!localUserName || !localUserPassword) throw "Either username or password parameter not set";
	if(!localUserDescription) localUserDescription = "***Account created using vRO***";
	if(localUserDescription.indexOf(localUserPassword) != -1) throw 'Weak Credentials! Avoid putting password string in description';
	
	// Retrieve all system and custom user accounts
	var arrExistingLocalusers = host.configManager.hostAccessManager.retrieveHostAccessControlEntries();
	var accountSpecs = new VcHostAccountSpec(localUserName,localUserPassword,localUserDescription);
	host.configManager.accountManager.createUser(accountSpecs);
	switch(accessMode){
	    case 'Admin': //Full access rights
	        host.configManager.hostAccessManager.changeAccessMode(localUserName,false,VcHostAccessMode.accessAdmin);
	        break;
	    case 'ReadOnly': //See details of objects, but not make changes
	        host.configManager.hostAccessManager.changeAccessMode(localUserName,false,VcHostAccessMode.accessReadOnly);
	        break;
	    case 'NoAccess': //Used for restricting granted access
	        host.configManager.hostAccessManager.changeAccessMode(localUserName,false,VcHostAccessMode.accessNoAccess);
	        break;
	    default: //No access assigned. Note: Role assigned is accessNone
	        host.configManager.hostAccessManager.changeAccessMode(localUserName,false,VcHostAccessMode.accessNone);
	}
	System.warn("  >>> Local user "+localUserName+" created with accessMode "+accessMode+" on host "+host.name);
	
	
}

Demo Video

In this demo, we can see how the workflow is utilized to create a local account testuser1 through which we logged in to ESXi and check if it has required permissions.

vRO Package for CRUD operation

I have created a vRO Workflow to create and manage your ESXi local accounts directly from the input form itself. Please find the vRO package that contains the master workflow and associated actions.

Workflow: CRUD Operation on ESXi Local Users
Actions:
- getEsxiLocalUser
- deleteEsxiLocalUser
- updateEsxiLocalUser
- createEsxiLocalUser
- getAllEsxiLocalUsers
- getAllEsxiLocalUsersWithRoles

Link to vRO package: in.co.cloudblogger.crudEsxiLocalUser.package

That’s all in this post. Thanks for reading.