Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Grants the correct vSphere permissions to the specified service user/group for BOSH director to function.
function Add-BoshVCenterAccount()
Grants the correct vSphere permissions to the specified service user/group for BOSH director to function.
This function creates a new vSphere role called PKS Administrators if it does not exist already. It then assigns the specified local or domain user/group to the role at the root vCenter server object.
Specifies the Group to assign the role to.
Specifies the User to assign the role to.
If specified, then the User or Group specified is assumed to be a domain object. Specify the AD Domain the user/group is a member of.
The resultant permission.
Connect-ViServer -Server
Add-BoshVCenterAccount -Domain mydomain -User user1
[string] $User,
[string] $Group,
[string] $Domain
$version = $Null
if ( (Get-Variable | Where-Object { $_.Name -ieq "global:DefaultViServer" }) -and $DefaultViServer )
$version = $defaultViServer.Version
throw ("Use Connect-ViSever first!")
# Permissions for 6.5+:
$privileges = @( `
"Manage custom attributes",
"Allocate space",
"Browse datastore",
"Low level file operations",
"Remove file",
"Update virtual machine files",
"Delete folder",
"Create folder",
"Move folder",
"Rename folder",
"Set custom attribute",
"Modify cluster",
"Assign network",
"Assign virtual machine to resource pool",
"Migrate powered off virtual machine",
"Migrate powered on virtual machine",
"Add existing disk",
"Add new disk",
"Add or remove device",
"Change CPU count",
"Change resource",
"Configure managedBy",
"Disk change tracking",
"Disk lease",
"Display connection settings",
"Extend virtual disk",
"Modify device settings",
"Raw device",
"Reload from path",
"Remove disk",
"Reset guest information",
"Set annotation",
"Swapfile placement",
"Unlock virtual machine",
"Guest Operation Program Execution",
"Guest Operation Modifications",
"Guest Operation Queries",
"Answer question",
"Configure CD media",
"Console interaction",
"Defragment all disks",
"Device connection",
"Guest operating system management by VIX API",
"Power Off",
"Power On",
"VMware Tools install",
"Create from existing",
"Create new",
"Allow disk access",
"Allow read-only disk access",
"Allow virtual machine download",
"Allow virtual machine files upload",
"Clone template",
"Clone virtual machine",
"Deploy template",
"Mark as template",
"Mark as virtual machine",
"Modify customization specification",
"Promote disks",
"Read customization specifications",
"Create snapshot",
"Remove Snapshot",
"Rename Snapshot",
"Revert to snapshot",
"vApp application configuration"
if ( $version -ilike "6.0*" )
# Version 6.0 permissions:
$privileges = $privileges | Where-Object { $_ -inotmatch '^(Create|Edit|Delete)Tag$' }
$privileges += "Create Inventory Service Tag"
$privileges += "Edit Inventory Service Tag"
$privileges += "Delete Inventory Service Tag"
$role = Get-ViRole | Where-Object { $_.Name -ieq "PKS Administrators" }
if ( !$role )
$role = New-VIRole -Name "PKS Administrators" -Privilege $privileges
$principalParam = @{}
$idFieldName = "Name"
if ( $Domain )
$principalParam.Add("Domain", $Domain)
$idFieldName = "Id"
if ( $PSCmdlet.ParameterSetName -ieq "user" )
$principalParam.Add($idFieldName, $User)
$principalParam.Add("User", $true)
$principalParam.Add($idFieldName, $Group)
$principalParam.Add("Group", $true)
$principal = Get-VIAccount @principalParam
if ( $PSCmdlet.ShouldProcess($DefaultViServer.Name, "Add permission to root Vcenter for domain account $($principal.Name) and role PKS Administrators") )
New-VIPermission -Entity "Datacenters" -Principal $principal -Role $role
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment