Credentials required for working with cloud accounts in VMware Aria Automation

To configure and work with cloud accounts in VMware Aria Automation, verify that you have the following credentials.

Required overall credentials

To sign up for and log in to Automation Assembler, you need a VMware ID.
  • Set up a My VMware account by using your corporate email address at VMware Customer Connect.
To connect to VMware Aria Automation services, you need HTTPS port 443 open to outgoing traffic with access through the firewall to:
  • *.vmwareidentity.com
  • gaz.csp-vidm-prod.com
  • *.vmware.com
For more information about ports and protocols, see VMware Ports and Protocols, and see Port Requirements in the Reference Architecture help.

vCenter cloud account credentials

This section describes the credentials that are required to add a vCenter cloud account.
Privileges are required for the vSphere agent to manage the vCenter instance. Provide an account with the following read and write privileges:
  • vCenter IP address or FQDN
The permissions needed to manage VMware Cloud on AWS and vCenter cloud accounts are listed below. Permissions must be enabled for all clusters in the vCenter, not just clusters that host endpoints.
To support control of VMware's Virtual Trusted Platform Module (vTPM) when deploying Windows 11 VMs, you must have the cryptographic operations -> direct access privilege in vCenter. Without this privilege, console access from VMware Aria Automation to Windows 11 VMs is not possible. For related information, see Virtual Trusted Platform Module Overview.
For all vCenter-based cloud accounts, including NSX-V, NSX-T, vCenter, and VMware Cloud on AWS, the administrator must have vSphere endpoint credentials, or the credentials under which the agent service runs in vCenter, that provide administrative access to the host vCenter.
For more information about agent requirements, see VMware vSphere product documentation.
Setting / Selection
Content library
To assign a privilege on a content library, an administrator must grant the privilege to the user as a global privilege. For related information, see Hierarchical Inheritance of Permissions for Content Libraries in vSphere Virtual Machine Administration at VMware vSphere Documentation.
  • Add library item
  • Create local library
  • Create subscribed library
  • Delete library item
  • Delete local library
  • Delete subscribed library
  • Download files
  • Evict library item
  • Probe subscription information
  • Read storage
  • Sync library item
  • Sync subscribed library
  • Type introspection
  • Update configuration settings
  • Update files
  • Update library
  • Update library item
  • Update local library
  • Update subscribed library
  • View configuration settings
Datastore
  • Allocate space
  • Browse datastore
  • Low level file operations
Datastore cluster
  • Configure a datastore cluster
Folder
  • Create folder
  • Delete folder
Global
  • Manage custom attributes
  • Set custom attribute
Network
  • Assign network
Permissions
  • Modify permission
Profile-driven storage
  • Profile-driven storage view
    To return a list of storage policies that can be mapped to a storage profile, grant the StorageProfile.View privilege to all accounts that connect VMware Aria Automation to vCenter.
Resource
  • Assign virtual machine to resource pool
  • Migrate powered off virtual machine
  • Migrate powered on virtual machine
vApp
  • Import
  • vApp application configuration
    The vApp.Import application configuration is required for OVF templates and to provision VMs from the content library.
    The vApp.vApp application configuration is required when using cloud-init for cloud configuration scripting. This setting allows for modification of a vApp's internal structure, such as its product information and properties.
Virtual machine
Change Configuration
  • Add existing disk
  • Add new disk
  • Add or remove device
  • Advanced configuration
  • Change CPU count
  • Change memory
  • Change settings
  • Change Swapfile placement
  • Change resource
  • Extend virtual disk
  • Modify device settings
  • Remove disk
  • Rename
  • Set annotation
  • Toggle disk change tracking
Edit Inventory
  • Create from existing
  • Create new
  • Move
  • Remove
Interaction
  • Configure CD media
  • Connect devices
  • Console interaction
  • Install VMware tools
  • Power off
  • Power on
  • Reset
  • Suspend
Provisioning
  • Clone template
  • Clone virtual machine
  • Customize guest
  • Deploy template
  • Read customization specifications
Snapshot management
  • Create snapshot
  • Remove snapshot
  • Revert to snapshot
vSphere Tagging
  • Assign or unassign vSphere tag
  • Assign or unassign vSphere tag on object
  • Create vSphere tag
  • Create vSphere tag category
  • Delete vSphere tag
  • Delete vSphere tag category
  • Edit vSphere tag
  • Edit vSphere tag category
  • Modify UsedBy field for category
  • Modify UsedBy field for tag

Amazon Web Services (AWS) cloud account credentials

This section describes the credentials that are required to add an Amazon Web Services cloud account. See the vCenter cloud account credentials section above for additional credential requirements.
Provide a power user account with read and write privileges. The user account must be a member of the power access policy (PowerUserAccess) in the AWS Identity and Access Management (IAM) system.
Enable the 20-digit Access Key ID and corresponding Secret Access Key access.
If you are using an external HTTP Internet proxy, it must be configured for IPv4.
VMware Aria Automation actions-based extensibility (ABX) and external IPAM integration may require additional permissions.
Setting / Selection
Autoscaling actions
The following AWS permissions are suggested to allow autoscaling functions:
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:AttachInstances
  • autoscaling:DeleteLaunchConfiguration
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:CreateAutoScalingGroup
  • autoscaling:UpdateAutoScalingGroup
  • autoscaling:DeleteAutoScalingGroup
  • autoscaling:DescribeLoadBalancers
Autoscaling resources
The following permissions are required to allow autoscaling resource permissions:
  • *
    Provide all autoscaling resource permissions.
AWS Security Token Service (AWS STS) resources
The following permissions are required to allow AWS Security Token Service (AWS STS) functions to support temporary, limited-privilege credentials for AWS identity and access:
  • *
    Provide all STS resource permissions.
EC2 actions
The following AWS permissions are required to allow EC2 functions:
  • ec2:AttachVolume
  • ec2:AuthorizeSecurityGroupIngress
  • ec2:DeleteSubnet
  • ec2:DeleteSnapshot
  • ec2:DescribeInstances
  • ec2:DeleteTags
  • ec2:DescribeRegions
  • ec2:DescribeVolumesModifications
  • ec2:CreateVpc
  • ec2:DescribeSnapshots
  • ec2:DescribeInternetGateways
  • ec2:DeleteVolume
  • ec2:DescribeNetworkInterfaces
  • ec2:StartInstances
  • ec2:DescribeAvailabilityZones
  • ec2:CreateInternetGateway
  • ec2:CreateSecurityGroup
  • ec2:DescribeVolumes
  • ec2:CreateSnapshot
  • ec2:ModifyInstanceAttribute
  • ec2:DescribeRouteTables
  • ec2:DescribeInstanceTypes
  • ec2:DescribeInstanceTypeOfferings
  • ec2:DescribeInstanceStatus
  • ec2:DetachVolume
  • ec2:RebootInstances
  • ec2:AuthorizeSecurityGroupEgress
  • ec2:ModifyVolume
  • ec2:TerminateInstances
  • ec2:DescribeSpotFleetRequestHistory
  • ec2:DescribeTags
  • ec2:CreateTags
  • ec2:RunInstances
  • ec2:DescribeNatGateways
  • ec2:StopInstances
  • ec2:DescribeSecurityGroups
  • ec2:CreateVolume
  • ec2:DescribeSpotFleetRequests
  • ec2:DescribeImages
  • ec2:DescribeVpcs
  • ec2:DeleteSecurityGroup
  • ec2:DeleteVpc
  • ec2:CreateSubnet
  • ec2:DescribeSubnets
  • ec2:RequestSpotFleet
    The SpotFleet request permission is not required for VMware Aria Automation actions-based extensibility (ABX) or external IPAM integrations.
EC2 resources
  • *
    Provide all EC2 resource permissions.
Elastic load balancing - load balancer actions
  • elasticloadbalancing:DeleteLoadBalancer
  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:RemoveTags
  • elasticloadbalancing:CreateLoadBalancer
  • elasticloadbalancing:DescribeTags
  • elasticloadbalancing:ConfigureHealthCheck
  • elasticloadbalancing:AddTags
  • elasticloadbalancing:CreateTargetGroup
  • elasticloadbalancing:DeleteLoadBalancerListeners
  • elasticloadbalancing:DeregisterInstancesFromLoadBalancer
  • elasticloadbalancing:RegisterInstancesWithLoadBalancer
  • elasticloadbalancing:CreateLoadBalancerListeners
Elastic load balancing - load balancer resources
  • *
    Provide all load balancer resource permissions.
AWS Identity and Access Management (IAM)
The following AWS Identity and Access Management (IAM) permissions can be enabled, however they are not required:
  • iam:SimulateCustomPolicy
  • iam:GetUser
  • iam:ListUserPolicies
  • iam:GetUserPolicy
  • iam:ListAttachedUserPolicies
  • iam:GetPolicyVersion
  • iam:ListGroupsForUser
  • iam:ListGroupPolicies
  • iam:GetGroupPolicy
  • iam:ListAttachedGroupPolicies
  • iam:ListPolicyVersions
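As an added example (not VMware's code), the following Python script checks whether a candidate IAM policy document grants the AWS actions listed above, handling the `*` wildcards, `NotAction` statements and explicit `Deny` entries the way IAM evaluates them. The action subset and both policy documents are constructed fixtures; resource ARNs and condition keys are ignored.

```python
"""Check whether a candidate IAM policy document grants the actions this page
lists for a VMware Aria Automation AWS cloud account.

Added example, not VMware's code. The policy documents below are constructed
fixtures; IAM condition keys and resource ARNs are deliberately ignored."""
import fnmatch

# A subset of the actions listed on this page (constructed fixture).
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:RunInstances",
    "ec2:TerminateInstances",
    "ec2:CreateTags",
    "ec2:DescribeImages",
    "ec2:CreateSecurityGroup",
    "autoscaling:DescribeAutoScalingGroups",
    "elasticloadbalancing:DescribeLoadBalancers",
    "ec2:RequestSpotFleet",
]

# Constructed policy shaped like a power-user grant: everything except IAM,
# Organizations and Account actions.
POWER_USER_STYLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "NotAction": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
    ],
}

# Constructed read-mostly policy with one explicit deny.
READ_MOSTLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:RequestSpotFleet", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def action_allowed(policy, action):
    """Return True if some Allow statement covers `action` and no Deny does.

    Mirrors IAM's evaluation only as far as Allow/Deny on actions:
    an explicit Deny always wins over an Allow."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            hit = _matches(_as_list(stmt["Action"]), action)
        elif "NotAction" in stmt:
            hit = not _matches(_as_list(stmt["NotAction"]), action)
        else:
            hit = False
        if hit and stmt.get("Effect") == "Allow":
            allowed = True
        if hit and stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """List the required actions the policy does not grant, in page order."""
    return [a for a in required if not action_allowed(policy, a)]


if __name__ == "__main__":
    print("power-user style missing:", missing_actions(POWER_USER_STYLE))
    print("read-mostly missing:", missing_actions(READ_MOSTLY))
```

Run it against the policy actually attached to the cloud account user to see which of the listed actions are still missing before the account validation fails.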

Microsoft Azure cloud account credentials

This section describes the credentials that are required to add a Microsoft Azure cloud account.
Configure a Microsoft Azure instance and obtain a valid Microsoft Azure subscription from which you can use the subscription ID.
Create an Active Directory application as described in How to: Use the portal to create an Azure AD application and service principal that can access resources in Microsoft Azure product documentation.
If you are using an external HTTP Internet proxy, it must be configured for IPv4.
  • General settings
    The following overall settings are required.
    Setting / Description
    Subscription ID: Allows you to access your Microsoft Azure subscriptions.
    Tenant ID: The authorization endpoint for the Active Directory applications you create in your Microsoft Azure account.
    Client application ID: Provides access to Microsoft Active Directory in your Microsoft Azure individual account.
    Client application secret key: The unique secret key generated to pair with your client application ID.
  • Settings for creating and validating cloud accounts
    The following permissions are needed for creating and validating Microsoft Azure cloud accounts.
    Setting / Selection
    Microsoft Compute
    • Microsoft.Compute/virtualMachines/extensions/write
    • Microsoft.Compute/virtualMachines/extensions/read
    • Microsoft.Compute/virtualMachines/extensions/delete
    • Microsoft.Compute/virtualMachines/deallocate/action
    • Microsoft.Compute/virtualMachines/delete
    • Microsoft.Compute/virtualMachines/powerOff/action
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Compute/virtualMachines/restart/action
    • Microsoft.Compute/virtualMachines/start/action
    • Microsoft.Compute/virtualMachines/write
    • Microsoft.Compute/availabilitySets/write
    • Microsoft.Compute/availabilitySets/read
    • Microsoft.Compute/availabilitySets/delete
    • Microsoft.Compute/disks/delete
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/write
    Microsoft Network
    • Microsoft.Network/loadBalancers/backendAddressPools/join/action
    • Microsoft.Network/loadBalancers/delete
    • Microsoft.Network/loadBalancers/read
    • Microsoft.Network/loadBalancers/write
    • Microsoft.Network/networkInterfaces/join/action
    • Microsoft.Network/networkInterfaces/read
    • Microsoft.Network/networkInterfaces/write
    • Microsoft.Network/networkInterfaces/delete
    • Microsoft.Network/networkSecurityGroups/join/action
    • Microsoft.Network/networkSecurityGroups/read
    • Microsoft.Network/networkSecurityGroups/write
    • Microsoft.Network/networkSecurityGroups/delete
    • Microsoft.Network/publicIPAddresses/delete
    • Microsoft.Network/publicIPAddresses/join/action
    • Microsoft.Network/publicIPAddresses/read
    • Microsoft.Network/publicIPAddresses/write
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/subnets/delete
    • Microsoft.Network/virtualNetworks/subnets/join/action
    • Microsoft.Network/virtualNetworks/subnets/read
    • Microsoft.Network/virtualNetworks/subnets/write
    • Microsoft.Network/virtualNetworks/write
    Microsoft Resources
    • Microsoft.Resources/subscriptions/resourcegroups/delete
    • Microsoft.Resources/subscriptions/resourcegroups/read
    • Microsoft.Resources/subscriptions/resourcegroups/write
    Microsoft Storage
    • Microsoft.Storage/storageAccounts/delete
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.Storage/storageAccounts/write
    • Microsoft.Storage/storageAccounts/listKeys/action is not generally required, but may be needed by users to view storage accounts.
    Microsoft Web
    • Microsoft.Web/sites/read
    • Microsoft.Web/sites/write
    • Microsoft.Web/sites/delete
    • Microsoft.Web/sites/config/read
    • Microsoft.Web/sites/config/write
    • Microsoft.Web/sites/config/list/action
    • Microsoft.Web/sites/publishxml/action
    • Microsoft.Web/serverfarms/write
    • Microsoft.Web/serverfarms/delete
    • Microsoft.Web/sites/hostruntime/functions/keys/read
    • Microsoft.Web/sites/hostruntime/host/read
    • Microsoft.web/sites/functions/masterkey/read
  • Settings for action-based extensibility
    If you are using Microsoft Azure with action-based extensibility, the following permissions are required, in addition to the minimal permissions.
    Setting / Selection
    Microsoft Web
    • Microsoft.Web/sites/read
    • Microsoft.Web/sites/write
    • Microsoft.Web/sites/delete
    • Microsoft.Web/sites/*/action
    • Microsoft.Web/sites/config/read
    • Microsoft.Web/sites/config/write
    • Microsoft.Web/sites/config/list/action
    • Microsoft.Web/sites/publishxml/action
    • Microsoft.Web/serverfarms/write
    • Microsoft.Web/serverfarms/delete
    • Microsoft.Web/sites/hostruntime/functions/keys/read
    • Microsoft.Web/sites/hostruntime/host/read
    • Microsoft.Web/sites/functions/masterkey/read
    • Microsoft.Web/apimanagementaccounts/apis/read
    Microsoft Authorization
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleAssignments/write
    • Microsoft.Authorization/roleAssignments/delete
    Microsoft Insights
    • Microsoft.Insights/Components/Read
    • Microsoft.Insights/Components/Write
    • Microsoft.Insights/Components/Query/Read
  • Settings for action-based extensibility with extensions
    If you are using Microsoft Azure with action-based extensibility with extensions, the following permissions are also required.
    Setting / Selection
    Microsoft.Compute
    • Microsoft.Compute/virtualMachines/extensions/write
    • Microsoft.Compute/virtualMachines/extensions/read
    • Microsoft.Compute/virtualMachines/extensions/delete
For related information about creating a Microsoft Azure cloud account, see Configure Microsoft Azure.

Google Cloud Platform (GCP) cloud account credentials

This section describes the credentials that are required to add a Google Cloud Platform cloud account.
The Google Cloud Platform cloud account interacts with the Google Cloud Platform compute engine.
The Project Admin and Owner credentials are required for creating and validating Google Cloud Platform cloud accounts.
If you are using an external HTTP Internet proxy, it must be configured for IPv4.
The compute engine service must be enabled. When creating the cloud account in VMware Aria Automation, use the service account that was created when the compute engine was initialized.
The following compute engine permissions are also needed, depending on the actions that the user can take.
Setting / Selection
roles/compute.admin
Provides full control of all compute engine resources.
roles/iam.serviceAccountUser
Provides access to users who manage virtual machine instances that are configured to run as a service account. Grant access to the following resources and services:
  • compute.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.imageUser
Provides permission to list and read images without having other permissions on the image. Granting the compute.imageUser role at the project level gives users the ability to list all images in the project. It also allows users to create resources, such as instances and persistent disks, based on images in the project.
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.instanceAdmin
Provides permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure Shielded VM (Beta) settings.
For users that manage virtual machine instances (but not network or security settings or instances that run as service accounts), grant this role to the organization, folder, or project that contains the instances, or to the individual instances.
Users that manage virtual machine instances that are configured to run as a service account also need the roles/iam.serviceAccountUser role.
  • compute.acceleratorTypes
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers
  • compute.diskTypes
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers
  • compute.instanceGroups
  • compute.instanceTemplates
  • compute.instances
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineTypes
  • compute.networkEndpointGroups
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/compute.instanceAdmin.v1
Provides full control of compute engine instances, instance groups, disks, snapshots, and images. Also provides read access to all compute engine networking resources.
If you grant a user this role at the instance level, that user cannot create new instances.
  • compute.acceleratorTypes
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes
  • compute.disks
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images
  • compute.instanceGroupManagers
  • compute.instanceGroups
  • compute.instanceTemplates
  • compute.instances
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes
  • compute.licenses
  • compute.machineTypes
  • compute.networkEndpointGroups
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.snapshots
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

NSX-T cloud account credentials

This section describes the credentials that are required to add an NSX-T cloud account.
As of NSX-T Data Center 3.1, custom roles are supported.
Provide an account with the following read and write privileges.
  • NSX-T IP address or FQDN
  • NSX-T user name and password
Associate the user with both the Audit role and the custom role, which has the privileges outlined below. Add this user to VMware Aria Automation as a cloud account for seamless authentication with NSX-T.
The following lists the minimum privileges required for the custom role.
Category/Subcategory: Permission
Networking - Tier-0 Gateways: Read-only
Networking - Tier-0 Gateways -> OSPF: None
Networking - Tier-1 Gateways: Full Access
Networking - Segments: Full Access
Networking - VPN: None
Networking - NAT: Full Access
Networking - Load Balancing: Full Access
Networking - Forwarding Policy: None
Networking - Statistics: None
Networking - DNS: None
Networking - DHCP: Full Access
Networking - IP Address Pools: None
Networking - Profiles: Read-only
Security - Threat Detection & Response: None
Security - Distributed Firewall: Full Access
Security - IDS/IPS & Malware Prevention: None
Security - TLS Inspection: None
Security - Identity Firewall: None
Security - Gateway Firewall: None
Security - Service Chain Management: None
Security - Firewall Time Window: None
Security - Profiles: None
Security - Service Profiles: None
Security - Firewall Settings: Full Access
Security - Gateway Security Settings: None
Inventory: Full Access
Troubleshooting: None
System: None
Administrators also require access to the vCenter as described in the vCenter cloud account credentials section of this topic.

NSX-V cloud account credentials

This section describes the credentials that are required to add an NSX-V cloud account.
Provide an account with the following read and write privileges:
  • NSX-V Enterprise Administrator role and access credentials
  • NSX-V IP address or FQDN
Administrators also require access to the vCenter as described in the vCenter cloud account credentials section of this topic.

VMware Cloud on AWS (VMC on AWS) cloud account credentials

This section describes the credentials that are required to add a VMware Cloud on AWS (VMC on AWS) cloud account.
Provide an account with the following read and write privileges:
  • The cloudadmin@vmc.local account or any user account in the CloudAdmin group
  • NSX Enterprise Administrator role and access credentials
  • NSX Cloud Admin access to your organization's VMware Cloud on AWS SDDC environment
  • Administrator access to your organization's VMware Cloud on AWS SDDC environment
  • The VMware Cloud on AWS API token for your VMware Cloud on AWS environment in your organization's VMware Cloud on AWS service
  • vCenter IP address or FQDN
Administrators also require access to the vCenter as described in the vCenter cloud account credentials section of this topic.
For more information about the permissions needed to create and use VMware Cloud on AWS cloud accounts, see Managing the VMware Cloud on AWS Data Center in VMware Cloud on AWS product documentation.

VMware Cloud Director (vCD) cloud account credentials

This section describes the credentials that are required to add a VMware Cloud Director (vCD) cloud account.
Creating a VMware Cloud Director cloud account in VMware Aria Automation requires that you provide account credentials for a VMware Cloud Director user with the Organization Administrator role. Specifically, the following subset of the Organization Administrator role, available in VMware Cloud Director, is needed for creating and validating VMware Cloud Director cloud accounts in VMware Aria Automation:
Setting / Selection
Access All Organization vDCs
All
Catalog
  • Add vApp from My Cloud
  • View Private and Shared Catalogs
  • View Published Catalogs
General
  • Administrator Control
  • Administrator View
Metadata File Entry
Create/Modify
Organization Network
  • Edit Properties
  • View
Organization vDC Gateway
  • View
  • Edit Properties
  • View Properties
Organization vDC
  • View
  • View CPU and Memory Reservation
Organization
  • Edit Properties
  • View
Quota Policy Capabilities
View
VDC Template
  • Instantiate
  • View
vApp Template / Media
  • Copy
  • Create/Upload
  • Edit
  • View
  • VAPP_VM_METADATA_TO_VCENTER
vApp Template
  • Change Owner
  • Checkout
  • Download
vApp
  • Change Owner
  • Copy
  • Create / Reconfigure
  • Delete
  • Download
  • Edit Properties
  • Edit VM CPU
  • Edit VM CPU and Memory reservation settings in all VDC types
  • Edit VM Hard Disk
  • Edit VM Memory
  • Edit VM Network
  • Edit VM Properties
  • Manage VM Password Settings
  • Power Operations
  • Sharing
  • Snapshot Operations
  • Upload
  • Use Console
  • VM Boot Options
  • View ACL
  • View VM metrics
vDC Group
  • Configure
  • Configure Logging
  • View
Creating and using a VMware Cloud Director cloud account in VMware Aria Automation is not supported if VMware Aria Automation has FIPS enabled.

VMware Aria Operations integration credentials

This section describes the credentials that are required to integrate with VMware Aria Operations. Note that these credentials are established and configured in VMware Aria Operations, not in VMware Aria Automation.
Provide a local or non-local login account to VMware Aria Operations with the following read privileges.
  • Adapter Instance: vCenter Adapter > VC Adapter Instance for vCenter-FQDN
A non-local account might need to be imported first, before you can assign its read-only role.

NSX integration with Microsoft Azure VMware Solution (AVS) for VMware Aria Automation

For information about connecting NSX running on Microsoft Azure VMware Solution (AVS) to VMware Aria Automation, including configuring custom roles, see NSX-T Data Center cloudadmin user permissions in the Microsoft product documentation.