Managing ESXi Local User Accounts from Aria Automation Orchestrator


In my previous blog post Managing ESXi Local User Accounts from vCenter Server Using PowerCLI, I provided a quick walkthrough of how to manage ESXi local user accounts using VMware PowerCLI and VMware vCenter Server. This post will provide a similar walkthrough, but I will utilize VMware Aria Automation Orchestrator this time.

Getting Started

This walkthrough assumes that you already have a working VMware Aria Automation Orchestrator deployment and that you have already established a connection to your VMware vCenter Server instance from VMware Aria Automation Orchestrator. It also assumes that the credentials used to establish that connection have Administrator privileges within your VMware vCenter Server instance, since every operation below creates, modifies, or removes accounts on the host.

Two objects exposed by the VcHostConfigManager of a VcHostSystem allow us to interact with local user accounts. The first is the VcHostAccessManager, which manages user account access rights and Lockdown Mode. The second is the VcHostLocalAccountManager, which creates, updates, and removes local user accounts. We will use both of them throughout this walkthrough.

List All Local User Accounts

Our first goal is to obtain a list of all local user accounts from a provided VMware ESXi host. To accomplish this, we create a new VMware Aria Automation Orchestrator action called getUsers. This new action has one input of type VcHostSystem; in this example, the input variable is called host. To obtain the access rights for each user account as we list them, we must use the VcHostAccessManager object, so our first step is to call its retrieveHostAccessControlEntries method, which returns the list of users together with their access rights. Next, we create a new array called users, loop through each access control entry returned, copy it into a new Properties object, add that object to our users array, and write the values to the log. Finally, we return the array of Properties containing all user accounts. The final code looks like this:

// Retrieve every local account and its access rights from the host's HostAccessManager.
var hostUsers = host.configManager.hostAccessManager.retrieveHostAccessControlEntries();
var users = new Array();
for each(var hostUser in hostUsers)
{
    // Copy the principal and its HostAccessMode into a Properties object for the caller.
    var user = new Properties();
    user.principal = hostUser.principal;
    user.accessMode = hostUser.accessMode;
    users.push(user);
    System.log("User: " + user.principal + ", Access Mode: " + user.accessMode.value);
}
return users;

After executing the action, we see our Action Result variable now contains user account objects with accessMode information. Additionally, the log for the action run also lists the user accounts and the accessMode value.

Screenshot of the VMware Aria Automation Orchestrator Action Results showing VMware ESXi local user account objects

Screenshot of the VMware Aria Automation Orchestrator Action log listing VMware ESXi local user account objects
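The array returned by getUsers is also the natural input for an access review. The following is an added example, not code from the original post: it audits entries of the shape the action logs ({ principal, accessMode: { value } }) against an expected list of administrators, flagging unexpected accessAdmin principals and any accessOther (custom role) assignment. The sample entries and the baseline list are constructed assumptions; in Orchestrator you would pass the result of retrieveHostAccessControlEntries() instead.

```javascript
// Added example: audit ESXi host access control entries against a baseline.
// Entry shape mirrors what the getUsers action logs:
//   { principal: "root", accessMode: { value: "accessAdmin" } }
// HostAccessMode values come from the vSphere API enum.
const ADMIN = "accessAdmin";
const OTHER = "accessOther"; // custom (non-built-in) role granted on the host

function auditHostAccess(entries, expectedAdmins) {
  const findings = [];
  const seenAdmins = new Set();
  for (const entry of entries) {
    const mode = entry.accessMode && entry.accessMode.value;
    if (mode === ADMIN) {
      seenAdmins.add(entry.principal);
      if (!expectedAdmins.includes(entry.principal)) {
        findings.push({ principal: entry.principal, issue: "unexpected admin access" });
      }
    } else if (mode === OTHER) {
      findings.push({ principal: entry.principal, issue: "custom role; review assigned permissions" });
    }
  }
  // A baseline admin that has disappeared is worth a finding too.
  for (const admin of expectedAdmins) {
    if (!seenAdmins.has(admin)) {
      findings.push({ principal: admin, issue: "expected admin missing" });
    }
  }
  return findings;
}

// Constructed sample resembling retrieveHostAccessControlEntries() output.
// "MyUser" is the account created later in this walkthrough.
const sampleEntries = [
  { principal: "root", accessMode: { value: "accessAdmin" } },
  { principal: "dcui", accessMode: { value: "accessAdmin" } },
  { principal: "vpxuser", accessMode: { value: "accessAdmin" } },
  { principal: "MyUser", accessMode: { value: "accessAdmin" } },
  { principal: "auditor", accessMode: { value: "accessReadOnly" } },
  { principal: "backupsvc", accessMode: { value: "accessOther" } },
];

// Assumed baseline: the built-in ESXi administrator principals only.
function runSampleAudit() {
  return auditHostAccess(sampleEntries, ["root", "dcui", "vpxuser"]);
}
```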

Creating a New Local User Account

Our next goal is to create a new local user account for a provided VMware ESXi host. To accomplish this, we create a new VMware Aria Automation Orchestrator action called createUser. This new action has five inputs:

  • host – VcHostSystem – The VMware ESXi host where the user account will be created.
  • id – string – The username for the new user account.
  • password – SecureString – The password for the new user account.
  • description – string – The description for the new user account.
  • shellAccess – boolean – Whether or not the user account should be provided with shell access on the VMware ESXi host. This only applies to VMware ESXi 8.0 or greater.

The action creates a new object called posixAccountSpec of type VcHostPosixAccountSpec. Next, we assign our input values to the corresponding properties of the posixAccountSpec object, log the non-secret values used to create the account, and then call the createUser method of the VcHostLocalAccountManager to create the new user account. If successful, the method returns nothing. If unsuccessful, the method throws an error and the action run fails. The final code looks like this:

// Build the account specification from the action inputs.
var posixAccountSpec = new VcHostPosixAccountSpec();
posixAccountSpec.id = id;
posixAccountSpec.password = password;
posixAccountSpec.description = description;
posixAccountSpec.shellAccess = shellAccess;  // only honored on ESXi 8.0 or later
// Log the non-secret values only; the password is never written to the log.
System.log("Creating a new user with an ID of " + id + ", a description of '" + description + "' and shell access set to " + shellAccess);
// Returns nothing on success; throws if the account cannot be created.
host.configManager.accountManager.createUser(posixAccountSpec);

Screenshot of the createUser action in Aria Automation Orchestrator

The following screenshots show an example run of the action to create a new user account called MyUser. Notice that there was no return, and only our log entry was generated.

Screenshot of the VMware Aria Automation Orchestrator Action Results showing the creation of a new user account

Screenshot of the VMware Aria Automation Orchestrator log listing the details of the local user account being created

Updating a Local User Account

The process of updating a local user account on VMware ESXi using VMware Aria Automation Orchestrator is similar to the method used to create the user account. The biggest difference is that we must check whether new values were provided and pass only those values to be updated. Any non-null value we set on the spec is applied to the account, so passing an empty string would overwrite that field with an empty string. The easiest way to get started is to clone our VMware Aria Automation Orchestrator createUser action and call the new action updateUser. Edit the newly created action and add an additional input called updateShellAccess with the type Boolean. This new input lets us flag whether or not we wish to update the shellAccess option (a plain boolean input cannot distinguish "set to false" from "leave unchanged"). Now, our code must be modified to check each input for null or empty strings. The following code accomplishes our goal:

var posixAccountSpec = new VcHostPosixAccountSpec();
posixAccountSpec.id = id;
// Only set the properties we intend to change; anything left unset is not touched.
if (!(password == null || password.trim() == ""))
{
    System.log("Updating the password for user '" + id + "' on host " + host.name);
    posixAccountSpec.password = password;
}
if (!(description == null || description.trim() == ""))
{
    System.log("Updating description for user '" + id + "' to '" + description + "' on host " + host.name);
    posixAccountSpec.description = description;
}
// shellAccess is a boolean, so a separate flag tells us whether to update it at all.
if (updateShellAccess)
{
    System.log("Updating shell access for user '" + id + "' to " + shellAccess + " on host " + host.name);
    posixAccountSpec.shellAccess = shellAccess;
}
host.configManager.accountManager.updateUser(posixAccountSpec);

The above code checks each value for null or empty strings. These checks allow us to test the code from the UI, as the UI provides empty strings when no data is entered. One limitation this creates is that the code cannot update a user's description to an empty string, which you might want. If you only execute this code from other code, you can remove the || description.trim() == "" check so that the description field is ignored only when you explicitly pass a null value. Additionally, the code above writes each value to the log as it is updated.
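To make the null-versus-empty-string rules testable outside Orchestrator, here is an added example (not code from the original post) that builds the update spec as a plain object and records which fields the action would log. The allowEmptyDescription option is an assumption that models the relaxed check described above for callers that pass null when they mean "skip".

```javascript
// Added example: decide which account fields an update should touch,
// using the same null/empty-string rules as the updateUser action.
function isBlank(value) {
  return value == null || String(value).trim() === "";
}

// Returns { spec, changes }: spec stands in for VcHostPosixAccountSpec and
// contains only the fields to update; changes lists what would be logged.
function buildUpdateSpec(id, password, description, updateShellAccess, shellAccess, options) {
  const opts = options || {};
  const spec = { id: id };
  const changes = [];

  // A blank password means "do not change it"; the value itself is never logged.
  if (!isBlank(password)) {
    spec.password = password;
    changes.push("password");
  }

  // UI runs send "" for untouched fields, so "" means "no change" by default.
  // With allowEmptyDescription (assumed option) only an explicit null is skipped,
  // which lets programmatic callers clear the description.
  const skipDescription = opts.allowEmptyDescription ? description == null : isBlank(description);
  if (!skipDescription) {
    spec.description = description;
    changes.push("description");
  }

  // shellAccess is a boolean, so a separate flag says whether to touch it;
  // this is what lets "set shell access to false" be expressed at all.
  if (updateShellAccess) {
    spec.shellAccess = Boolean(shellAccess);
    changes.push("shellAccess");
  }
  return { spec: spec, changes: changes };
}

// Constructed UI-style call: all text inputs left blank, shell access untouched.
function sampleNoOpUpdate() {
  return buildUpdateSpec("MyUser", "", "", false, false);
}
```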

Screenshot of the updateUser action in VMware Aria Automation Orchestrator

Screenshot of the updateUser action’s log messages in VMware Aria Automation Orchestrator after execution

Deleting a Local User Account

Deleting a local user account from a VMware ESXi host using VMware Aria Automation Orchestrator is easy. The only inputs required are the host from which we will delete the user account and the id of the user account to delete. The code for this action consists of a single line:

host.configManager.accountManager.removeUser(id);

Screenshot of the removeUser action in VMware Aria Automation Orchestrator

The action will provide no return value or log entries if successful. You will receive an error message along with a failed execution if the action encounters an error, as shown below:

Screenshot of the removeUser action in Aria Automation Orchestrator generating a failed run due to a missing user account

Conclusion

As you can see, creating the VMware Aria Automation Orchestrator actions for managing local user accounts on VMware ESXi hosts is quite simple. These actions are building blocks you can use in a standalone fashion or integrate into more complex workflows, such as updating the root user account password on all VMware ESXi hosts within a cluster or a VMware vCenter Server. Additionally, you can create and expose workflows to the VMware vSphere Client to allow your operations teams to create, update, or delete users as well as execute password updates quickly. For more information on adding VMware Aria Automation Orchestrator workflows to the VMware vSphere Client, check out my blog post, Getting Started with the Aria Automation Orchestrator Plug-in for the vSphere Client.

The code shown in this post, as well as example workflows, can be downloaded as a VMware Aria Automation Orchestrator package from the Downloads page or directly from here: com.stevenbright.vcenter.hostsystem.accounts.zip.
