When a user attempts to deploy a virtual machine from a blueprint that has cloud-init commands in it we then see the following exception as soon as we clone the machine and power it on
Exception
vCenter responded with "Permission to perform this operation was denied"
Logs where the exception is recorded
vRealize Automation logs
provisioning-service-app-xxxxxxx/provisioning-service-app.log
ebs-app-xxxxxxx/ebs-app.log
catalog-service-app-xxxxxxx/catalog-service-app.log
tango-blueprint-service-app-xxxxxxx/tango-blueprint-service-app.log
proxy-service-xxxxxxx/squid-proxy.log
vCenter
vpxd-xxxx.log
Snippets
vCenter
2021-01-06T05:45:16.075Z verbose vpxd[04022] [Originator@6876 sub=Default opID=4d822cb6] [VpxVmomi] Invoking [reconfigure] on [vim.VirtualMachine:vm-748] session [52d723af-ca77-4846-2ffc-943a15ac0d3c(520ecdac-6870-7740-2a98-8ca92a0ed8f6)]
2021-01-06T05:45:16.075Z verbose vpxd[04022] [Originator@6876 sub=Vmomi opID=4d822cb6] Invoke error: vim.VirtualMachine.reconfigure session: 52d723af-ca77-4846-2ffc-943a15ac0d3c Throw: vim.fault.NoPermission
vRA
2021-01-06T05:45:16.059Z [priority='INFO' thread='vsphere-io-70' user='' org='' context='' parent='' token=''] c.v.p.c.m.a.vsphere.InstanceClient.log:448 - Customizing after clone, setting cpu count to [2] on VM [VirtualMachine:vm-748].
2021-01-06T05:45:16.060Z [priority='INFO' thread='vsphere-io-70' user='' org='' context='' parent='' token=''] c.v.p.c.m.a.vsphere.InstanceClient.log:448 - Customizing after clone, setting memory in MB to [2048] on VM [VirtualMachine:vm-748].
2021-01-06T05:45:16.067Z [priority='ERROR' thread='vsphere-io-70' user='' org='' context='' parent='' token=''] c.v.p.c.m.a.v.u.c.SOAPMessageHandler.logMessage:113 - Fault received from vCenter : <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENV="http://
schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header/><soapenv:Body>
<soapenv:Fault><faultcode>ServerFaultCode</faultcode><faultstring>Permission to perform this operation was denied.</faultstring><detail><NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission"><object type="VirtualMachine">vm-748</object><privilegeId>VApp.ApplicationConfig</privileg
eId></NoPermissionFault></detail></soapenv:Fault>
</soapenv:Body></soapenv:Envelope>
After a little bit of research found that the following permission was missing adding this specific permission to the user account which is doing this task did help in resolving this problem
vApp.vApp application configuration: Allows modification of a vApp's internal structure, such as product information and properties.
If you look at the vRA log snippet in detail it clearly tells you that what permission is needed in order to fix this issue.
<privilegeId>VApp.ApplicationConfig</privileg
eId></NoPermissionFault>
For more information on permissions or privileges refer to doco:
Comments