{"id":2038,"date":"2024-08-07T13:51:26","date_gmt":"2024-08-07T17:51:26","guid":{"rendered":"https:\/\/enterpriseadmins.org\/blog\/?p=2038"},"modified":"2024-08-07T13:55:37","modified_gmt":"2024-08-07T17:55:37","slug":"powercli-13-3-scheduled-snapshot-removal-and-privilege-report","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/scripting\/powercli-13-3-scheduled-snapshot-removal-and-privilege-report\/","title":{"rendered":"PowerCLI 13.3, Scheduled Snapshot Removal, and Privilege Report"},"content":{"rendered":"\n

PowerCLI 13.3 was recently released (https:\/\/blogs.vmware.com\/PowerCLI\/2024\/07\/introducing-powercli-13-3.html<\/a>). This release has a handful of really good features that we’ll explore below.<\/p>\n\n\n\n

vSphere modules updated to vSphere 8.0U3<\/h2>\n\n\n\n

The vSphere modules in PowerCLI 13.3 have been updated to support vSphere 8.0U3 features. One of the 8.0U3 features I was interested in automating was the scheduled deletion of a virtual machine snapshot. In the vCenter Server UI > Developer Tools > Code capture could show us the code needed to schedule this new feature, for example:<\/p>\n\n\n\n

$entity = New-Object VMware.Vim.ManagedObjectReference\n$entity.Type = 'VirtualMachine'\n$entity.Value = 'vm-39'\n$spec = New-Object VMware.Vim.ScheduledTaskSpec\n$spec.Scheduler = New-Object VMware.Vim.HourlyTaskScheduler\n$spec.Scheduler.ActiveTime = [System.DateTime]::Parse('08\/07\/2024 17:02:00')\n$spec.Scheduler.Interval = 1\n$spec.Scheduler.Minute = 2\n$spec.Notification = 'bwuchner@example.com'\n$spec.Name = 'test-tc-09 - Hourly delete snapshot schedule'\n$spec.Action = New-Object VMware.Vim.MethodAction\n$spec.Action.Argument = New-Object VMware.Vim.MethodActionArgument[] (2)\n$spec.Action.Argument[0] = New-Object VMware.Vim.MethodActionArgument\n$spec.Action.Argument[1] = New-Object VMware.Vim.MethodActionArgument\n$spec.Action.Argument[1].Value = New-Object VMware.Vim.SnapshotSelectionSpec\n$spec.Action.Argument[1].Value.RetentionDays = 3\n$spec.Action.Name = 'RemoveAllSnapshots_Task'\n$spec.Description = ''\n$spec.Enabled = $true\n$_this = Get-View -Id 'ScheduledTaskManager-ScheduledTaskManager'\n$_this.CreateScheduledTask($entity, $spec)<\/code><\/pre>\n\n\n\n
However, running the above with prior versions of PowerCLI (ie 13.2 or earlier) resulted in the following errors:<\/p>\n\n\n\n
New-Object : Cannot find type [VMware.Vim.SnapshotSelectionSpec]: verify that the assembly containing this type is\nloaded.\nAt line:1 char:34\n+ ... ction.Argument[1].Value = New-Object VMware.Vim.SnapshotSelectionSpec\n+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException\n    + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand\n\n\nThe property 'RetentionDays' cannot be found on this object. Verify that the property exists and can be set.\nAt line:1 char:1\n+ $spec.Action.Argument[1].Value.RetentionDays = 3\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException\n    + FullyQualifiedErrorId : PropertyNotFound<\/code><\/pre>\n\n\n\n
However, with PowerCLI 13.3 this code works as expected and returns the managed object reference ID of the created schedule:<\/p>\n\n\n\n
Type          Value\n----          -----\nScheduledTask schedule-203<\/code><\/pre>\n\n\n\n
Looking in the vSphere Server UI we can also confirm that the scheduled task exists.<\/p>\n\n\n\n
Get-VIPrivilegeReport<\/h2>\n\n\n\n
William Lam had previously posted about using the List Privilege Check<\/code> API introduced in vSphere 8.0U1.  This API would show the minimum required permissions to do specific actions, which is especially helpful if we want to use a service account with least privilege to run an automated task.  PowerCLI 13.3 introduces the ability to easily call this API for a specific code block.<\/p>\n\n\n\n
As an example, I used the following:<\/p>\n\n\n\n
$pr = Get-VIPrivilegeReport {\n# above code for scheduled deletion of a virtual machine snapshot\n}<\/code><\/pre>\n\n\n\n
This created a $pr<\/code> variable with a privilege report for all the privileges that would be required to schedule such a task.  If we look at the $pr<\/code> variable we’ll see:<\/p>\n\n\n\n
EntityId                 Principal    Privilege                           Server\n--------                 ---------    ---------                           ------\nvim.Folder-group-d1      bwuchner@lab System.Read                         vc3\nvim.Folder-group-d1      bwuchner@lab System.View                         vc3\nvim.VirtualMachine-vm-39 bwuchner@lab ScheduledTask.Create                vc3\nvim.VirtualMachine-vm-39 bwuchner@lab System.Read                         vc3\nvim.VirtualMachine-vm-39 bwuchner@lab VirtualMachine.State.RemoveSnapshot vc3<\/code><\/pre>\n\n\n\n
Using this list, we can see that in addition to the default Read\/View access, our service account will need ScheduledTask.Create<\/code> and VirtualMachine.State.RemoveSnapshot<\/code> privileges in our custom role.  <\/p>\n\n\n\n
Combining code capture, PowerCLI 13.3, and Get-VIPrivilegeReport<\/code> can provide an experience that is much easier than the trial and error approach from the past.<\/p>\n","protected":false},"excerpt":{"rendered":"
PowerCLI 13.3 was recently released (https:\/\/blogs.vmware.com\/PowerCLI\/2024\/07\/introducing-powercli-13-3.html). This release has a handful of really good features that we’ll explore below. vSphere modules updated to vSphere 8.0U3 The vSphere modules in PowerCLI 13.3 have been updated to support vSphere 8.0U3 features. One … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-2038","post","type-post","status-publish","format-standard","hentry","category-scripting","category-virtualization"],"_links":{"self":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/2038","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/comments?post=2038"}],"version-history":[{"count":4,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/2038\/revisions"}],"predecessor-version":[{"id":2042,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/2038\/revisions\/2042"}],"wp:attachment":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/media?parent=2038"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/categories?post=2038"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/tags?post=2038"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}