Article number: 000004599
Affected Versions: 8.5
Source Hypervisor: GCVE
Target Hypervisor: Azure VMware Solution

Error: “Permission to perform this operation was denied.” when VRA Install / Upgrade Fails in VMaaS Environment


Summary

In VMaaS environments (GCVE, CloudSimple, OVS), administrators can generally install ZVM 'out of the box' with no additional configuration required. However, when they reach the point of installing the VRAs, the installation can fail because the service account on the ZVM is not assigned to the Administrator role within vCenter.

Root Cause

The VRA install / upgrade failure is caused by the ZVM's service account not having Administrator privileges within vCenter.

Symptoms

When upgrading or installing a VRA in a VMaaS environment with insufficient permissions on the ZVM's service account, administrators may see an error like the following:

Upgrading VRA on host 'esxi-xxx.yyyyyyyy.zz-zzzzzz' from version 8.0 Update 2 Build 080207132 to version 8.5 Build 0850082270. Failed: Permission to perform this operation was denied.

Solution

VMaaS customers must create a new account within vCenter to operate as the ZVM's service account. This is the account that will communicate with vCenter going forward. The ZVM's service account must be assigned to the Administrator role in vCenter. To create a new account within vCenter, users must elevate the permissions of the 'Cloudowner' account within the VMaaS portal. VMaaS users should follow these steps if the error mentioned above is encountered:

  1. Elevate permissions of the Cloudowner account.  This will allow the Cloudowner account to create new users in vCenter.  Regardless of the VMaaS offering, the process for elevation of the Cloudowner account is very similar.

    1. GCVE:  https://cloud.google.com/vmware-engine/docs/private-clouds/howto-elevate-privilege

    2. CloudSimple:  https://docs.microsoft.com/en-us/azure/vmware-cloudsimple/escalate-private-cloud-privileges

  2. After Cloudowner permissions have been elevated, Cloudowner can now create new user accounts in vCenter.  Without elevating permissions, this is not possible.  Create a new user and assign it to the Administrator role in vCenter.

    1. NOTE: Once the new user has been created in vCenter, elevated permissions are no longer required since the account being used for Zerto is an Administrator account.

  3. RDP into the VMaaS ZVM server.

  4. Open the Zerto Diagnostic utility and choose the option 'Reconfigure Zerto Virtual Manager'.

  5. On the first screen of the wizard (vCenter Server Connectivity), specify the newly created account that you have assigned to the Administrator role and provide the password. Click 'Next' until you reach the point where the validations are performed. If the vCenter credentials validation shows 'OK', click 'Run' and wait for the reconfigure to complete.

  6. After the reconfigure is completed, go back into the ZVM GUI of the VMaaS environment and try the install / upgrade of the VRA again.

NOTE: Once the service account is assigned to the Administrator role in vCenter, elevating permissions of the Cloudowner account is NOT required unless you wish to change the service account to something else.

NOTE: Users should NEVER log into vCenter directly with this newly created service account. If they do, GCVE / CloudSimple / OVS will automatically flag the user for removal from the Administrator group.