When upgrading to vCenter Server 8x the lookup service fails to start causing the upgrade itself to fail

The lookup service prestart log will contain similar to the following (var/log/vmware/lookupsvc/prestart.log):

INFO:__main__:Executing lookupsvc prestart script
INFO:__main__:Failure granting permissions to lookupsvc VCDB role. stdout :  | error : 2025-09-13 08:33:66,653 ERROR : during Generation of the diff: Invalid identifier: "Example_DB_Role"

vCenter Server 8x

This occurs when there has been a custom role created on the vCenter Database with an unsupported format.

Supported format for database role name is [A-Za-z0-9_] (alphanumeric and underscore). Any other special characters in the name is not supported and can cause this issue.

Note: Creating custom roles in the vCenter database is not recommended.

Additional information:

• Even though the db role name in this example; "Example_DB_Role"  - looks supported, this issue can still occur due to the way upper case characters are handled.

To resolve the issue, we have either drop the role or rename it to a supported format.
 

• Connect to the vCenter database using the below command:

 /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres
 

•  List the database roles using below command 

 \du
 
Note: Here we should see the custom database role which was causing the issue.
 

• Drop the role from the database using below command:

DROP ROLE "Example_DB_Role";

Note: If the role has privileges on the database, then the drop role command will not succeed. To drop the role we need to remove all the privileges associated with the role.

• There are some third party solutions (sas, movere) which are configured with read only access to the vCenter database. During their configuration, the following commands are used for creating the custom roles

CREATE ROLE "Example_DB_Role" login password 'my_password';
GRANT CONNECT ON DATABASE "VCDB" TO "Example_DB_Role";
GRANT USAGE ON SCHEMA vc TO "Example_DB_Role";
GRANT SELECT ON ALL TABLES IN SCHEMA vc TO "Example_DB_Role"
 

• In this case, to execute the below commands to drop the role

REVOKE SELECT ON ALL TABLES IN SCHEMA vc FROM "Example_DB_Role";
REVOKE USAGE ON SCHEMA vc FROM "Example_DB_Role";
REVOKE CONNECT ON DATABASE "VCDB" FROM "Example_DB_Role";
DROP ROLE "Example_DB_Role";

Note: The db role name can be different

• If dropping the role is not an option, we can rename the role to a supported format using the below command:

ALTER ROLE "Example_DB_Role" RENAME TO "exampledbrole";

Note: After renaming the role customer has to update their solution with the new name.