Running vecs-cli with a custom local account results in failure with ERROR_ACCESS_DENIED
Article ID: 430126

Products

VMware vCenter Server

Issue/Introduction

When running the vecs-cli command to delete an expired CSR as a custom user account that has been assigned the superAdmin role, the command fails with ERROR_ACCESS_DENIED:

<User name>@<VC hostname> [ ~ ]$ /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR -y
vecs-cli failed. Error 5: Possible errors:
LDAP error: Compare False
Win Error: Operation failed with error ERROR_ACCESS_DENIED (5)


Environment

VMware vCenter Server

Cause

This happens because the local user account running the command has not been granted access permissions on the MACHINE_SSL_CERT store. VECS store permissions are granted per local user and are independent of the vSphere role (such as superAdmin) assigned to the account.

You can see the current permission settings for the store with the vecs-cli store get-permissions command:

# /usr/lib/vmware-vmafd/bin/vecs-cli store get-permissions --name MACHINE_SSL_CERT
PERMISSIONS FOR STORE: [MACHINE_SSL_CERT]
OWNER : root
USER            ACCESS
vlcm    read
updatemgr       read
vsphere-ui      read
vpxd    read
vpostgres       read
vsm     read
vsan-health     read
lighttpd        read
rhttpproxy      write

Resolution

To add read/write permission for the user account, use the vecs-cli store permission command.

Example:
# /usr/lib/vmware-vmafd/bin/vecs-cli store permission --name MACHINE_SSL_CERT --user <User name> --grant write
Permissions for store [MACHINE_SSL_CERT] set  successfully
#
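As an added example (not part of this article or of vecs-cli), the script below parses the get-permissions output in the format shown above and reports whether a given local user has enough access on the store before an entry delete is attempted. It assumes, as the Resolution implies, that deleting an entry requires write access or store ownership; the sample output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: check a local user's access on a VECS store by parsing the
# output of `vecs-cli store get-permissions --name <store>` (format as in the KB).

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# Constructed sample output (not captured from a live system).
SAMPLE_PERMS='PERMISSIONS FOR STORE: [MACHINE_SSL_CERT]
OWNER : root
USER            ACCESS
vlcm    read
updatemgr       read
rhttpproxy      write'

# vecs_access <user> <permissions-output>
# Prints "owner", "write", "read" or "none" for the given local user.
vecs_access() {
  user=$1
  perms=$2
  # The OWNER line looks like "OWNER : root"; strip the label and whitespace.
  owner=$(printf '%s\n' "$perms" | awk -F':' '/^OWNER[[:space:]]*:/ { gsub(/[[:space:]]/, "", $2); print $2 }')
  if [ "$owner" = "$user" ]; then
    echo owner
    return 0
  fi
  # Skip the header lines; remaining lines are whitespace-separated "USER ACCESS".
  acl=$(printf '%s\n' "$perms" | awk -v u="$user" '
    /^PERMISSIONS FOR STORE/ || /^OWNER/ || /^USER[[:space:]]+ACCESS/ { next }
    $1 == u { print $2; exit }')
  echo "${acl:-none}"
}

# vecs_can_delete <user> <permissions-output>
# Assumption (from the Resolution): deleting an entry needs write access or ownership.
vecs_can_delete() {
  case "$(vecs_access "$1" "$2")" in
    owner|write) return 0 ;;
    *) return 1 ;;
  esac
}

# Live use on a vCenter appliance (requires vecs-cli):
#   perms=$("$VECS_CLI" store get-permissions --name MACHINE_SSL_CERT)
#   vecs_can_delete "$(id -un)" "$perms" || echo "grant write on the store first"
```

Running the pre-check as the account that will perform the delete avoids the opaque "Error 5" and tells you directly which store permission is missing.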

Additional Information

vecs-cli Command Reference