Quick Tip – Accessing the VM Console for VMs deployed using vSphere with Tanzu VM Service

 by 

One constraint of the new vSphere with Tanzu VM Service, which was introduced in vSphere 7.0 Update 2a is that the VM Console of the deployed VM is not accessible by end users including vSphere Administrators.


When things are working fine, this is generally not needed but when something goes wrong such as debugging or troubleshooting guest customization or networking issues, then having access to the VM Console is a must! In speaking with the VM Service PM, this is already being tracked in their backlog and hopefully we will have a solution for this in the future.

For now, there is a quick workaround which I have personally used it myself while deploying Nested ESXi VMs using the VM Service. Since this question has come up a few times now, I wanted to document the specific instructions and make it easy for anyone who may have a need for this. 100% Credit goes to Florian Grehl who shared this solution on his blog but on a completely unrelated topic.

UPDATE (05/20/21) – Florian also shared via Twitter, another and quicker way to access the VM Console is if you have direct ESXi host access, you can access the VM Console that way as well. I am usually logged into vCenter Server anyhow, so I prefer method outlined below.

Step 1 – SSH to the VCSA and run the following snippet which will automatically retrieve the root password for the Supervisor Cluster, print that out to console and then initiate SSH session to one of the Supervisor Cluster Nodes. This is needed because we need to login to the Supervisor Cluster to retrieve the credentials for an account that can login to the vSphere UI and open the VM Console.

SV_DECRYPT_OUTPUT=$(/usr/lib/vmware-wcp/decryptK8Pwd.py)
SV_CLUSTER_IP=$(echo ${SV_DECRYPT_OUTPUT} | awk -F ‘IP: ‘ ‘{print $2}’ | awk ‘{print $1}’)
SV_CLUSTER_ROOT_PASSWORD=$(echo ${SV_DECRYPT_OUTPUT} | awk -F ‘PWD: ‘ ‘{print $2}’ | awk ‘{print $1}’)
echo -e “\n${SV_CLUSTER_ROOT_PASSWORD}\n”
ssh root@${SV_CLUSTER_IP}


Step 2 – Once logged into the Supervisor Cluster, run the following snippet to retrieve to credentials that can then be used to login to the vSphere UI.

VM_SERVICE_ACCOUNT_USERNAME=$(kubectl get secrets wcp-vmop-sa-vc-auth -n vmware-system-vmop -o jsonpath='{.data.password}’ | base64 -d)
VM_SERVICE_ACCOUNT_PASSWORD=$(kubectl get secrets wcp-vmop-sa-vc-auth -n vmware-system-vmop -o jsonpath='{.data.username}’ |base64 -d)
echo -e “\n${VM_SERVICE_ACCOUNT_PASSWORD}\n${VM_SERVICE_ACCOUNT_USERNAME}\n”


Note: The credentials for this service account is automatically rotated every 12hours. If you need access for longer, you will need to repeat these steps.

Step 3 – Finally, open browser to your vCenter Server and login using the credentials from the previous step and you will now be able to access the VM Console of the VM that was deployed by the VM Service.