Its usually a bad idea to give full vSphere permissions to any product that you deploy on the platform.

When installing Tanzu Community Edition (TCE) on vSphere, a best practice is to create a dedicated role and service account that TCE can use to interface with vCenter. This limits the "blast radius" caused by any actions that TCE might perform.

1.) Create a user

In vCenter, create a user with a password:

2.) Create a role

In the role privileges, add the following:

Cns

• Searchable

Datastore

• Allocate space

• Browse datastore

• Low level file operations

Global

• Disable methods

• Enable methods

• Licenses

Network

• Assign network

Resource

• Assign virtual machine to resource pool

Sessions

• Message

• Validate session

Profile-driven storage

• Profile-driven storage view

vApp

• Import

Virtual machine

• Change Configuration

• Add existing disk

• Add new disk

• Add or remove device

• Advanced configuration

• Change CPU count

• Change Memory

• Change Settings

• Configure Raw device

• Extend virtual disk

• Modify device settings

• Remove disk

• Toggle disk change tracking

• Edit Inventory

• Create from existing

• Remove

• Interaction

• Power off

• Power on

• Provisioning

• Allow read-only disk access

• Allow virtual machine download

• Deploy template

• Snapshot management

• Create snapshot

• Remove snapshot

3.) Add role VC object

Add the role to the vCenter, Datastore, Network, Resource Pool, Folder, Datacenter and Cluster objects.

Select object, right click and add user and select role:

4.) Add user to TCE

Running this command on the TCE initial installer will start the graphic UI:

tanzu management-cluster create --ui --bind YOUR.JUMPHOST.IP:8080 --browser none

Finally the username and password can be entered into the GUI: