Provides secure access to VMware vCenter 8.0+ operations, including VM lifecycle management (power operations, resource modification, deletion), snapshot operations (create, list, delete), and inventory discovery (hosts, datastores, networks, datacenters, resource utilization). Features RBAC authorization, audit logging, and rate limiting for multi-tenant environments.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g.,@vSphere-MCP-Pro what is the weather in Tokyo?
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
You can also use deployed servers via HTTP endpoints. For instructions, see How to Test MCP Streamable HTTP Endpoints Using cURL.
vSphere-MCP-Pro
A secure, feature-rich Model Context Protocol (MCP) server for VMware vCenter 8.0+.
Exposes controlled vCenter operations via MCP tools including VM lifecycle management, snapshot operations, datastore/host discovery, and more—with audit logging, RBAC authorization, session pooling, and rate limiting.
Table of Contents
Overview
vsphere-mcp-pro is an MCP server designed for VMware vCenter 8.0+ environments.
It provides:
Safe, structured access to vCenter operations
Strict authorization via roles → allowed tools
Snapshot + VM lifecycle operations
Auditing and rate limiting for secure multi-tenant use
Support for both
/api(preferred) and/restvCenter endpointsOptional host allow-listing to prevent accidental cross-cluster operations
Connection pooling to prevent vCenter session exhaustion
The server runs using FastMCP and automatically wraps every tool operation with:
Token-based RBAC (
Authorizer)Token bucket rate limiting
JSONL audit logging
Confirmation requirement for destructive operations
Proper error handling with detailed vCenter error context
Key Features
✔ Secure by design
SSL verification enabled by default
Optional CA bundle support
Allowed-host enforcement prevents unauthorized vCenter targets
✔ Strong authorization model
Token → role mapping
Role → allowed-tools mapping
Enforced unless explicitly disabled
Destructive operations require
confirm=True
✔ Operationally robust
Automatic retry logic for vCenter API calls (
Retry + HTTPAdapter)Session auto-renewal on 401
Connection pooling with automatic cleanup
Proper session logout on shutdown
Extensive logging for auditing and observability
Rich error messages with vCenter error context
✔ High performance
Thread-safe vCenter session pooling (one session per host)
Eliminates per-request authentication overhead
MCP server built with
uvicorn
Architecture
Key modules:
server.pyBuilds the MCP server, registers all tools, injects authorization, rate-limiting, session pool, and auditing wrappers.vsphere_client.pyHandles retries, authentication, session pooling, and REST/API mode switching for VMware vCenter. Includes:VsphereClient- Thread-safe vCenter REST API clientVsphereClientPool- Connection pool with automatic cleanupVsphereApiError- Rich exception class for API errors
authz.pyImplements:Token → role resolution
Role → tool gating
Token bucket rate limiting
audit.pyWrites JSON-lines logs for every operation.config.pyLoads environment variables into a typedAppConfigusingpydantic.
Directory Structure
Installation
Prerequisites
Python 3.10+
VMware vCenter 8.0+
Valid API credentials
Install from source
Configuration
Configuration is environment-driven. Copy the example file:
Required Environment Variables
Variable | Description |
| vCenter hostname/IP |
| vCenter username |
| vCenter password |
| JSON map of role → allowed tools |
| JSON map of token → role |
| Optional allowlist for multi-host deployments |
Optional Environment Variables
Variable | Default | Description |
|
| API mode: |
|
| Disable SSL verification |
| Path to custom CA bundle | |
|
| Request timeout in seconds |
|
| Number of retry attempts |
|
| Retry backoff factor |
|
| Server bind address |
|
| Server port |
|
| MCP endpoint path |
| Audit log file (blank = stdout) | |
|
| Enforce RBAC |
|
| Enable rate limiting |
|
| Requests per second |
|
| Burst allowance |
Example Configuration
Running the Server
Local execution
Server defaults (override via env vars):
Host:
0.0.0.0Port:
8000MCP path:
/mcp
Available Tools / API
Below is a categorized summary of available MCP tools exposed by the server.
VM Discovery
Tool | Description |
| List all VMs |
| Get VM details by ID |
Inventory Discovery
Tool | Description |
| List ESXi hosts |
| List datastores |
| List networks |
| List datacenters |
| Get datastore capacity/usage |
| Summary of all resources |
Power Operations
Tool | Description |
| Power on a VM |
| Power off a VM |
| Restart a VM |
Snapshot Operations
Tool | Description |
| List snapshots for a VM |
| Create a snapshot |
| Delete a snapshot (requires confirm) |
Destructive Operations (require confirm=True)
Tool | Description |
| Permanently delete a VM |
| Delete a snapshot |
| Modify CPU/memory (requires power off) |
Error Handling
The server provides rich error context via the VsphereApiError exception:
Error responses include:
HTTP status code
API path
vCenter error type (e.g.,
NOT_FOUND,ALREADY_EXISTS)Human-readable error messages from vCenter
The exception provides convenience properties:
is_not_found- 404 or NOT_FOUND erroris_unauthorized- 401 erroris_forbidden- 403 erroris_conflict- 409 error
Audit Logging
Every MCP tool call is logged as a JSON line containing:
Tool name
Execution status (ok/error)
Duration (ms)
Sanitized arguments (passwords & tokens masked)
Error message (if any)
Role + host context
Logs write to stdout by default, or to AUDIT_LOG_PATH if configured.
Rate Limiting
Uses a token-bucket strategy:
Configurable
RATE_LIMIT_RPSandRATE_LIMIT_BURSTSeparate buckets per token
Disabled by setting
RATE_LIMIT=false
Security Model
Mechanism | Purpose |
SSL verification | Prevent MITM attacks |
Allowed-host list | Prevent unauthorized target selection |
Role → tool mapping | Enforce least-privilege principle |
Token authentication | Multi-tenant safe access |
Required confirmations | Prevent accidental destructive operations |
Rate limiting | Protects vCenter and MCP server |
Session pooling | Prevents vCenter session exhaustion |
Development
Install dev deps
Run with autoreload
Docker Usage
Build
Run
Troubleshooting
"login failed: HTTP 401"
Verify vCenter username/password
Ensure correct API mode (
VSPHERE_API_MODE=api|rest)
"Hostname not in allowed set"
Add the hostname to
ALLOWED_VCENTER_HOSTS
Rate limit errors
Increase
RATE_LIMIT_BURSTAdjust per-token usage
SSL certificate issues
Set
VCENTER_CA_BUNDLEto your CA bundle pathOr disable SSL verification (not recommended):
INSECURE=true
VsphereApiError exceptions
Check the error message for vCenter-specific details
Use
error.is_not_found,error.is_forbidden, etc. for programmatic handlingVerify the VM/resource ID exists
Changelog
See CHANGELOG.md for version history and changes.
License
This project is licensed under the MIT License. See LICENSE for details.