The problem with check_esxi_hardware and a read-only or non administrator role user (not root) is due to a PAM feature or bug in ESXi 5.1 and later depending on your point of view.
Any user that is created and assigned to any role other than the administrator role is set to denied ALL in /etc/security/access.conf. Even if you clone the administrator role and assign the user you create to this clone role it will be set to denied ALL in /etc/security/access.conf.
I have created a user "nagios" on an ESXi 5.5 host locally (not through vCenter) and assigned it to the "Read Only Role" under the permissions tab. By default its permissions in access.conf are "-:nagios:ALL"
If I ssh to the ESXi host and edit /etc/security/access.conf and change the nagios user permissions to "+:nagios:sfcb" or "+:nagios:ALL" then check_esxi_hardware works.
Using "+:nagios:sfcb" restricts the user "nagios" so it can only access the CIM Service.
The problem you now encounter is changes to /etc/security/access.conf aren't persistent across reboots.
This is a thread in the VMware communities discussing this problem:
https://communities.vmware.com/thread/464552?start=15&tstart=0
This is a very good article discussing the same problem using wbem:
https://alpacapowered.wordpress.com/2013/09/27/configuring-and-securing-local-esxi-users-for-hardware-monitoring-via-wbem/
These are two blogs discussing making changes persistent over reboots in ESXi:
www.therefinedgeek.com.au/index.php/2012/02/01/enabling-ssh-access-in-esxi-5-0-for-non-root-users/
www.virtuallyghetto.com/2011/08/how-to-persist-configuration-changes-in.html
I can't make the last two links hyperlinks as this is my first post to serverfault and until you have 10 reputation points you can only put two links in an answer (which is fair).
I haven't decided which solution I will use to make the this persistent across reboots. I am still testing.
Thanks