VCF 9.1 Fleet Management API (3): Automated Password Management

Welcome to the third entry in our VCF 9.1 Fleet Management Blog Series. In our previous posts, we discussed automating certificate lifecycles using both custom and integrated Certificate Authorities. Today, we turn our attention to another foundational security pillar: credential rotation and password management.

Maintaining compliance often dictates regular password updates across your infrastructure. Manually changing passwords for thousands of ESX hosts is operationally impossible and prone to human error. By performing password controls natively through the VCF Operations API, infrastructure teams can programmatically rotate, verify, and track user credentials at scale.

In this blog post, we will walk through the multi-step API workflow to rotate the root password of an individual ESX host. While we are using an individual ESX host’s root account as our practical example, this same API and workflow can be used to manage all VCF components.

The Setup

For this example, we will rotate the root account credentials for a specific ESX.

  • VCF Operations FQDN: flt-ops01a.rainpole.io
  • Target ESXi Host FQDN: sfo01-m01-r01-esx01.sfo.rainpole.io
  • Target Account: root

Step 1: Get the Password Resource Key

Before modifying credentials, you must obtain the unique Resource key mapped to the target account. We query the VCF Operations password management endpoint, filtering by the applianceFqdn, credentialType and account status.

API Request:

curl --request POST \
  --url 'https://flt-ops01a.rainpole.io/suite-api/api/fleet-management/password-management/accounts/query?page=0&pageSize=20' \
  --header 'accept: application/json' \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json' \
  --data '{
    "status": "ACTIVE",
    "applianceFqdn": "sfo01-m01-r01-esx01.sfo.rainpole.io",
    "credentialType": "SSH"
  }'

Key Response Output:

From the JSON return payload, extract the exact passwordAccountKey string:

{
  "vcfPasswordAccounts": [
    {
      "passwordAccountKey": "3ba32dd6-32b9-9f1c-c265-b1a0cc328916",
      "applianceFqdn": "sfo01-m01-r01-esx01.sfo.rainpole.io",
      "userName": "root",
      "status": "ACTIVE",
      "appliance": "ESX",
      "credentialType": "SSH",
      "accountType": "USER"
    }
  ]
}

Step 2: Update the ESXi Host Password

Using the passwordAccountKey retrieved in Step 1, issue a PUT request to update the ESX host password for its root account. Here we must supply both the existing password string and the desired new password string.

Important: To avoid unnecessary task failure, ensure that the new password strictly meets the complexity requirements defined in your VCF password policy before executing the API call.

API Request:

curl --request PUT \
  --url https://flt-ops01a.rainpole.io/suite-api/api/fleet-management/password-management/accounts/3ba32dd6-32b9-9f1c-c265-b1a0cc328916/password \
  --header 'accept: application/json' \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json' \
  --data '{
    "currentPassword": "VMw@re1!",
    "newPassword": "VMware123! VMware123!"
  }'

Response:

The password update is an asynchronous task, so the Password Update API returns a requestId.

{
  "requestId": "2f84f3dc-65c0-4df1-a3dd-a7d2590881e3",
  "requestName": "updatepassword",
  "requestType": "Update Password",
  "state": "INPROGRESS",
  "category": "VCF_PASSWORD_MANAGEMENT"
}

Step 3: Track Status

Extract the requestId to poll the task status.

API Request:

curl --request GET \
  --url https://flt-ops01a.rainpole.io/suite-api/api/workflows/requests/2f84f3dc-65c0-4df1-a3dd-a7d2590881e3 \
  --header 'accept: application/json' \
  --header 'authorization: Bearer {{apiAccessToken}}' \
  --header 'content-type: application/json'

Initial Polling Status:

While the backend processes the update, the task status is INPROGRESS:

{
  "requestId": "2f84f3dc-65c0-4df1-a3dd-a7d2590881e3",
  "state": "INPROGRESS",
  "category": "VCF_PASSWORD_MANAGEMENT"
}

Final Status Check:

Re-poll the endpoint until the state changes to COMPLETED:

{
  "requestId": "2f84f3dc-65c0-4df1-a3dd-a7d2590881e3",
  "state": "COMPLETED",
  "errorCause": [],
  "category": "VCF_PASSWORD_MANAGEMENT"
}
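The three steps above chained into one script, as an added example that is not code from the original post or from VMware. It uses only the Python standard library and the endpoint paths shown in the post. Two points it makes explicit that the curl commands leave implicit: the Step 1 query filters on applianceFqdn and credentialType but not on user name, so the client must pick the root row itself and refuse to proceed if the match is not unique; and the passwords are read from environment variables rather than placed on the command line, where curl's --data would leave them in shell history and process listings. The FAILED state, the polling interval and timeout, and the fake transport used for offline runs are assumptions (the post shows only INPROGRESS and COMPLETED).

```python
"""Rotate an ESX root password through the VCF Operations fleet-management API.

Added example, not the post's own code. Endpoint paths follow the post; the
FAILED terminal state and the fake transport are assumptions for illustration.
"""
import json
import os
import time
import urllib.request

BASE = "https://flt-ops01a.rainpole.io/suite-api/api"
FQDN = "sfo01-m01-r01-esx01.sfo.rainpole.io"
TERMINAL_STATES = {"COMPLETED", "FAILED"}  # FAILED is an assumption; the post shows COMPLETED only


def urllib_transport(method, url, token, body=None):
    """Send one JSON request with the three headers used in the post; return the decoded JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "accept": "application/json",
        "authorization": f"Bearer {token}",
        "content-type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_account_key(transport, token, fqdn, user_name, credential_type="SSH"):
    """Step 1: query ACTIVE accounts on the appliance and select the one whose
    userName matches. The query body has no user-name filter, so the selection
    must happen client-side, and anything other than exactly one match is an error."""
    url = f"{BASE}/fleet-management/password-management/accounts/query?page=0&pageSize=20"
    body = {"status": "ACTIVE", "applianceFqdn": fqdn, "credentialType": credential_type}
    accounts = transport("POST", url, token, body).get("vcfPasswordAccounts", [])
    matches = [a for a in accounts if a.get("userName") == user_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one {user_name} account on {fqdn}, found {len(matches)}")
    return matches[0]["passwordAccountKey"]


def request_password_update(transport, token, account_key, current_pw, new_pw):
    """Step 2: PUT the new password; the API answers immediately with a requestId."""
    url = f"{BASE}/fleet-management/password-management/accounts/{account_key}/password"
    return transport("PUT", url, token, {"currentPassword": current_pw, "newPassword": new_pw})["requestId"]


def wait_for_request(transport, token, request_id, timeout_s=600, interval_s=5, sleep=time.sleep):
    """Step 3: poll the workflow request until it reaches a terminal state or the deadline passes."""
    url = f"{BASE}/workflows/requests/{request_id}"
    deadline = time.monotonic() + timeout_s
    while True:
        status = transport("GET", url, token)
        if status["state"] in TERMINAL_STATES:
            return status
        if time.monotonic() > deadline:
            raise TimeoutError(f"request {request_id} still {status['state']} after {timeout_s}s")
        sleep(interval_s)


def rotate_root_password(transport, token, fqdn, current_pw, new_pw, sleep=time.sleep):
    """Run Steps 1-3 and return the final request status; raise if the task did not complete."""
    key = find_account_key(transport, token, fqdn, "root")
    request_id = request_password_update(transport, token, key, current_pw, new_pw)
    status = wait_for_request(transport, token, request_id, sleep=sleep)
    if status["state"] != "COMPLETED":
        raise RuntimeError(f"rotation did not complete: {status.get('errorCause')}")
    return status


def make_fake_transport(polls_before_complete=2):
    """Constructed stand-in for the API that replays the post's response payloads,
    reporting INPROGRESS for the first few polls and COMPLETED afterwards."""
    calls = {"polls": 0}

    def fake(method, url, token, body=None):
        if url.endswith("/accounts/query?page=0&pageSize=20") and method == "POST":
            return {"vcfPasswordAccounts": [{
                "passwordAccountKey": "3ba32dd6-32b9-9f1c-c265-b1a0cc328916",
                "applianceFqdn": body["applianceFqdn"], "userName": "root", "status": "ACTIVE",
                "appliance": "ESX", "credentialType": "SSH", "accountType": "USER"}]}
        if url.endswith("/password") and method == "PUT":
            return {"requestId": "2f84f3dc-65c0-4df1-a3dd-a7d2590881e3", "state": "INPROGRESS"}
        if "/workflows/requests/" in url and method == "GET":
            calls["polls"] += 1
            done = calls["polls"] > polls_before_complete
            return {"requestId": url.rsplit("/", 1)[1], "state": "COMPLETED" if done else "INPROGRESS",
                    "errorCause": [], "category": "VCF_PASSWORD_MANAGEMENT"}
        raise ValueError(f"unexpected call {method} {url}")
    return fake


if __name__ == "__main__":
    if "VCF_API_TOKEN" in os.environ:
        # Real run: token and passwords come from the environment, not from argv or literals.
        status = rotate_root_password(urllib_transport, os.environ["VCF_API_TOKEN"], FQDN,
                                      os.environ["ESX_CURRENT_PW"], os.environ["ESX_NEW_PW"])
    else:
        # No token configured: exercise the workflow against the constructed fake responses.
        status = rotate_root_password(make_fake_transport(), "demo-token", FQDN, "old", "new",
                                      sleep=lambda _s: None)
    print(status["state"])
```

Run with VCF_API_TOKEN, ESX_CURRENT_PW and ESX_NEW_PW set to rotate the host in the post; without a token it walks the same code path against the replayed payloads. The transport is injected so the same functions can be exercised in CI without touching a live fleet, and the new password is still subject to the policy check the post calls out before Step 2.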

Conclusion

Because VCF Operations standardizes password management, the workflow demonstrated today isn’t limited to ESX hosts; it serves as the universal API blueprint for handling passwords across all VCF components. For environments that use a dedicated Privileged Access Management (PAM) system, these APIs can serve as the baseline integration layer. CyberArk users can leverage the upcoming CyberArk VCF Password Management plugin, built directly on top of these VCF Password Management APIs, to manage, vault, and rotate VCF components’ passwords.

Stay tuned for the next entry in our series, where we continue exploring VCF 9.1 programmatic automation!
