vcfops_fleet_passwords

VCF Operations — fleet password management (VCF 9.x).

The VCF Operations 9.1 suite-api exposes a fleet-wide password manager at /suite-api/api/fleet-management/password-management. Each managed password account (vCenter root, NSX admin, ESXi root, SSO admin, …) is identified by an opaque passwordAccountKey; query results include expiration metadata (expiryDate as a unix-millisecond timestamp, status: ACTIVE / EXPIRING / EXPIRED / UNKNOWN).

Endpoints used here (all on the VCF Operations host):

  • POST   /suite-api/api/fleet-management/password-management/accounts/query — paginated list, with optional appliance / applianceFqdn / status / username / vcfDomainId filters; query params page, pageSize, sortBy, sortOrder.

  • PUT    /suite-api/api/fleet-management/password-management/accounts/{passwordAccountKey}/password — set a new password; returns a WorkflowRequest describing the async credential-rotation job VCF Operations kicked off.

Auth is the same VCF Operations bearer-token surface used by every other vcfops_* client (see saltext.vcf.utils.vcfops).

This module is the recommended way to administer fleet passwords on VCF 9.x; saltext.vcf.clients.fleet_password (SDDC Manager-backed) is retained for older deployments but the SDDC password surface is being deprecated.

saltext.vcf.clients.vcfops_fleet_passwords.query_accounts(opts, *, appliance=None, appliance_fqdn=None, status=None, username=None, vcf_domain_id=None, page=0, page_size=10, sort_by=None, sort_order=None, profile=None)

Raw paginated search; returns the unmodified VcfPasswordAccountsResponse.

Most callers want list_() (walks pagination, enriches with expiryDateIso); this is the low-level handle for clients that need fine-grained control over paging.

saltext.vcf.clients.vcfops_fleet_passwords.list_(opts, *, profile=None, page_size=100, **filters)

List every managed password account.

Walks pagination and returns {"accounts": [...], "totalCount": N}. Each account dict is enriched with expiryDateIso (the ISO-8601 rendering of expiryDate in UTC, or None when the account never expires).

filters accepts the same keyword filters as query_accounts() (appliance, appliance_fqdn, status, username, vcf_domain_id).

saltext.vcf.clients.vcfops_fleet_passwords.get_account(opts, password_account_key, profile=None)

Return the single account record matching password_account_key, or None if no account with that key is currently registered.

saltext.vcf.clients.vcfops_fleet_passwords.check_expiry(opts, *, threshold_days=90, profile=None, **filters)

Categorize accounts into ok / expiring / noExpiry buckets.

threshold_days — accounts whose expiryDate is within this many days of “now” land in expiring (including already-expired accounts, which have a negative daysUntilExpiry). Default 90.

Returns:

{
    "ok": [...],            # daysUntilExpiry > threshold_days
    "expiring": [...],      # 0 ... threshold_days (and <0 if expired)
    "noExpiry": [...],      # expiryDate == 0 (e.g. admin accounts)
    "okCount": int,
    "expiringCount": int,
    "noExpiryCount": int,
    "totalCount": int,
    "expiryThresholdDays": threshold_days,
}

Each ok / expiring account is augmented with daysUntilExpiry (float, rounded to 1 decimal). noExpiry entries are returned as-is.

filters accepts the same keyword filters as list_(), so callers can scope the check to a single appliance / fqdn / domain.
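
The bucketing rules described for check_expiry(), re-implemented as a stand-alone added example (not the saltext.vcf source) over constructed account records. bucket_accounts, expiry_iso, the now_ms parameter and the sample keys are hypothetical names; treating a missing expiryDate like 0 and comparing the rounded day count against the threshold are assumptions.

```python
from datetime import datetime, timezone

MS_PER_DAY = 86_400_000


def expiry_iso(expiry_ms):
    """ISO-8601 UTC rendering of a unix-millisecond expiryDate; None for 0."""
    if not expiry_ms:
        return None
    return datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc).isoformat()


def bucket_accounts(accounts, threshold_days=90, now_ms=None):
    """Split account dicts into ok / expiring / noExpiry as documented above."""
    if now_ms is None:
        now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    ok, expiring, no_expiry = [], [], []
    for acct in accounts:
        expiry_ms = acct.get("expiryDate") or 0  # assumption: missing == 0
        if expiry_ms == 0:
            no_expiry.append(acct)  # never expires; returned as-is
            continue
        days = round((expiry_ms - now_ms) / MS_PER_DAY, 1)  # negative if expired
        enriched = {**acct, "daysUntilExpiry": days,
                    "expiryDateIso": expiry_iso(expiry_ms)}
        (ok if days > threshold_days else expiring).append(enriched)
    return {
        "ok": ok, "expiring": expiring, "noExpiry": no_expiry,
        "okCount": len(ok), "expiringCount": len(expiring),
        "noExpiryCount": len(no_expiry), "totalCount": len(accounts),
        "expiryThresholdDays": threshold_days,
    }


# Constructed sample records (not real output); NOW_MS pins "now" for repeatability.
NOW_MS = 1_700_000_000_000  # 2023-11-14T22:13:20Z
SAMPLE = [
    {"passwordAccountKey": "key-a", "username": "root", "expiryDate": NOW_MS + 200 * MS_PER_DAY},
    {"passwordAccountKey": "key-b", "username": "admin", "expiryDate": NOW_MS + 45 * MS_PER_DAY + MS_PER_DAY // 2},
    {"passwordAccountKey": "key-c", "username": "root", "expiryDate": NOW_MS - 3 * MS_PER_DAY},
    {"passwordAccountKey": "key-d", "username": "admin", "expiryDate": 0},
]

if __name__ == "__main__":
    report = bucket_accounts(SAMPLE, threshold_days=90, now_ms=NOW_MS)
    for acct in report["expiring"]:
        print(acct["passwordAccountKey"], acct["daysUntilExpiry"], acct["expiryDateIso"])
```

An account expiring exactly threshold_days from now lands in expiring, not ok, because ok requires daysUntilExpiry strictly greater than the threshold.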

saltext.vcf.clients.vcfops_fleet_passwords.update(opts, password_account_key, current_password, new_password, username=None, profile=None)

Update the password for password_account_key.

Returns the WorkflowRequest dict describing the async rotation job VCF Operations enqueued (requestId, state, duration, errorCause, …). The actual rotation may take minutes; poll the requestId via the workflow API if you need to wait for completion.