VMware LLC

06/09/2025 | News release | Distributed by Public on 06/09/2025 04:20

Rotating Credentials in VCF using PowerCLI SDK

In the blog post Introducing the Hidden Power of the PowerCLI SDK, we introduced the PowerCLI SDK. In today's post, we'll show you how to use this SDK to automate repetitive tasks within your VMware Cloud Foundation (VCF) environment. Rotating ESXi credentials is one example of such a repetitive task.

Rotating ESXi Credentials

One important step toward securing your datacenter is regularly rotating the credentials of your ESXi hosts. In environments with tens or even hundreds of hosts, doing this manually is both tedious and error-prone.

In this post, we'll walk through a PowerCLI script. This script automates the rotation of ESXi host credentials across your datacenter. It takes just a few minutes.

Identifying Required Cmdlets

To automate this task, we need to identify which cmdlets are required. The PowerCLI SDK makes this easy with the Get-VcfSddcManagerOperation cmdlet.

We're looking to:

  1. Retrieve the list of ESXi hosts
  2. Invoke the credential rotation API
  3. Monitor the task status

Let's start by exploring the available APIs.

PS /> Get-VcfSddcManagerOperation -Path "*/v1/hosts"

This gives us:

Name : CommissionHosts
CommandInfo : Invoke-VcfCommissionHosts

Name : GetHosts
CommandInfo : Invoke-VcfGetHosts

Next:

PS /> Get-VcfSddcManagerOperation -Path "*/v1/credentials"

Relevant output:

Name : UpdateOrRotatePasswords
CommandInfo : Invoke-VcfUpdateOrRotatePasswords

And finally:

PS /> Get-VcfSddcManagerOperation -Path "*/v1/tasks"

We see:

Name : GetTasks
CommandInfo : Invoke-VcfGetTasks

We now know the three cmdlets we'll use:

  • Invoke-VcfGetHosts
  • Invoke-VcfUpdateOrRotatePasswords
  • Invoke-VcfGetTasks

Understanding the Rotation API

To call Invoke-VcfUpdateOrRotatePasswords, we need to construct a CredentialsUpdateSpec payload. Let's consult the help documentation.

PS /> Get-Help Invoke-VcfUpdateOrRotatePasswords -Full

From the examples section, we see a pattern for constructing the payload using:

  • Initialize-VcfBaseCredential
  • Initialize-VcfResourceCredentials
  • Initialize-VcfCredentialsUpdateSpec

PowerCLI Script: Rotate ESXi Credentials

# Retrieve all hosts
$hosts = Invoke-VcfGetHosts

# Create an array to store resource credentials
$ResourceCredentials = @()

# Loop through each host
foreach ($h in $hosts.Elements) {
    # Create a base credential for each host
    $BaseCredential = Initialize-VcfBaseCredential -Username "root"

    # Create a resource credential entry
    # (the trailing backticks continue the command onto the next line)
    $ResourceCredentials += Initialize-VcfResourceCredentials `
        -ResourceType "ESXI" `
        -Credentials $BaseCredential `
        -ResourceName $h.Fqdn
}

# Build the credentials update spec
$CredentialsUpdateSpec = Initialize-VcfCredentialsUpdateSpec `
    -OperationType "ROTATE" `
    -Elements $ResourceCredentials

# Execute the rotation
$task = Invoke-VcfUpdateOrRotatePasswords -credentialsUpdateSpec $CredentialsUpdateSpec

Verifying the Task Status

Notice how we saved the task object into a variable.
Now you can use the following routine to monitor the task:

$taskId = $task.Id
$count = 0
while ($count -le 10) {
    $task = Invoke-VcfGetTask -Id $taskId
    if ($task.Status -ne "SUCCESSFUL" -and $task.Status -ne "FAILED") {
        Start-Sleep -Seconds 10
    } else {
        $task
        break
    }
    $count = $count + 1
}

Example output:

Id : 2f59afdb-4e70-434c-89c6-1da96ec5edaa
Name : Credentials rotate operation
Type : PASSWORD_ROTATE
Status : SUCCESSFUL
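
The monitoring loop above prints nothing if the task is still running when the counter runs out, so an unattended rotation job cannot tell a timeout from a success. The following added example (not part of the original post or the PowerCLI SDK) wraps the same polling in a function that throws on FAILED and on timeout. Wait-VcfTask, its parameters, the stand-in task source and the IN_PROGRESS status value are assumptions made for illustration.

```powershell
# Added example: Wait-VcfTask and its parameter names are hypothetical.
function Wait-VcfTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Id,
        [int] $TimeoutSeconds = 600,
        [int] $PollSeconds = 10,
        # Task lookup is injectable so the function can be exercised without
        # an SDDC Manager connection; the default is the cmdlet used in the post.
        [scriptblock] $GetTask = { param($TaskId) Invoke-VcfGetTask -Id $TaskId }
    )

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($true) {
        $task = & $GetTask $Id

        if ($task.Status -eq 'SUCCESSFUL') {
            return $task
        }
        if ($task.Status -eq 'FAILED') {
            # Fail loudly: some hosts may still carry the old credential.
            throw "Task $Id ($($task.Name)) ended with status FAILED."
        }
        if ((Get-Date) -ge $deadline) {
            # A timeout is not a success; the rotation outcome is unknown.
            throw "Task $Id is still '$($task.Status)' after $TimeoutSeconds seconds."
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Constructed stand-in for SDDC Manager: reports a non-terminal status twice,
# then SUCCESSFUL. 'IN_PROGRESS' is an assumed non-terminal status value.
$script:polls = 0
$fakeSource = {
    param($TaskId)
    $script:polls++
    $status = if ($script:polls -lt 3) { 'IN_PROGRESS' } else { 'SUCCESSFUL' }
    [pscustomobject]@{ Id = $TaskId; Name = 'Credentials rotate operation'; Status = $status }
}

# Offline demonstration with the constructed source
Wait-VcfTask -Id 'constructed-task-id' -PollSeconds 1 -GetTask $fakeSource

# Against a live environment, after the rotation call in the script above:
# Wait-VcfTask -Id $task.Id
```

Because the function throws instead of returning silently, a scheduler or pipeline running the rotation script sees a non-successful run and can alert on it.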

Conclusion

With just a few lines of PowerShell, we've automated a process that otherwise takes hours. Credential rotation is just one of the many use cases the PowerCLI SDK enables. Stay tuned for more automation tips in future posts.

VMware LLC published this content on June 09, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on June 09, 2025 at 10:20 UTC.