Password Lookup with VCF 4.0

In order to perform all the automation tasks it does, VMware Cloud Foundation (VCF) must be aware of how to communicate to all of the components in its environment. The method used to obtain a list of these accounts and the passwords used have changed from VCF version to version. Today, I’ll show you how to do this with VCF 4.0…

Within the SDDC Manager Web UI, there’s a section dedicated to password management.

Here, you can select a component from a filtered list of component types and rotate (randomly generate) or update (manually specify) the password. You will notice that there is no way to view the associated passwords though. To do this, you need to use the CLI or the API.

With the CLI, you will have to SSH to the SDDC Manager and login as the vcf user. At this point, you can execute the lookup_passwords command.

When executed, this command will prompt you for the component type that you wish to display the stored account information. In order to get the information for all the component types, you simply have to execute the lookup_passwords command multiple times.

When I’ve performed VCF deployments for customers in the past, one of the items that I liked to leave with them upon completing the deployment was a list of the passwords for everything that was deployed. As VCF deployment was new to them, it was easy for people to forget the passwords or how to retrieve them.

To avoid having to execute the lookup_passwords command multiple times, it’s easier to use the API. With the API, you can get a list of all the passwords in a single output. Well, almost all the passwords…

To use the API to retrieve the passwords with VCF 4.0, you’ll need a few things. First, you need to have access to an account with Admin rights on the SDDC Manager. People familiar with previous versions of VCF might not be aware that with VCF 4.0 another role called Operator was introduced. It’s important that you use a user with the correct level of privilege. You can identify these users using the SDDC Manager user interface.

Next, you will need a token. With VCF 4.0, tokens are required for the invocation of any API call. There are actually two different types of tokens – There is an access token and a refresh token. The access token is passed with the API call in the authorization header as a bearer token. The access token is only valid for one hour. If the access token expires, then you can use the refresh token to get a new access token. The refresh token expires in 24 hours. After this, you will have to generate a new set of tokens.

I’ll illustrate how to use these API calls from within the SDDC Manager. You can use another tool (like Postman or curl) remotely, but you’ll follow the same basic process. For my example, I’m going to use the account administrator@vsphere.local and the password of VMware123!. Of course, you would want to use the correct account information for your environment.

First, let’s get the access token. To do this, you would execute a command like this:

# curl -X POST -H "Content-Type: application/json" -d '{"username": "administrator@vsphere.local","password": "VMware123!"}' --insecure | json_pp

Here, you can see the access token and the refresh token. To make this a bit easier to use though, I typically execute this and save the access token into a variable by using a command like this:

# TOKEN=`curl -X POST -H "Content-Type: application/json" -d '{"username": "administrator@vsphere.local","password": "VMware123!"}' --insecure | awk -F "\"" '{ print $4}'`

Once I have the access token saved in a variable, it’s a bit easier to use this in sequential API calls. For example, I can use a command like this:

# curl -X GET --insecure -H 'Content-Type: application/json' -H "Authorization: Bearer $TOKEN" 'https://localhost/v1/credentials' -k | json_pp

This will output a list of all the components and the associated passwords. I can take this output and save it to a file or filter it however I would like.

One thing that you might notice is that not all the account information is displayed either through the API call or through the lookup_passwords command. In particular, there are three specific accounts missing. These are:

  • The root user for the SDDC Manager
  • The vcf user for the SDDC Manager
  • The admin password for the SDDC Manager APIs

Changing the root or vcf user on the SDDC Manager simply requires using the standard passwd command. Changing the admin password however, requires that you use the /opt/vmware/vcf/commonsvcs/scripts/auth/ script. This basically just sets the password in the /etc/nginx/.htpasswd file.

You should change the passwords for these accounts on a regular basis, in accordance with your security policy.

Hopefully, this helps you with your password management of VCF! Enjoy!