Updating service account with custom password does not reflect in SDDC Manager despite successful remediation.


Article ID: 423038


Updated On:

Products

VMware SDDC Manager

Issue/Introduction

  • A custom password for a service account was manually set on the management component (for example, an ESXi host, vCenter Server, NSX, etc.).
  • The service account secret retrieved via the API (GET request below) or directly from the SDDC Manager database does not match the password that was manually set on the component.

# Obtain an API token, then list the service credentials SDDC Manager has stored
TOKEN=$(curl -s -d '{"username" : "<sso_username>", "password" : "<sso_password>"}' -H "Content-Type: application/json" -X POST http://127.0.0.1/v1/tokens | jq -r '.accessToken')
curl -k -X GET -H "Authorization: Bearer $TOKEN" 'https://localhost/v1/system/credentials/service' | json_pp | less

{
      "serviceType" : "SDDC_MANAGER",
      "entityId" : "9189####-####-####-####-########8251",
      "username" : "svc-vcf-####-##",
      "id" : "688d####-####-####-####-########ad5e",
      "entityType" : "ESXI",
      "targetType" : "ESXI",
      "serviceId" : "2f7a####-####-####-####-########cb79",
      "secret" : "##############",
      "credentialType" : "SSH",
      "creationTime" : 16#######96,
      "modificationTime" : 16#######96
}

Environment

VMware SDDC Manager

Resolution

  • Manually updated service account passwords are automatically rotated by SDDC Manager once the remediation process completes.
  • SDDC Manager updates its stored password

This is expected behavior for service accounts: if a service account password was updated manually, SDDC Manager auto-rotates the password for that account after this remediation step, so the secret it stores and returns via the API is the newly generated one rather than the manually set value.
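To tell whether the stored secret for each service account is a post-remediation rotation or still predates the manual change, the modificationTime in the GET response above can be compared against the time of the manual update. The following Python is an added example, not part of this article or of SDDC Manager; it assumes modificationTime is a Unix epoch timestamp (milliseconds or seconds) and accepts either a bare list of credential objects or a response wrapped in an "elements" key. The sample response is constructed with placeholder values.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of /v1/system/credentials/service (placeholder values only).
SAMPLE_RESPONSE = json.dumps({
    "elements": [
        {"entityType": "ESXI", "username": "svc-vcf-esx-01", "credentialType": "SSH",
         "modificationTime": 1700000000000, "secret": "placeholder-1"},
        {"entityType": "VCENTER", "username": "svc-vcf-vc-01", "credentialType": "SSO",
         "modificationTime": 1700100000000, "secret": "placeholder-2"},
    ]
})


def to_epoch_seconds(ts):
    """Normalise a timestamp; values above 1e11 are assumed to be milliseconds."""
    return ts / 1000.0 if ts > 10**11 else float(ts)


def parse_service_credentials(body):
    """Return the list of credential objects from a bare list or an 'elements' wrapper."""
    data = json.loads(body)
    if isinstance(data, dict):
        data = data.get("elements", [data])
    return data


def rotated_since(creds, manual_change_epoch_s):
    """Usernames whose stored secret was modified at or after the manual change (rotated)."""
    return sorted(c["username"] for c in creds
                  if to_epoch_seconds(c["modificationTime"]) >= manual_change_epoch_s)


def report(body, manual_change_epoch_s):
    """One line per account; the secret itself is deliberately never included."""
    creds = parse_service_credentials(body)
    rotated = set(rotated_since(creds, manual_change_epoch_s))
    lines = []
    for c in creds:
        when = datetime.fromtimestamp(to_epoch_seconds(c["modificationTime"]), tz=timezone.utc)
        status = ("rotated by SDDC Manager after manual change" if c["username"] in rotated
                  else "stored value predates manual change (expect mismatch)")
        lines.append(f"{c['entityType']:8} {c['username']:16} {c['credentialType']:5} "
                     f"{when:%Y-%m-%d %H:%M:%SZ}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RESPONSE, manual_change_epoch_s=1700050000))
```

Feed the saved output of the curl command above into report() together with the epoch time of the manual password change to see which accounts have already been rotated.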


Additional Information

https://techdocs.broadcom.com/us/en/vmware-cis/private-ai/foundation-with-nvidia/5-2/manage-passwords.html

  • Service accounts are automatically generated during bring-up, host commissioning, and workload domain creation.
  • Service accounts have a limited set of privileges and are created for communication between products. Passwords for service accounts are randomly generated by SDDC Manager. The password for a service account cannot be set manually on the management components (vCenter, ESXi, NSX, etc.). To update the credentials of service accounts, rotate the passwords.