Retrieve the service accounts credentials from SDDC Manager

Article ID: 327195

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

This article provides the steps to retrieve the ESXi service accounts from SDDC Manager.

Symptoms:
Unable to SSH into an ESXi host with the stored root credentials on SDDC.

Environment

VMware Cloud Foundation 4.x
VMware Cloud Foundation 5.x

Resolution

  1. SSH into the SDDC Manager as the vcf user, then su to root.
  2. Create a token on the SDDC Manager. (You will need to update the username and password values.)

    TOKEN=$(curl -d '{"username" : "<sso_username>", "password" : "<sso_password>"}' -H "Content-Type: application/json" -X POST http://127.0.0.1/v1/tokens | jq -r '.accessToken')

     <sso_username> needs to be [email protected] and <sso_password> needs to be that account's password. Alternatively, use a vsphere.local account and password with vCenter admin permissions. An AD-integrated account will not work.

  3. Pull the credentials from SDDC.

    curl -k -X GET -H "Authorization: Bearer $TOKEN" 'https://localhost/v1/system/credentials/service' | json_pp | less

     Sample output:

       {
          "serviceType" : "SDDC_MANAGER",
          "entityId" : "9189####-####-####-####-########8251",
          "username" : "svc-vcf-xxxxx-xx",
          "id" : "688d####-####-####-####-########ad5e",
          "entityType" : "ESXI",
          "targetType" : "ESXI",
          "serviceId" : "2f7a####-####-####-####-########cb79",
          "secret" : "xxxxxxxxxxxxxxxxx",
          "credentialType" : "SSH",
          "creationTime" : 16#######96,
          "modificationTime" : 16#######96
       }


Additional Information

Once you have the service account password you can connect to the ESXi host to clear out a root lockout or to reset the root password.
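
The token and credential requests from steps 2 and 3 can also be scripted so that the SSO password is prompted for instead of typed on the command line, and so that only the ESXi SSH entries are listed with secrets hidden by default. This is an added example, not part of the original article or VMware tooling; it assumes python3 is available where it runs, the function names and the `--reveal` switch are hypothetical, and because the response wrapper is not shown in the article it searches every nested object for the fields seen in the sample output.

```python
import getpass, json, ssl, sys, urllib.request

TOKEN_URL = "http://127.0.0.1/v1/tokens"                       # URL from step 2
CREDS_URL = "https://localhost/v1/system/credentials/service"  # URL from step 3

def login_body(username, password):
    # json.dumps escapes quotes and backslashes that would break a hand-built -d string
    return json.dumps({"username": username, "password": password}).encode()

def find_credentials(doc, entity_type="ESXI", credential_type="SSH"):
    # Assumption: the wrapper structure is unknown, so walk every nested object
    found = []
    def walk(node):
        if isinstance(node, dict):
            if (node.get("entityType"), node.get("credentialType")) == (entity_type, credential_type):
                found.append(node)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
    walk(doc)
    return found

def summarize(creds, reveal=False):
    # Secrets stay hidden unless explicitly requested, keeping them out of scrollback
    return [(c.get("entityId"), c.get("username"),
             c.get("secret") if reveal else "<hidden>") for c in creds]

def call(url, body=None, token=None):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # same effect as curl -k in the article
    ctx.verify_mode = ssl.CERT_NONE
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(url, data=body, headers=headers)  # POST when body is set
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

if __name__ == "__main__":
    user = input("SSO username: ")
    password = getpass.getpass("SSO password: ")  # not echoed, not stored in shell history
    token = call(TOKEN_URL, login_body(user, password))["accessToken"]
    rows = summarize(find_credentials(call(CREDS_URL, token=token)),
                     reveal="--reveal" in sys.argv)
    for entity_id, username, secret in rows:
        print(entity_id, username, secret)
```

Run it as root on the SDDC Manager; pass `--reveal` only when you are ready to use the service account password.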