In the blog post "Introducing the Hidden Power of the PowerCLI SDK", we introduced the PowerCLI SDK. In today’s post, we’ll show you how to use this SDK. You’ll learn to automate repetitive tasks within your VMware Cloud Foundation (VCF) environment. Rotating ESXi credentials is one example of such a repetitive task.
Rotating ESXi Credentials
One important step toward securing your datacenter is regularly rotating the credentials of your ESXi hosts. In environments with tens or even hundreds of hosts, doing this manually is both tedious and error-prone.
In this post, we’ll walk through a PowerCLI script. This script automates the rotation of ESXi host credentials across your datacenter. It takes just a few minutes.
Identifying Required Cmdlets
To automate this task, we need to identify which cmdlets are required. The PowerCLI SDK makes this easy with the Get-VcfSddcManagerOperation cmdlet.
We’re looking to:
- Retrieve the list of ESXi hosts
- Invoke the credential rotation API
- Monitor the task status
Let’s start by exploring the available APIs.
PS /> Get-VcfSddcManagerOperation -Path "*/v1/hosts"
This gives us:
Name : CommissionHosts
CommandInfo : Invoke-VcfCommissionHosts
…
Name : GetHosts
CommandInfo : Invoke-VcfGetHosts
Next:
PS /> Get-VcfSddcManagerOperation -Path "*/v1/credentials"
Relevant output:
Name : UpdateOrRotatePasswords
CommandInfo : Invoke-VcfUpdateOrRotatePasswords
…
And finally:
PS /> Get-VcfSddcManagerOperation -Path "*/v1/tasks"
We see:
Name : GetTasks
CommandInfo : Invoke-VcfGetTasks
…
We now know the three cmdlets we’ll use:
- Invoke-VcfGetHosts
- Invoke-VcfUpdateOrRotatePasswords
- Invoke-VcfGetTasks
Understanding the Rotation API
To call Invoke-VcfUpdateOrRotatePasswords, we need to construct a CredentialsUpdateSpec payload. Let’s consult the help documentation.
PS /> Get-Help Invoke-VcfUpdateOrRotatePasswords -Full
From the examples section, we see a pattern for constructing the payload using:
- Initialize-VcfBaseCredential
- Initialize-VcfResourceCredentials
- Initialize-VcfCredentialsUpdateSpec
PowerCLI Script: Rotate ESXi Credentials
# Retrieve all hosts
$hosts = Invoke-VcfGetHosts
# Create an array to store resource credentials
$ResourceCredentials = @()
# Loop through each host
foreach ($h in $hosts.Elements) {
    # Create a base credential for each host (username only; no password is supplied for a ROTATE operation)
    $BaseCredential = Initialize-VcfBaseCredential -Username "root"
    # Create a resource credential entry
    $ResourceCredentials += Initialize-VcfResourceCredentials `
        -ResourceType "ESXI" `
        -Credentials $BaseCredential `
        -ResourceName $h.Fqdn
}
# Build the credentials update spec
$CredentialsUpdateSpec = Initialize-VcfCredentialsUpdateSpec `
    -OperationType "ROTATE" `
    -Elements $ResourceCredentials
# Execute the rotation
$task = Invoke-VcfUpdateOrRotatePasswords -credentialsUpdateSpec $CredentialsUpdateSpec
Verifying the Task Status
Notice how we saved the task object into a variable.
Now you can use the following routine to monitor the task:
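$taskId = $task.Id
$count = 0
# Poll every 10 seconds until the task reaches a terminal state or the attempts run out
while ($count -le 10) {
    $task = Invoke-VcfGetTask -Id $taskId
    if ($task.Status -ne "SUCCESSFUL" -and $task.Status -ne "FAILED")
    {
        Start-Sleep -Seconds 10
    } else {
        # Terminal state reached: output the task object and stop polling
        $task
        break
    }
    $count = $count + 1
}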
Example output:
Id : 2f59afdb-4e70-434c-89c6-1da96ec5edaa
Name : Credentials rotate operation
Type : PASSWORD_ROTATE
Status : SUCCESSFUL
…
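The loop above ends silently if the task is still running when the attempts run out, and it outputs a FAILED task the same way as a successful one. The following is an added example, not code from the original post or the PowerCLI SDK: Wait-RotationTask, its parameters and the stub are hypothetical names, and the stub's IN_PROGRESS status is a constructed sample value so the function can be tried without an SDDC Manager connection.

```powershell
# Added example: wait for a task to reach a terminal state and fail loudly otherwise.
# Wait-RotationTask and its parameters are hypothetical, not part of the PowerCLI SDK.
function Wait-RotationTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TaskId,
        # How to fetch the task; defaults to the cmdlet used in the post.
        [scriptblock] $GetTask = { param($Id) Invoke-VcfGetTask -Id $Id },
        [int] $TimeoutSeconds = 600,
        [int] $PollSeconds = 10
    )

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($true) {
        $task = & $GetTask $TaskId
        switch ($task.Status) {
            'SUCCESSFUL' { return $task }
            'FAILED'     { throw "Task $TaskId ($($task.Name)) ended with status FAILED." }
        }
        # Any other status is treated as "still running" until the deadline passes.
        if ((Get-Date) -ge $deadline) {
            throw "Task $TaskId is still '$($task.Status)' after $TimeoutSeconds s; rotation outcome unknown."
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Constructed demo: a stub that reports IN_PROGRESS twice and then SUCCESSFUL.
$script:polls = 0
$stub = {
    param($Id)
    $script:polls++
    $status = if ($script:polls -lt 3) { 'IN_PROGRESS' } else { 'SUCCESSFUL' }
    [pscustomobject]@{ Id = $Id; Name = 'Credentials rotate operation'; Status = $status }
}
Wait-RotationTask -TaskId 'constructed-task-id' -GetTask $stub -PollSeconds 1

# Real use, after the rotation call from the post:
# try { Wait-RotationTask -TaskId $task.Id } catch { Write-Error $_; exit 1 }
```

Because a failure or timeout is raised as a terminating error, a scheduled rotation job that wraps this call exits non-zero instead of reporting nothing.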
Conclusion
With just a few lines of PowerShell, we’ve automated a process that otherwise takes hours. Credential rotation is just one of the many use cases the PowerCLI SDK enables. Stay tuned for more automation tips in future posts.