For security reasons, you can change passwords for the accounts that are used by your SDDC Manager instance. Changing these passwords periodically or when certain events occur, such as an administrator leaving your organization, reduces the likelihood of security vulnerabilities.

You entered passwords for your VMware Cloud Foundation system as part of the bring-up procedure. You can rotate and update some of these passwords using the password management functionality in the SDDC Manager UI, including:

  • Accounts used for service consoles, such as the ESXi root account.

  • The single sign-on administrator account.

  • The default administrative user account used by virtual appliances.

  • Service accounts that are automatically generated during bring-up, host commissioning, and workload creation.

    Service accounts have a limited set of privileges and are created for communication between products. Passwords for service accounts are randomly generated by SDDC Manager. You cannot manually set a password for service accounts. To update the credentials of service accounts, you can rotate the passwords.

To provide optimal security and proactively prevent any passwords from expiring, you must rotate passwords every 80 days.

Note: Do not change the passwords for system accounts and the administrator@vsphere.local account outside of SDDC Manager. This can break your VMware Cloud Foundation system.

You can also use the VMware Cloud Foundation API to look up and manage credentials. In the SDDC Manager UI, click Developer Center > API Explorer and browse to the APIs for managing credentials.