SDDC Manager has long been the central credential store for VCF environments, providing a single place to manage, rotate, and schedule password changes across your VCF Fleet managed components. One of its most useful capabilities is automatic password rotation. Once configured, it handles the rotation lifecycle without manual intervention, reducing the risk of stale credentials lingering on critical infrastructure.
In VCF 9.0, SDDC Manager offers three preset schedules for automatic password rotation in the UI: 30, 60, and 90 days. For many organisations, that is perfectly adequate. But if your company policy requires something outside those presets, such as 15 or 45 days, the UI has no answer. This is where the REST API becomes useful, allowing you to configure custom rotation schedules beyond what the UI exposes.

It is also worth noting that the VCF Operations Console, which is taking on more password-management capabilities in VCF 9.0, does not currently support scheduled rotation. For now, scheduling remains in SDDC Manager. If you want to go deeper on the Operations Console side of the story, check out my companion post: Exploring Password Management in VCF 9.0 Operations.
Why Password Auto-Rotation Is Useful in VCF?
In a VCF environment, there is no shortage of components and appliances carrying credentials that need to be kept fresh, rotated, and in sync. Doing this manually across the entire fleet is tedious, error-prone, and frankly does not scale. Auto-rotation through SDDC Manager removes most of that friction. Once configured, it handles the full rotation lifecycle without any manual intervention. The practical benefits are straightforward:
- Reduces reliance on manual rotation processes and the human error that comes with them
- Improves security hygiene by ensuring privileged credentials do not sit unchanged indefinitely
- Supports compliance alignment by enforcing a consistent rotation cadence across managed components
- Reduces the chance of stale credentials lingering on critical infrastructure
Using the REST API to Set a Custom Schedule
Authentication: API requests require a valid bearer token.
Start with a POST to: https://<sddcmanager-fqdn>/v1/tokens using your SSO credentials.
Full details are in the Broadcom Developer Portal.
Before making the PATCH request, run a GET against the credentials endpoint to retrieve the credential object for your target component. This gives you the exact resourceId, credentialType, and username values needed to build the payload correctly. The API schema supports both resourceName and resourceId, though in my testing resourceId was the most reliable approach.
GET https://<sddcmanager-fqdn>/v1/credentials?resourceType=VCENTER

Note the resourceId from the response, as you will need it in the next step.
Submit the PATCH Request
Use the PATCH https://<sddcmanager-fqdn>/v1/credentials endpoint with an UPDATE_AUTO_ROTATE_POLICY operation type. The autoRotatePolicy object accepts two fields:
- frequencyInDays is not limited to the UI presets. In testing, custom values such as 15 days were accepted
- enableAutoRotatePolicy as a boolean to enable or disable the schedule
The following payload configures a 15-day rotation schedule for a vCenter root account. In my testing, this account had no existing auto-rotation schedule configured, so this was setting one from scratch:
{
  "operationType": "UPDATE_AUTO_ROTATE_POLICY",
  "elements": [
    {
      "resourceId": "<resource-id>",
      "resourceName": "vcsa01.example.local",
      "resourceType": "VCENTER",
      "credentials": [
        {
          "credentialType": "SSH",
          "username": "root"
        }
      ]
    }
  ],
  "autoRotatePolicy": {
    "frequencyInDays": 15,
    "enableAutoRotatePolicy": true
  }
}
Once the task completes, querying the credentials endpoint will show the autoRotatePolicy block updated with your custom frequencyInDays value and a nextSchedule timestamp confirming when the first rotation will run.

ESX Scheduled Password Auto-Rotation: Not Supported
ESXi scheduled password auto-rotation is not available in the UI, and it's not available in the API either. In the Broadcom developer documentation, I couldn't find anything that explicitly states ESXi is excluded, so I tested it directly. Attempting to pass an UPDATE_AUTO_ROTATE_POLICY payload with resourceType: ESXI returns:
{
  "errorCode": "PASSWORD_MANAGER_AUTO_ROTATE_INPUT_SPEC_RESOURCE_TYPE_NOT_SUPPORTED",
  "arguments": [
    "ESXI"
  ],
  "message": "Resource type: ESXI not supported for auto rotate.",
  "referenceToken": "UVPE5B"
}

My best guess is this is by design. ESXi ships with Security.PasswordMaxDays set to 99999, meaning local accounts are designed to never expire. A failed credential sync on a hypervisor host could lock you out of your entire compute layer, making on-demand rotation the safer choice. The ROTATE operation is still fully supported if you need it.
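The GET, PATCH and verify steps above can be scripted so the policy is only ever sent for exactly one intended credential, and ESXI is refused locally before the API rejects it. This is an added example, not code from the original post or from Broadcom. The function names are hypothetical, the sample response is constructed, and the response layout (elements[] entries carrying a nested resource object and an autoRotatePolicy block) is an assumption to confirm against your own SDDC Manager.

```python
import json

UNSUPPORTED_TYPES = {"ESXI"}  # the API rejects this type for auto rotate, per the post

# Constructed sample of GET /v1/credentials?resourceType=VCENTER output.
# Assumed layout: each element has a nested "resource" object.
VC = {"resourceId": "00000000-0000-0000-0000-000000000001",
      "resourceName": "vcsa01.example.local", "resourceType": "VCENTER"}
SAMPLE = {"elements": [
    {"credentialType": "SSO", "username": "administrator@vsphere.local", "resource": VC},
    {"credentialType": "SSH", "username": "root", "resource": VC},
]}

def find_credential(response, resource_name, username, credential_type):
    """Return the single matching credential object, or raise if 0 or >1 match."""
    hits = [c for c in response.get("elements", [])
            if c["resource"]["resourceName"] == resource_name
            and c["username"] == username
            and c["credentialType"] == credential_type]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one credential, found {len(hits)}")
    return hits[0]

def build_auto_rotate_payload(response, resource_name, username, credential_type, days):
    """Build the UPDATE_AUTO_ROTATE_POLICY body for one credential."""
    if isinstance(days, bool) or not isinstance(days, int) or days < 1:
        raise ValueError("frequencyInDays must be a positive integer")
    res = find_credential(response, resource_name, username, credential_type)["resource"]
    if res["resourceType"] in UNSUPPORTED_TYPES:
        raise ValueError(f"Resource type: {res['resourceType']} not supported for auto rotate")
    element = {k: res[k] for k in ("resourceId", "resourceName", "resourceType")}
    element["credentials"] = [{"credentialType": credential_type, "username": username}]
    return {
        "operationType": "UPDATE_AUTO_ROTATE_POLICY",
        "elements": [element],
        "autoRotatePolicy": {"frequencyInDays": days, "enableAutoRotatePolicy": True},
    }

def policy_applied(response, resource_name, username, credential_type, days):
    """Check a follow-up GET: frequency matches and a nextSchedule is present."""
    cred = find_credential(response, resource_name, username, credential_type)
    policy = cred.get("autoRotatePolicy") or {}
    return policy.get("frequencyInDays") == days and bool(policy.get("nextSchedule"))

if __name__ == "__main__":
    body = build_auto_rotate_payload(SAMPLE, "vcsa01.example.local", "root", "SSH", 15)
    print(json.dumps(body, indent=2))
```

Send the returned body with the bearer token from /v1/tokens, then run policy_applied against a fresh GET once the task completes.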

Wrapping Up
- The UI supports only 30, 60, and 90-day presets. The API removes that restriction
- ESXi scheduled auto-rotation is not supported
- Scheduling remains in SDDC Manager. The VCF Operations Console does not support it yet
Full API documentation is available at the Broadcom Developer Portal.
I hope you found this helpful. Feel free to comment if you have any questions.