Device Password Rotation

Rotates a user account’s password on a network device with auto-approval for password-only changes.

User Interface

Form Inputs

Users interact with a device and secret selection form:

| Field | Description | Selection Type | Required |
| --- | --- | --- | --- |
| Site | Choose the site containing the device | Single dropdown from available sites | Yes |
| Device | Select the device for password rotation | Single dropdown from devices in selected site | Yes |
| Selected Secret | Choose the user account to rotate | Single dropdown from configured password mappings | Yes |

Device Support

This workflow supports the following device platforms:

  • Cumulus Linux
  • NVOS

Workflow Execution

Multi-Stage Process with Auto-Approval

  1. Load intended configuration
  2. Validate diff
  3. Apply configuration to device
  4. Post-deployment backup

Auto-Approval Logic

The workflow implements auto-approval based on diff content analysis.

The following scenarios are auto-approved:

  • Password-only changes for the target user
  • nv set/unset system aaa user <username> hashed-password
  • No other configuration modifications present

The following scenarios are not auto-approved:

  • Diffs that include non-password changes (the diff is treated as invalid)
  • Unsupported platforms
  • Missing password mappings in device config context
  • Invalid configuration syntax or structure
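
The diff check described above, as an added example that is not the workflow's own code. The platform identifiers, the one-NVUE-command-per-line diff format, and the function and variable names are assumptions; the missing-mapping check is out of scope here.

```python
import re

# Assumed platform identifiers; the page names the platforms but not their slugs.
SUPPORTED_PLATFORMS = {"cumulus-linux", "nvos"}

# One NVUE command per diff line (assumed diff format). fullmatch() is used so
# that nothing can ride along after an otherwise valid password command.
PASSWORD_CMD = re.compile(
    r"nv (?P<op>set|unset) system aaa user (?P<user>\S+) hashed-password"
    r"(?: (?P<value>\S+))?"
)


def auto_approval_decision(diff_lines, target_user, platform):
    """Return (approved, reason) for a candidate password-rotation diff."""
    if platform not in SUPPORTED_PLATFORMS:
        return False, f"unsupported platform: {platform}"
    commands = [line.strip() for line in diff_lines if line.strip()]
    if not commands:
        return False, "empty diff"
    for cmd in commands:
        m = PASSWORD_CMD.fullmatch(cmd)
        if m is None:
            # Anything that is not a hashed-password command blocks approval.
            return False, f"non-password change: {cmd}"
        if m.group("user") != target_user:
            return False, f"password change for other user: {m.group('user')}"
        if m.group("op") == "set" and m.group("value") is None:
            return False, "set without a hash value"
    return True, "password-only change for target user"


# Constructed sample diffs (the hash value is a placeholder, not a real hash).
ROTATION_ONLY = [
    "nv unset system aaa user cumulus hashed-password",
    "nv set system aaa user cumulus hashed-password '$6$EXAMPLE$placeholder'",
]
MIXED = ROTATION_ONLY + ["nv set system hostname leaf01"]

if __name__ == "__main__":
    for name, diff in (("rotation-only", ROTATION_ONLY), ("mixed", MIXED)):
        print(name, auto_approval_decision(diff, "cumulus", "nvos"))
```

The check fails closed: an empty diff, an unknown platform, or a single unrecognised line sends the change to manual approval.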

Configuration Requirements

Password Mappings

Devices must have password mappings configured in their Nautobot configuration context. For example:

password_mappings:
  default:
    cumulus:
      password: "vault/path/to/cumulus/password"
      rotation: "current"
    admin:
      password: "vault/path/to/admin/password"
      rotation: "current"
  # Role-specific mappings override defaults
  spine:
    cumulus:
      password: "vault/path/to/spine/cumulus/password"
      rotation: "current"

Vault Integration

  • Passwords are retrieved from HashiCorp Vault using configured backend paths
  • The rotation field specifies which version to use (e.g., “r1”, “r2”)
  • Backend paths must exist and be accessible to the workflow execution environment