Copyright © 2026, NVIDIA Corporation.
Device Password Rotation

Rotates a user account’s password on a network device with auto-approval for password-only changes.

User Interface

Form Inputs

Users interact with a device and secret selection form:

| Field | Description | Selection Type | Required |
|---|---|---|---|
| Site | Choose the site containing the device | Single dropdown from available sites | Yes |
| Device | Select the device for password rotation | Single dropdown from devices in selected site | Yes |
| Selected Secret | Choose the user account to rotate | Single dropdown from configured password mappings | Yes |

Device Support

This workflow supports the following device platforms:

  • Cumulus Linux
  • NVOS

Workflow Execution

Multi-Stage Process with Auto-Approval

  1. Load intended configuration
  2. Validate diff
  3. Apply configuration to device
  4. Post-deployment backup

Auto-Approval Logic

The workflow implements auto-approval based on diff content analysis.

The following scenarios are auto-approved:

  • Password-only changes for the target user
  • nv set/unset system aaa user <username> hashed-password
  • No other configuration modifications present

The following scenarios are not auto-approved:

  • Diffs that include non-password changes (the diff is treated as invalid)
  • Unsupported platforms
  • Missing password mappings in device config context
  • Invalid configuration syntax or structure
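
The check described above can be sketched as a fail-closed allowlist over the diff. This is an added example, not the workflow's own code: the function name review_diff, the reason strings, and the diff format (one NVUE command per line) are assumptions made for illustration.

```python
import shlex

# Platforms this page lists as supported.
SUPPORTED_PLATFORMS = {"cumulus linux", "nvos"}
PASSWORD_PATH = ["system", "aaa", "user"]

# Constructed sample diff (assumed format: one NVUE command per line).
SAMPLE_DIFF = [
    "nv unset system aaa user cumulus hashed-password",
    "nv set system aaa user cumulus hashed-password '$6$salt$constructedhash'",
]


def review_diff(diff_lines, target_user, platform):
    """Return (approved, reasons); any line that is not recognised is a rejection."""
    if platform.lower() not in SUPPORTED_PLATFORMS:
        return False, [f"unsupported platform: {platform}"]
    changes = [line.strip() for line in diff_lines if line.strip()]
    if not changes:
        return False, ["empty diff"]
    reasons = []
    for line in changes:
        try:
            tok = shlex.split(line)
        except ValueError:
            reasons.append(f"invalid syntax: {line}")
            continue
        # Exact token comparison: a prefix or substring match would let
        # 'cumulus2' or an appended option ride along with the password change.
        is_password_cmd = (
            len(tok) >= 7
            and tok[0] == "nv"
            and tok[1] in ("set", "unset")
            and tok[2:5] == PASSWORD_PATH
            and tok[6] == "hashed-password"
        )
        if not is_password_cmd:
            reasons.append(f"non-password change: {line}")
        elif tok[5] != target_user:
            reasons.append(f"password change for another user: {tok[5]}")
        elif tok[1] == "set" and len(tok) != 8:
            reasons.append(f"invalid syntax: {line}")
        elif tok[1] == "unset" and len(tok) not in (7, 8):
            reasons.append(f"invalid syntax: {line}")
    return (not reasons), reasons


if __name__ == "__main__":
    print(review_diff(SAMPLE_DIFF, "cumulus", "Cumulus Linux"))
```

A rejected diff here would fall back to manual review rather than being applied, which keeps an unrelated change from being deployed under cover of a password rotation.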

Configuration Requirements

Password Mappings

Devices must have password mappings configured in their Nautobot configuration context. For example:

password_mappings:
  default:
    cumulus:
      password: "vault/path/to/cumulus/password"
      rotation: "current"
    admin:
      password: "vault/path/to/admin/password"
      rotation: "current"
  # Role-specific mappings override defaults
  spine:
    cumulus:
      password: "vault/path/to/spine/cumulus/password"
      rotation: "current"

Vault Integration

  • Passwords are retrieved from HashiCorp Vault using configured backend paths
  • The rotation field specifies which version to use (e.g., “r1”, “r2”)
  • Backend paths must exist and be accessible to the workflow execution environment