
# Device Password Rotation

Rotates a user account's password on a network device with auto-approval for password-only changes.

## User Interface

### Form Inputs

Users interact with a device and secret selection form:

| Field               | Description                             | Selection Type                                    | Required |
| :------------------ | :-------------------------------------- | :------------------------------------------------ | :------- |
| **Site**            | Choose the site containing the device   | Single dropdown from available sites              | Yes      |
| **Device**          | Select the device for password rotation | Single dropdown from devices in selected site     | Yes      |
| **Selected Secret** | Choose the user account to rotate       | Single dropdown from configured password mappings | Yes      |

### Device Support

This workflow supports the following device platforms:

* **Cumulus Linux**
* **NVOS**

## Workflow Execution

### Multi-Stage Process with Auto-Approval

1. Load intended configuration
2. Validate diff
3. Apply configuration to device
4. Post-deployment backup

### Auto-Approval Logic

The workflow decides whether to auto-approve a change by analyzing the content of the configuration diff.

The following scenarios are **auto-approved**:

* Password-only changes for the target user
* Changes of the form `nv set/unset system aaa user <username> hashed-password`
* No other configuration modifications present

The following scenarios are **not auto-approved**:

* Diffs that include non-password changes (such a diff is treated as invalid)
* Unsupported platforms
* Missing password mappings in device config context
* Invalid configuration syntax or structure
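
The following sketch shows one way to express the password-only check described above. It is an added example, not the workflow's own code. It assumes the diff is available as one NVUE command per line and that an empty diff is not approved; the names `classify_line` and `auto_approve` are hypothetical.

```python
import shlex

# Command path taken from the auto-approved pattern on this page.
USER_PATH = ["system", "aaa", "user"]

def classify_line(line, username):
    """Return None if the line is an allowed password change, else a reason."""
    try:
        tok = shlex.split(line)  # exact token comparison, no regex on username
    except ValueError:
        return "unparseable line"
    if len(tok) < 7 or tok[0] != "nv" or tok[1] not in ("set", "unset"):
        return "not a user hashed-password command"
    if tok[2:5] != USER_PATH or tok[6] != "hashed-password":
        return "touches configuration other than hashed-password"
    if tok[5] != username:
        return "changes a different user"
    # 'set' carries exactly one value; 'unset' may omit it. Anything longer
    # (for example a second command chained on the same line) is rejected.
    allowed_lengths = (8,) if tok[1] == "set" else (7, 8)
    if len(tok) not in allowed_lengths:
        return "unexpected extra or missing arguments"
    return None

def auto_approve(diff_text, username):
    """Return (approved, reasons); approved only if every line passes."""
    lines = [l.strip() for l in diff_text.splitlines() if l.strip()]
    if not lines:
        return False, ["empty diff"]  # assumption: nothing to approve
    reasons = [f"{l!r}: {r}" for l in lines if (r := classify_line(l, username))]
    return (not reasons), reasons

if __name__ == "__main__":
    # Constructed sample diffs; the hash value is a placeholder.
    password_only = (
        "nv unset system aaa user cumulus hashed-password\n"
        "nv set system aaa user cumulus hashed-password '$6$constructed$hash'\n"
    )
    mixed = password_only + "nv set system hostname leaf01\n"
    print(auto_approve(password_only, "cumulus"))
    print(auto_approve(mixed, "cumulus"))
```
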

## Configuration Requirements

### Password Mappings

Devices must have password mappings configured in their Nautobot configuration context. For example:

```yaml
password_mappings:
  default:
    cumulus:
      password: "vault/path/to/cumulus/password"
      rotation: "current"
    admin:
      password: "vault/path/to/admin/password"
      rotation: "current"
  # Role-specific mappings override defaults
  spine:
    cumulus:
      password: "vault/path/to/spine/cumulus/password"
      rotation: "current"
```

### Vault Integration

* Passwords are retrieved from HashiCorp Vault using configured backend paths
* The `rotation` field specifies which version to use (e.g., "r1", "r2")
* Backend paths must exist and be accessible to the workflow execution environment