VMware is the virtualization standard within the corporate datacenter. An all too common practice is to use common passwords for the most privileged accounts within VMware environments. How many VM admins utilize the same root password for all of their ESXi servers? When was the last time your root password for ESXi servers was changed? There has to be a better way.
In this talk we will showcase the evolution of managing VMware credentials. The goal will be to demonstrate how HashiCorp Vault can be used to help VMware Admins move to short-lived, dynamic credentials within ESXi and vSphere environments. Join us to learn:
- How to use dynamic credentials within your VMware environment.
- How VMware Admins can utilize existing tools like PowerCLI with HashiCorp Vault.
- Ways you can use HashiCorp Vault to manage, control and rotate VMware credentials in an automated manner.
- Discovery of ESXi hosts using PowerCLI
- Pull root password for each ESXi host using Vault REST API
- Generate unique passwords per host and update Vault
- Version Passwords within Vault
- HashiCorp Vault cluster that is reachable via PowerCLI. (Inbound TCP port 8200 to Vault)
Create a Vault policy named 'vmadmins' with the ACL settings specified in vmadmins.hcl, using the Vault UI.
Alternatively this can be done via the Vault CLI
vault policy write vmadmins policies/vmadmins.hcl
Associate the VMware Admins Active Directory group with the Vault vmadmins policy.
vault write "auth/ldap/groups/VMware Admins" policies=vmadmins
If you are not using LDAP authentication within Vault, you can use an alternative authentication method. Below is an example associating username/password authentication with the Vault vmadmins policy:
vault write auth/userpass/users/vmadmin password={Your_Password} policies=vmadmins
- A version 2 K/V secrets backend mounted at systemcreds
- Passwords are stored under the Vault path: /systemcreds/esxihosts/$vmhost
Utilize esxi_password_seed.ps1 to connect to vCenter, loop through all hosts, and write each hostname, along with the specified password, to Vault.
.\esxi_password_seed.ps1 -vcenter {vcenter} -vaultserver {vault server} -hostpwd {PasswordtoSeed} -vaulttoken {vaulttoken}
Example:
.\esxi_password_seed.ps1 -vcenter vc.lab.local -vaultserver https://vault.lab.local:8200 -hostpwd NewP@ssw0rd
Log in to the Vault UI and copy the token.
Alternatively this can be done via the Vault CLI
vault token create -period 24h -policy vmadmins
Utilize esxi_password_update.ps1 to read the existing root password from Vault, connect to vCenter, loop through all hosts connected to vCenter, generate a random password and set it on each host, and record the new password in Vault, keeping a versioned history.
.\esxi_password_update.ps1 -vcenter {vcenter} -vaultserver {vault server} -vaulttoken {vaulttoken}
Example:
.\esxi_password_update.ps1 -vcenter vc.lab.local -vaultserver https://vault.lab.local:8200
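As an added example that is not one of the repository's scripts, the following PowerCLI snippet performs the read, rotate and record cycle for a single host against the KV v2 path above. It assumes the secret stores the password under a key named password (the page does not name the key), that VMware.PowerCLI is installed, and it adds a check-and-set option on the write so two concurrent rotations fail loudly instead of silently overwriting each other's record.

```powershell
# Added example, not one of the repository's scripts. Rotates one ESXi host's
# root password and records it in Vault KV v2 with check-and-set (CAS).
# Assumption: the secret key is named 'password' (not stated on the page).
param(
    [Parameter(Mandatory)][string]$VMHostName,   # e.g. esx01.lab.local
    [Parameter(Mandatory)][string]$VaultServer,  # e.g. https://vault.lab.local:8200
    [Parameter(Mandatory)][string]$VaultToken
)
$headers = @{ 'X-Vault-Token' = $VaultToken }
$kvUrl   = "$VaultServer/v1/systemcreds/data/esxihosts/$VMHostName"

function New-RandomPassword {
    # 20 characters from a 64-symbol alphabet (256 % 64 == 0, so indexing a
    # CSPRNG byte by modulo is unbiased). Retried until all four character
    # classes required by ESXi's default pam_passwdqc policy are present.
    $chars = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] 20
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $chars[$_ % 64] })
    } until ($candidate -cmatch '[a-z]' -and $candidate -cmatch '[A-Z]' -and
             $candidate -match '\d' -and $candidate -match '[-_]')
    return $candidate
}

# 1. Read the current root password and the secret version (needed for CAS).
$current = Invoke-RestMethod -Uri $kvUrl -Headers $headers -Method Get
$oldPwd  = $current.data.data.password
$version = $current.data.metadata.version

# 2. Change the password on a direct host connection: ESXi local accounts
#    cannot be modified through the vCenter session.
$newPwd = New-RandomPassword
$conn = Connect-VIServer -Server $VMHostName -User root -Password $oldPwd
try {
    Set-VMHostAccount -Server $conn -UserAccount root -Password $newPwd | Out-Null
} finally {
    Disconnect-VIServer -Server $conn -Confirm:$false
}

# 3. Record the new password as a new version. cas=<version read in step 1>
#    makes Vault reject the write if another run rotated this host meanwhile,
#    and the previous password stays in the version history for recovery.
$body = @{ options = @{ cas = $version }; data = @{ password = $newPwd } } |
        ConvertTo-Json -Depth 3
Invoke-RestMethod -Uri $kvUrl -Headers $headers -Method Post -Body $body `
                  -ContentType 'application/json' | Out-Null
```

If step 3 fails (for example a CAS mismatch), the host already has the new password, so retry the write before the process exits rather than re-running the whole cycle.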
Utilize esxi_password_read.ps1 PowerCLI script to read the existing root password for all hosts in Vault.
Example:
.\esxi_password_read.ps1 -vcenter vc.lab.local -vaultserver https://vault.lab.local:8200
Below are some of the manual and partially automated options for rotating ESXi root passwords:
Changing an ESXi root password manually via PowerCLI.
$CurrentPassword = "VMware1!"
$NewPassword = "NewP@ssw0rd"
# Connect directly to the ESXi host (not vCenter): host local accounts can only be changed on a direct host connection
Connect-VIServer host1.lab.local -User root -Password $CurrentPassword
# Set the new password for the root account on the connected host
Set-VMHostAccount -UserAccount root -Password $NewPassword
Disconnect-VIServer host1.lab.local -Confirm:$False
Changing an ESXi root password manually using Host Profiles.
*Note: Host Profiles are currently licensed to VMware Enterprise Plus customers only.*
Changing the ESXi root password of all hosts via PowerCLI.
Utilize esxi_password_batch_update.ps1 PowerCLI script to perform a batch update against all hosts within vCenter.
.\esxi_password_batch_update.ps1 -vcenter {vcenter} -currentpwd {CurrentHostPassword} -newpwd {NewPassword to set}
Example:
.\esxi_password_batch_update.ps1 -vcenter vc.lab.local -currentpwd VMware1! -newpwd NewP@ssw0rd