Nutanix Credentials Rotation Script with Bash

Introduction

Credential rotation is a fundamental part of security hygiene. For Nutanix environments that rely on ncli, automating service account password updates ensures compliance, reduces risk, and eliminates outages due to expired credentials. This guide walks through scripting secure rotation using Bash.


My Personal Repository on GitHub

Nutanix Repository on GitHub


Diagram: Credential Rotation Flow


Key Features

  • Rotates password for local or LDAP-linked users
  • Logs updates securely (masked if needed)
  • Can notify team or monitoring system
  • Compatible with password vault integration

Bash Script: nutanix_creds_rotate.sh

#!/usr/bin/env bash
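set -euo pipefail
umask 077  # new files are created owner-only, so the password is never briefly world-readable

user="svc_automation"
old_pass_file="/etc/nutanix/old_pass"
new_pass_file="/etc/nutanix/new_pass"
log="/var/log/nutanix_creds_rotation.log"

# Generate new password
newpass=$(openssl rand -base64 16)

# Stage the new password on disk before changing it on the cluster
printf '%s\n' "$newpass" > "$new_pass_file"
chmod 600 "$new_pass_file"

echo "[$(date)] Rotating password for $user" >> "$log"

# Use ncli to update password.
# Note: values passed as command-line arguments can be visible in the process list while ncli runs.
ncli user update user-name="$user" old-password="$(cat "$old_pass_file")" password="$newpass"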

# Replace old password file
mv "$new_pass_file" "$old_pass_file"

echo "[$(date)] Password rotated successfully for $user" >> "$log"

Initial Setup

  1. Populate /etc/nutanix/old_pass with the current password
  2. Set strict permissions (chmod 600)
  3. Schedule with cron:
0 3 1 * * /usr/local/bin/nutanix_creds_rotate.sh

Optional: Alert After Change

echo "Password rotated for $user" | mailx -s "Nutanix Credential Rotation" secops@example.com

Vault Integration Tips

  • Use HashiCorp Vault or CyberArk to manage and fetch current credentials
  • Replace local password files with vault read in script logic
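
The sketch below is an added example, not code from the original post: it replaces the two local password files with Vault KV reads and writes, and promotes the new password only after ncli has accepted it. The KV path, the "password" field, the "current"/"pending" layout, the ROTATION_LOG variable and the function name are assumptions; VAULT_ADDR and VAULT_TOKEN are expected in the environment.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): rotation backed by Vault KV.
# Assumed names: VAULT_BASE path, "password" field, rotate_with_vault().
set -eu

VAULT_BASE="${VAULT_BASE:-secret/nutanix/svc_automation}"  # hypothetical KV path
log="${ROTATION_LOG:-/var/log/nutanix_creds_rotation.log}"

rotate_with_vault() {
    local user="$1" oldpass newpass
    oldpass=$(vault kv get -field=password "$VAULT_BASE/current") || return 1
    newpass=$(openssl rand -base64 16) || return 1

    # Stage the new value before touching the cluster: if the script dies
    # after ncli accepts it, the password is still recoverable from "pending".
    # "password=-" makes vault read the value from stdin instead of argv.
    printf '%s' "$newpass" \
        | vault kv put "$VAULT_BASE/pending" password=- >/dev/null || return 1

    # Same ncli call as the script above.
    if ! ncli user update user-name="$user" \
            old-password="$oldpass" password="$newpass" >/dev/null; then
        echo "[$(date)] Rotation FAILED for $user; current secret unchanged" >> "$log"
        return 2
    fi

    # Promote only after the cluster accepted the change.
    printf '%s' "$newpass" \
        | vault kv put "$VAULT_BASE/current" password=- >/dev/null || return 3
    echo "[$(date)] Password rotated successfully for $user" >> "$log"
}

# Run only when asked, so the file can also be sourced: ./script --run [user]
if [ "${1:-}" = "--run" ]; then
    rotate_with_vault "${2:-svc_automation}"
fi
```

Exit code 2 means the cluster rejected the change and the "current" secret is still valid; exit code 3 means the cluster already has the new password and it must be recovered from "pending".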

Summary

Rotating Nutanix CLI credentials with Bash helps protect automation pipelines, service accounts, and admin access. Use this script as a secure, extensible foundation for your infrastructure credential strategy.
