The current server datastore API update-password script (here) does not work once the datastore is added to the Portal, which is essential for the Esri-suggested user and item access management referenced in blog posts and documentation:
Once you add the data store to the organization, share the data store item to make it available to the organization members who need to publish data from it. For database data store items, share the item with groups whose members will be publishing from data in ArcGIS Pro or publishing from service definition files in ArcGIS Server Manager. When members of the group publish to one of the federated servers with which you registered the data store, ArcGIS Pro and the federated server recognize that the group members have access to the data store and will allow them to publish without having to register a data store separately.
The current item.update() for Portal does not update passwords, as it only updates properties and not the item on the servers. We cannot register only with the server through Server Manager (which the above-linked script expects), since that gives us no means to control access for groups or users.
Once the datastore item is added to Portal, we are not able to update its password programmatically through the API and must manually use the Update Password button located on the settings page of the datastore item. This process is cumbersome and creates issues if not done in a certain order. Workarounds are inefficient, since we either lose the ability to manage item access through Portal (needed) or lose the ability to perform programmatic password changes (needed), and they would result in managing duplicate registrations across the datastores of multiple server sites.
Since a connection file also needs to validate the user/password when it is created, this creates a conflict over what should be done first, and the process has to follow a strict order of operations so that the user does not get locked out by validation checks.
All services using the registered datastore must be stopped across all server sites, or the user will be locked in the database.
When the datastore's settings page is loaded, it triggers a validation. If the password was changed in the database to a new password (to create the sde connection file needed for the UI) before this page is opened, this could/does lock the user in the database. Opening the settings page must be done after the services are stopped on all server sites; then it does not lock the user. After it is validated, we can change the password in the database and create the new sde connection file. When the sde connection file is created, it also validates the user/password. The process requires that I manually upload the sde connection file through the UI's Update Password, then have it validated and saved. If there is any issue and the old connection is replaced, the immediate validations or attempts to connect lock the user in the database.
This process, as is, cannot be automated without pausing to perform manual operations. When we need to rotate passwords for 15+ registered datastores, it requires a lot of application changes (ArcGIS Manager, SSMS, Pro, Enterprise), increases outage times, and introduces a lot of intermediate steps where errors can occur.
I need the Update Password GUI process to be exposed in the ArcGIS API for Python (adding to / including this idea) so I can programmatically update the registered datastores in my enterprise environment and across my server sites. Being able to use the API to update the password will eliminate the back and forth between the settings page, SSMS, and Pro, and will allow us to programmatically update the passwords while being able to control user access to the item as described by Esri.
Yes, this would be a very handy thing to have. Automating the database password rotation would be a big help.