This assumes that the user will actually login with the password right after VM creation.

What I have seen in various clouds, that this might not be the case for years for some VMs, as prevailing amount of users are using ssh keys for first and all consecutive logins.

But yes, sure, this really depends on the usecase and policies and setup.

On Wed, 15 Oct 2025, 07:20 , <hamid.lotfi@gmail.com> wrote:

Thanks, Dmitriy.
I completely agree that sensitive information should not be sent via user-data. However, the point is that if we expire the password by sending it like this:
chpasswd: { expire: True }
The password shown in the metadata becomes invalid, and the new password is not displayed there.