There are valid use cases for changing the cloud admin user's password. Generally speaking, passwords should always be changeable. Can we get an action for this (e.g. change-admin-password)? The manual process is not straightforward but it looks to be entirely programmable.
I don't think the action should prompt the user for a password. It should just generate one automatically and then inform any concerned API clients. The user would then query for the new one in order to update any possible user-facing tools:
$ juju run-action --wait keystone/leader change-admin-password
$ juju run --unit keystone/leader leader-get admin_passwd
Something similar exists in the vault charm (action 'reissue-certificates').
Triage: an additional action.
Peter, it might be useful to list the manual version list of commands to achieve this.